Wieder führt IBM mit einem Interim Fix neue Funktionen ein: Neben einigen
Verbesserungen gibt es im Interims Fix 2 für IBM Domino 9.0.1 Fix Pack
4 etwas Neues, auf das wir schon gewartet haben: Elliptic Curve Diffie-Hellman
Key Exchange (ECDHE).
"Introduce support for Elliptic
Curve TLS_ECDHE for compatibility with Apps compiled for Apple iOS 9.0
/ OS X 10.11. This adds Elliptic Curve support for HTTP/HTTPS, LDAP/LDAPS,
SMTP, IMAP, and POP3." (SPR KLYH9YNR8F)
Anders als üblich werden die neuen Verfahren
automatisch aktiv - solange man keine SSLCipherSpec-Einstellung in der
notes.ini definiert hat. Dann sollte man dort die neuen Codes ergänzen:
- ECDHE_RSA_WITH_AES_256_GCM_SHA384 (C030)
- ECDHE_RSA_WITH_AES_128_GCM_SHA256 (C02F)
- ECDHE_RSA_WITH_AES_256_CBC_SHA384 (C028)
- ECDHE_RSA_WITH_AES_256_CBC_SHA (C014)
- ECDHE_RSA_WITH_AES_128_CBC_SHA256 (C027)
- ECDHE_RSA_WITH_AES_128_CBC_SHA (C013)
Was noch wichtig ist: Die ECDHE-Varianten
sind immer höher priorisiert als die jeweiligen DHE-Verfahren, um die bessere
Performance dieser Algorithmen zu nutzen. "ECDHE ciphers are prioritized
over the equivalent DHE ciphers to improve performance"
Man kann, wenn man will, auch bestimmte
Kurven deaktivieren:
"NIST P-256, NIST P-384, and NIST
P-521 are supported. The fastest (smallest) mutually supported curve will
be chosen by the Domino server as per standard practice. Individual curves
can be disabled via SSL_DISABLE_CURVE_P256=1, SSL_DISABLE_CURVE_P384=1,
and SSL_DISABLE_CURVE_P521=1. We recommend disabling all ECDHE ciphers
if all curves are disabled to improve performance."
Im Kommentar vom 25.09.2015 zum TLS
Cipher Configuration-Wiki-Artikel gibt Dave Kern noch einige gute Hinweise:
"ssllabs.com deems a number of
browsers to be "reference" browsers, and will not give full credit
for PFS unless all of the reference browsers would use PFS ciphers by default.
Unfortunately, their "reference" browser list includes a number
of old versions of IE that do not support the DHE ciphers. Upgrading from
9.0.1 FP4 to 9.0.1 FP4 IF2 (and removing your SSLCipherSpec ini) will add
ECDHE ciphers that are supported by those old "reference" versions
of IE and boost your score.
Another way to improve the security
of your server and (incidentally) boost your score at ssllabs.com is to
disable plaintext http and configure HSTS with a duration of at least 6
months. Check out the wiki article for HSTS for more information."
Die für iOS 9 neu kompilierten Apps
können jetzt also kommen.
Quellen:
TLS
Cipher Configuration
Apple's
App Transport Security prevents apps from connecting to a Domino server
Interim
Fixes for 9.0.1.x versions of IBM Notes, Domino, iNotes & Notes Browser
Plug-in
Downloads
des 9.0.1 FP 4 IF 2