Improve your Domino SSL configuration, make your server more secure

Recently, Stephen Wissel tweeted a link to the Qualys SSL Labs SSL Server Test. That site lets you enter the URL of an (internet-facing) server that has SSL enabled and then performs a deep analysis of that server's SSL configuration. You may or may not know that Secure Sockets Layer comes in different flavours: v2, v3, TLS (Transport Layer Security, SSL's successor) and more. An SSL configuration can also support various cipher suites (some of which are less secure than others) or can be vulnerable to things like the BEAST attack. So it's not as if SSL is simply on or off: there is a bit more nuance to it.

Most people reading this will probably now run off to the SSL Server Test and enter the URL to their IBM Domino server. So did I the first time I read about it. Go ahead, I’ll wait…

I guess you were expecting a straight A-grade, but were surprised (or shocked) that you didn't get one. My first score (on a vanilla Domino server) was an F. That shocked me, so I did a bit of research. I found out that, just like in school, you don't get an A for free.

So what can you do to get a better score on a Domino server? Here are two of my personal recommendations:

Disable insecure renegotiation

Described here and here, this TLS renegotiation flaw allows a man-in-the-middle attack (the attacker splices their own data in front of the victim's session) and renegotiation is enabled by default in Domino. Easy fix: add SSL_DISABLE_RENEGOTIATE=1 to your notes.ini.

Disable older, less secure ciphers

Recent browsers support more secure ciphers (AES), but Domino by default still allows older, weaker ciphers (DES, RC4). You can configure what ciphers Domino should support:

  • Open names.nsf and open the server document (or the internet site document) for your server or site.
  • Go to the Security tab and click Edit.
  • In the SSL security section, click the Modify button in the SSL ciphers field.
  • Disable the SSL ciphers you no longer want to allow. The only two I have enabled are RC4 encryption with 128-bit key and SHA-1 MAC, and AES encryption with 256-bit key. There is some debate on whether you should enable RC4 at all. I have enabled it, but leave the choice up to you. Note that RC4's keystream biases have since been shown to be exploitable and RFC 7465 prohibits RC4 in TLS; if all your clients support AES, you are safer leaving it off.

Restart your server and run the SSL test again. That looks a lot better, doesn’t it? Now you can go to bed feeling a bit safer.
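Besides the SSL Labs page, you can verify both changes from the command line. The script below is an added example, not part of the original post or of Domino itself: it uses the openssl client to try a list of cipher suites against your server one at a time, flags the weak ones by their OpenSSL name, and prints the server's secure-renegotiation line. The host name, port and cipher list are assumptions; the OpenSSL names RC4-SHA and AES256-SHA are taken to correspond to Domino's "RC4 encryption with 128-bit key and SHA-1 MAC" and "AES encryption with 256-bit key".

```shell
#!/bin/sh
# Added example (not from the original post): probe a Domino HTTPS endpoint
# for the cipher suites it still accepts and report its renegotiation status,
# using only the openssl command-line client. Host, port and the cipher list
# are assumptions; adjust them for your server.

# OpenSSL names for the suites worth checking. DES-CBC-SHA is single DES,
# DES-CBC3-SHA is 3DES; RC4-SHA is assumed to be Domino's "RC4 encryption with
# 128-bit key and SHA-1 MAC", AES256-SHA its "AES encryption with 256-bit key".
PROBE_CIPHERS="${PROBE_CIPHERS:-DES-CBC-SHA DES-CBC3-SHA RC4-MD5 RC4-SHA AES128-SHA AES256-SHA}"

# Classify a suite by its OpenSSL name: NULL, export-grade, anonymous DH,
# DES/3DES, RC4 and MD5-MAC suites all count as weak.
is_weak_cipher() {
  case "$1" in
    *NULL*|*EXP*|*ADH*|*AECDH*|*DES*|*RC4*|*MD5*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read s_client output on stdin and print the negotiated suite; prints
# nothing when the handshake failed ("New, (NONE), Cipher is (NONE)").
negotiated_cipher() {
  sed -n 's/^New, .*Cipher is \([^ ]*\).*$/\1/p' | grep -v '^(NONE)$' | head -n 1
}

# Read s_client output on stdin and print its secure-renegotiation verdict
# ("Secure Renegotiation IS supported" or "... IS NOT supported").
renegotiation_status() {
  grep '^Secure Renegotiation IS' | head -n 1
}

# Try one suite against host:port; print it and return 0 if the server
# completed a handshake with it, return 1 otherwise.
probe_cipher() {
  out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" -cipher "$3" 2>/dev/null)
  got=$(printf '%s\n' "$out" | negotiated_cipher)
  [ -n "$got" ] && printf '%s\n' "$got"
}

# Full scan: one line per probed suite, then the renegotiation line.
scan_host() {
  host=$1
  port=$2
  for suite in $PROBE_CIPHERS; do
    if got=$(probe_cipher "$host" "$port" "$suite"); then
      if is_weak_cipher "$got"; then
        printf 'WEAK     %s\n' "$got"
      else
        printf 'ok       %s\n' "$got"
      fi
    else
      printf 'refused  %s\n' "$suite"
    fi
  done
  printf 'Q\n' | openssl s_client -connect "$host:$port" 2>/dev/null | renegotiation_status
}

# Usage: sh domino-ssl-probe.sh domino.example.com 443   (host name assumed)
if [ -n "${1:-}" ]; then
  scan_host "$1" "${2:-443}"
fi
```

After the cipher change every DES and RC4 line should read "refused". The renegotiation line only tells you whether the server implements RFC 5746 secure renegotiation; a server that refuses renegotiation altogether (which is what SSL_DISABLE_RENEGOTIATE=1 does) will also show "IS NOT supported". To check that setting by hand, open an interactive `openssl s_client -connect host:443` session and type R followed by Enter to request a renegotiation: a server with renegotiation disabled refuses or drops the connection instead of completing a second handshake.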

Disclaimer: I'm no security expert, but after doing some research I think you're safer with these easy changes (and so does Qualys SSL Labs). Please correct me if I'm wrong. Of course I won't take any responsibility for any of these recommendations.

One thought on "Improve your Domino SSL configuration, make your server more secure"

  1. You could also use Apache or Nginx as a reverse proxy for your Domino server. Those support TLS v1.1 and v1.3 in addition to SSLv3. NginX is quite lightweight compared to Apache or the IBM web server included with Domino 9.

    At the moment I use Apache as an SSL reverse proxy for Lotus Traveler, which works fine. Also, you don't have to deal with Domino's obscure .kyr format for SSL private keys anymore 😉

    There is a good article on securing Apache and Nginx with SSL over here:

    https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

    I would recommend disabling RC4 too. Most browsers have already solved the BEAST attack issue.

    Jeroen
