We received a security audit report. On this report it says that our
Domino servers exposed to the web allow certain faulty SSL connections.

I'll list them below; however, let's keep the 'meat' of this email at the
top.
I'm running Domino 9.0.1FP5 with SE19016 and L605346.

My Internet sites document has:
Security tab
SSL Security paragraph
SSL ciphers:
RC4 encryption with 128-bit key and MD5 MAC
RC4 encryption with 128-bit key and SHA-1 MAC
Triple DES encryption with 168-bit key and SHA-1 MAC
DES encryption with 56-bit key and SHA-1 MAC
RC4 encryption with 40-bit key and MD5 MAC
Ones that I am not using include:
AES encryption with 128-bit key and SHA-1 MAC
AES encryption with 256-bit key and SHA-1 MAC
No encryption with MD5 MAC
No encryption with SHA-1 MAC

"Enable SSL V2:" is not checked
(SSL V3 is always enabled)

Will disabling certain ones reduce or eliminate the errors below?
I don't need to enable any ones that are not selected, do I?

List of errors:

TLS/SSL Server is enabling the BEAST attack (CVE-2011-3389)
The Payment Card Industry (PCI) Data Security Standard requires a minimum
of TLS v1.1 and recommends TLS v1.2. In addition, FIPS 140-2 standard
also requires a minimum of TLS v1.1 and recommends TLS v1.2.
Negotiated with the following insecure cipher suites:
SSL 3.0 ciphers:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS 1.0 ciphers:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS/SSL Server is enabling the POODLE attack (CVE-2014-3566)
The Payment Card Industry (PCI) Data Security Standard requires a minimum
of TLS v1.1 and recommends TLS v1.2. In addition, FIPS 140-2 standard
also requires a minimum of TLS v1.1 and recommends TLS v1.2.
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS/SSL Server Supports SSLv3
The Payment Card Industry (PCI) Data Security Standard requires a minimum
of TLS v1.1 and recommends TLS v1.2. In addition, FIPS 140-2 standard
also requires a minimum of TLS v1.1 and recommends TLS v1.2.

TLS/SSL Server Supports TLS version 1.0
The Payment Card Industry (PCI) Data Security Standard requires a minimum
of TLS v1.1 and recommends TLS v1.2. In addition, FIPS 140-2 standard
also requires a minimum of TLS v1.1 and recommends TLS v1.2.

TLS/SSL Server Supports The Use of Static Key Ciphers
The server is configured to support ciphers known as static key ciphers.
These ciphers don't support "Forward Secrecy". In the new specification
for HTTP/2, these ciphers have been blacklisted.
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS 1.0 ciphers:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS 1.2 ciphers:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

TLS/SSL Server Supports 3DES Cipher Suite
Negotiated with the following insecure cipher suites:
SSL 3.0 ciphers:
TLS_RSA_WITH_3DES_EDE_CBC_SHA


Rob Berendt
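
Most of the findings in the report above can be read off the negotiated protocol version and the parts of each cipher suite name. As an added example (not part of the original post or of the audit tool), this Python sketch parses the IANA-style names quoted in the report and returns which findings a given protocol and suite pair triggers; the function names and the sample list are constructed here.

```python
import re

# IANA-style name: TLS_<key exchange>_WITH_<bulk cipher>_<MAC or PRF hash>
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<cipher>[A-Z0-9_]+)_(?P<mac>SHA\d*|MD5)$")

OLD_PROTOCOLS = ("SSL 3.0", "TLS 1.0")   # below the TLS v1.1 minimum the report cites

def parse_suite(name):
    """Split a suite name into (key exchange, bulk cipher, MAC)."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name!r}")
    return m.group("kx"), m.group("cipher"), m.group("mac")

def findings(protocol, suite):
    """Return the audit findings that apply to one negotiated pair."""
    kx, cipher, _mac = parse_suite(suite)
    cbc = cipher.endswith("CBC")
    out = []
    if protocol in OLD_PROTOCOLS:
        out.append("protocol below TLS 1.1")
    if not kx.startswith(("DHE", "ECDHE")):
        # Plain RSA key exchange: no ephemeral key, so no forward secrecy.
        out.append("static key cipher")
    if "3DES" in cipher:
        out.append("3DES")
    if cbc and protocol in OLD_PROTOCOLS:
        out.append("BEAST (CVE-2011-3389)")
    if cbc and protocol == "SSL 3.0":
        out.append("POODLE (CVE-2014-3566)")
    return out

# Constructed sample: pairs taken from the lists in the report above.
SAMPLE = [
    ("SSL 3.0", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    ("TLS 1.0", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"),
    ("TLS 1.2", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("TLS 1.2", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"),
]

if __name__ == "__main__":
    for protocol, suite in SAMPLE:
        hits = findings(protocol, suite) or ["no finding from this list"]
        print(f"{protocol:8} {suite:40} {', '.join(hits)}")
```
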

This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.