Part 1 – ( This post ) What is the problem
Part 2 – Installing a simple Linux Reverse Proxy on the same box ( 20 mins )
Part 3 – Converting your Domino SSL Certificate to work with Apache (30 mins )
Update: IBM has published a plan to release fix packs to address these issues. Our plan is to stick with the Apache scheme ( or maybe Nginx in the future ) as it is easy to set up and gives us more flexibility.
What is the problem?
There are a number of separate problems that can be solved ( from an HTTP perspective ) using the method set out here if you are running Domino on Linux.
SSL3 is currently vulnerable and Domino cannot use anything newer
The POODLE exploit, as detailed by Bill Malchisky, means that servers need to stop using SSL V3 until a fix is found. Unfortunately, the newest protocol that Domino supports is SSL V3.
Certificates signed with the SHA-1 algorithm are being deprecated
Google will be marking web sites protected by SHA-1 SSL certificates as suspect. This will not happen for some time, but some suppliers have already stopped offering SHA-1 based SSL certificates. I suspect a lot more security audits will also mandate SHA-2 certificates.
Some SSL certificate providers will not accept Certificate Requests ( CSRs ) signed with MD5
All Domino CSRs are signed with MD5. Some SSL suppliers will not accept these Certificate Requests.
What is the solution suggested in this series of posts?
The suggestion is to put an Apache Web server in front of Domino and have it manage all the SSL functionality. This is very simple to do.
This means that you can use SHA-2 based certificates and TLS 1.2 connections rather than SSL V3. It also means that you do not need to use MD5-based CSRs.
It does not help with SSL for mail, but there are similar mail proxies.
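As an added illustration ( not configuration from this post or from IBM ), this is the shape of the Apache virtual host that does the job: Apache terminates SSL with the SHA-2 certificate, SSLv3 is switched off, and every request is handed to Domino over the loopback interface. The host name, certificate paths and the Domino HTTP port 8080 are assumed placeholders, and Apache 2.4 with mod_ssl, mod_proxy, mod_proxy_http and mod_headers is assumed to be loaded.

```apache
# Added example, not part of the original post. Assumptions:
# Domino's own HTTP task has been moved to 127.0.0.1:8080 (placeholder),
# the SHA-2 certificate and key paths below are placeholders, and
# mod_ssl, mod_proxy, mod_proxy_http and mod_headers are enabled.
Listen 443

<VirtualHost *:443>
    ServerName domino.example.com

    # Apache now owns the certificate, so it can be SHA-2 signed and
    # the CSR can be generated with openssl rather than Domino's MD5 CSR.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/domino.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/domino.example.com.key

    # Refuse SSLv2 and SSLv3 (POODLE); TLS 1.0 to 1.2 remain negotiable.
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

    # Forward everything to Domino on the same box, plain HTTP on loopback.
    ProxyRequests Off
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Because Domino then only listens on 127.0.0.1, its SSL V3 stack is never exposed to the network; a quick check after restarting Apache is to confirm that an SSLv3 handshake to port 443 is rejected while a TLS 1.2 one succeeds.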
In this series of articles I am specifically talking about the scenario of adding an Apache server to the same Linux box as the Domino server. If you want a more sophisticated reverse proxy server managing traffic from several Domino servers then see this article from Darren Duke.
If you are even braver, you could try Nginx rather than Apache.