SSL Breaks After Upgrading To Domino 10.0.1

Beginning with Domino 10.0.1, SSL cipher options are configurable in the Security tab of Internet Site documents or in the Ports tab of Server documents (depending on whether you have enabled Internet Site documents). All of the supported SSL ciphers are now listed clearly, in order of strength, for easy selection.

In my experience, when “Load Internet configurations from Server\Internet Sites documents” is disabled, NO ciphers are enabled by default after the upgrade.

In contrast, ALL (non-weak) ciphers are selected post-upgrade for Internet Site Docs.

If you ARE NOT using Internet Site Docs
To review the current settings, go to the Server doc > Ports > Internet Ports > SSL settings and click the “Modify” button in the “SSL ciphers” field.

If you ARE using Internet Site Docs
To review the current settings, go to the Domino Directory, expand Web, and choose “Internet Sites.” Then open the corresponding Internet Site document and go to the “Security” tab. In the SSL Security section, click the “Modify” button in the “SSL ciphers” field.

When the right ciphers aren’t selected, HTTPS pages will not render in browsers, and you will also see something like this on the console or in the log:

TLS/SSL connection failed with no supported ciphers

IBM’s KB article on the new SSL cipher configuration for Domino 10.0.1 has further details.

TLS For Domino SMTP

Those already using, or considering enabling, secure SMTP sessions with STARTTLS on Domino should either disable it and wait for now (until SPR# MKENA4SQ7R is resolved in an IF or in 9.0.1 FP6), obtain hotfix(es) directly from IBM, or accept the risk of being unable to deliver/receive TLS mail with (at least) some @outlook.com addresses.

If you use (or plan to use) TLS, you should also consider adding the SSL_SESSION_SIZE notes.ini setting. When it is not set, the value defaults to 5000, which is too low to prevent errors like:

02/25/2016 12:23:52 PM New SSL session data length of 5121 bytes is larger than the current size of 5000 bytes.
02/25/2016 12:23:52 PM You may want to set the Notes.ini variable SSL_SESSION_SIZE to at least 5121 bytes.

Note that the server suggested the 5121 value in this example (presumably based upon the handshake with the external server) and I’ve been unable, as yet, to find any other scientific method for determining what other value might be better.
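Both symptoms above (the “no supported ciphers” handshake failure and the SSL_SESSION_SIZE complaint) are easy to miss in a busy console log. The following scanner is an added example, not Domino’s own code or anything from IBM: it reads console text, counts cipher failures with their timestamps, and reports the largest session size the server asked for as a ready-to-paste notes.ini line. The sample lines are constructed (the first two are copied from the output shown above; the rest are made up) and the timestamp/message formats are assumed to match that output.

```python
"""Scan Domino console output for the two TLS symptoms discussed above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample console lines (not captured from a real server).
SAMPLE_LOG = """\
02/25/2016 12:23:52 PM New SSL session data length of 5121 bytes is larger than the current size of 5000 bytes.
02/25/2016 12:23:52 PM You may want to set the Notes.ini variable SSL_SESSION_SIZE to at least 5121 bytes.
02/25/2016 12:24:10 PM SMTP Server: mail.example.net connected
02/25/2016 12:24:11 PM TLS/SSL connection failed with no supported ciphers
02/25/2016 12:30:02 PM New SSL session data length of 6203 bytes is larger than the current size of 5000 bytes.
02/25/2016 12:30:02 PM You may want to set the Notes.ini variable SSL_SESSION_SIZE to at least 6203 bytes.
"""

# Message formats are assumed from the console lines quoted on this page.
SESSION_SIZE_RE = re.compile(r"SSL_SESSION_SIZE to at least (\d+) bytes")
NO_CIPHERS_RE = re.compile(r"TLS/SSL connection failed with no supported ciphers")
TIMESTAMP_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) ")


@dataclass
class TlsFindings:
    no_cipher_failures: List[str] = field(default_factory=list)  # timestamps
    suggested_session_sizes: List[int] = field(default_factory=list)

    @property
    def recommended_session_size(self) -> Optional[int]:
        """Largest size Domino asked for; the setting must cover the worst case seen."""
        return max(self.suggested_session_sizes, default=None)


def scan_console_log(text: str) -> TlsFindings:
    findings = TlsFindings()
    for line in text.splitlines():
        ts = TIMESTAMP_RE.match(line)
        if NO_CIPHERS_RE.search(line):
            findings.no_cipher_failures.append(ts.group(1) if ts else "?")
        m = SESSION_SIZE_RE.search(line)
        if m:
            findings.suggested_session_sizes.append(int(m.group(1)))
    return findings


def notes_ini_line(findings: TlsFindings, headroom: int = 0) -> Optional[str]:
    """Render the notes.ini line; headroom is an optional margin chosen by the admin."""
    size = findings.recommended_session_size
    return None if size is None else f"SSL_SESSION_SIZE={size + headroom}"


if __name__ == "__main__":
    f = scan_console_log(SAMPLE_LOG)
    print(f"no-supported-cipher failures: {len(f.no_cipher_failures)} at {f.no_cipher_failures}")
    print(notes_ini_line(f))
```

Point it at a real console.log and the printed line is the value to put in notes.ini; the cipher-failure timestamps tell you when to start looking in the cipher settings described above.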

GoDaddy SSL Certificate Type Per Server Type

After GoDaddy generates an SSL certificate, the next step is to download the Zip file that matches your hosting server type. Then, install all of the certificates in the Zip file on your hosting server, including any intermediate certificates that might be needed for older browsers or servers. To download this Zip file, click on the “Server Type” dropdown menu. You are presented with the following options:


However, if your server type isn’t listed, it isn’t necessarily obvious which option to choose. If you know the certificate file type you need, here are the file types each option provides:

Apache > .crt with .crt bundle

Exchange > .crt with .p7b intermediates

IIS > .crt with .p7b intermediates

Mac OS X > .crt with .crt bundle

Tomcat > .crt with .crt bundle with gdig2.crt

Other > .crt with .crt bundle