Security is ALL
First, there have been a number of discussions on how to extract the private key from the Domino-crafted .kyr SSL keyfile. While we have used IKeyMan for other projects, in this case we took the easier route of just reissuing the key from GeoTrust– this allowed us to start with a Domino CSR and keyfile and then just reissue in an alternate format for use with nginx. Do proceed with caution if you look at this route, however: while GeoTrust has a policy of continuing to verify the old keys through reissuance others (GoDaddy, at least) will revoke the old certificates, rendering any direct traffic to Domino untrusted.
But with all this done, why the Big Red X when testing for the vulnerability? While TLS was the preferred security, SSLv3 was still enabled as a backup.
Checking out the nginx configuration the ssl_protocols seemed set correctly: only TLSv1 was listed. Looking at the ssl_ciphers, however, we were able to find the culprit: a fallback to SSLv3 for lower security. Examining suggestions from across the web for a secure set of ciphers that would not be vulnerable, we ultimately went with those from StackExchange’s information security forum here. A quick commenting of previous ciphers, addition of the new ones, and a few seconds for a restart and we were able to prove the vulnerability had been patched against.
Are there any concerns about client incompatibility, though? Not many, at least: TLS has been built into the most popular browsers for years (http://en.wikipedia.org/wiki/Transport_Layer_Security). IE7, for reference, was released October 18, 2006, so it will have been supported there 8 full years as of tomorrow. I imagine someone out there still is using IE6, but for the protection of the masses this is a clear and easy decision.
Interested in getting your sites a quick security patch or in further discussing this with us? Contact us today.
Darren Duke’s post about the SHA-2 SPR: http://blog.darrenduke.net/darren/ddbz.nsf/dx/so-domino-and-sha2…..theres-a-spr-for-that.htm
Bill Malchisky’s excellent (and continuously updating) post on POODLE and efforts to combat it in Domino: http://www.billmal.com/billmal/billmal.nsf/dx/ssl3.poodle.intro.htm