If you run a Nessus scan (or similar software) against a Domino HTTP Server you might get the following result:

- SSL Weak Cipher Suites Supported

- SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability (so called 'BEAST Secure Socket Layer (SSL) 3.0 exploit')

Fixing this "issue" (i.e. disabling the affected ciphers) is quite easy:

The SSL ciphers can be modified either via the Domino Administrator or via the notes.ini file. Because it is much quicker to do this via the Domino Administrator, I will list that solution here:

1.) Open the names.nsf (Address Book) on your Domino server

2.) Switch to "Configuration" -> "Servers" -> "All Server Documents"

3.) Open the server document where you wish to change the ciphers

4.) In the server document click on "Ports" -> "Internet Ports"

5.) To solve "SSL Weak Cipher Suites Supported", click on "Modify" and ensure that only the following ciphers are enabled:

AES encryption with 128-bit key and SHA-1 MAC (Domino 8+ only)
AES encryption with 256-bit key and SHA-1 MAC (Domino 8+ only)
RC4 encryption with 128-bit key and MD5 MAC
RC4 encryption with 128-bit key and SHA-1 MAC
Triple DES encryption with 168-bit key and SHA 1 MAC

Ensure that the following is disabled:

DES encryption with 56-bit key and SHA-1 MAC
RC4 encryption with 40-bit key and MD5 MAC
No encryption with MD5 MAC
No encryption with SHA-1 MAC

and "Enable SSL v2" is set to No.

If you also wish to solve the "BEAST Secure Socket Layer (SSL) 3.0 exploit", you need to disable the following as well:

AES encryption with 128-bit key and SHA-1 MAC (Domino 8+ only)
AES encryption with 256-bit key and SHA-1 MAC (Domino 8+ only)
Triple DES encryption with 168-bit key and SHA 1 MAC

so that only these two:

RC4 encryption with 128-bit key and MD5 MAC
RC4 encryption with 128-bit key and SHA-1 MAC

are activated. The problem with the three SSL/TLS ciphers above (AES and Triple DES) is that they use Cipher Block Chaining (CBC) mode. So the only way to solve the BEAST vulnerability is to use only encryption algorithms that don't use CBC, like those based on the RC4 stream cipher.

Disable weak SSL cipher on IBM Lotus Domino

6.) If you use TLS on your Domino mail exchanger or HTTPS on your Domino web server, you need to restart your server via "tell domino restart" in order to activate the settings.
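After the restart, the quickest check is to offer the server each of the suites from the server document one at a time and see which it still negotiates. The script below is an added example, not part of the original post or of Domino itself; the mapping from the Domino labels to OpenSSL suite names is my assumption, as are the host and port arguments.

```python
import socket
import ssl
import sys
# Domino server-document labels (from the post) mapped to OpenSSL suite names.
# The mapping is this example's assumption; Domino itself does not expose these names.
DOMINO_SUITES = {
    "AES encryption with 128-bit key and SHA-1 MAC": "AES128-SHA",
    "AES encryption with 256-bit key and SHA-1 MAC": "AES256-SHA",
    "Triple DES encryption with 168-bit key and SHA 1 MAC": "DES-CBC3-SHA",
    "RC4 encryption with 128-bit key and MD5 MAC": "RC4-MD5",
    "RC4 encryption with 128-bit key and SHA-1 MAC": "RC4-SHA",
    "DES encryption with 56-bit key and SHA-1 MAC": "DES-CBC-SHA",
    "RC4 encryption with 40-bit key and MD5 MAC": "EXP-RC4-MD5",
    "No encryption with MD5 MAC": "NULL-MD5",
    "No encryption with SHA-1 MAC": "NULL-SHA",
}

def classify(suite):
    """Bucket a suite as the post does: 'weak' (always off), 'cbc' (BEAST), 'stream' (RC4)."""
    if suite.startswith(("NULL-", "EXP-")) or suite == "DES-CBC-SHA":
        return "weak"
    if suite.startswith("AES") or "CBC3" in suite:
        return "cbc"
    return "stream"
def should_accept(suite, fix_beast):
    """Whether the server should still negotiate this suite after the post's settings."""
    bucket = classify(suite)
    return bucket == "stream" or (bucket == "cbc" and not fix_beast)
def probe(host, port, suite, timeout=5.0):
    """Offer one suite only: True/False = server accepted/refused, None = local OpenSSL can't offer it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # cipher check only, not cert validation
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED        # old Domino builds only speak TLS 1.0
    try:
        ctx.set_ciphers(suite + ":@SECLEVEL=0")  # @SECLEVEL=0 lets OpenSSL >= 1.1 offer legacy suites
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0] == suite
    except (ssl.SSLError, OSError):
        return False
def audit(results, fix_beast):
    """Return suites whose observed state ({suite: bool}) deviates from the post's intended state."""
    return sorted(s for s, ok in results.items() if ok is not None and ok != should_accept(s, fix_beast))
if __name__ == "__main__":  # usage: python check_domino_ciphers.py HOST [PORT]
    host, port = sys.argv[1], (int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    found = {s: probe(host, port, s) for s in DOMINO_SUITES.values()}
    print("deviations from the BEAST configuration:", audit(found, fix_beast=True))
```

A suite reported as None could not be offered by the local OpenSSL build at all, so it tells you nothing about the server; run the script from a machine with a legacy-capable OpenSSL for those.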


For more information visit:

- SSL Weak Cipher Suites Supported

- SSL cipher

- IBM Lotus Domino remedy for BEAST Secure Socket Layer (SSL) 3.0 exploit recently published

- SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability
