How is IBM Domino impacted by the POODLE attack?
How is IBM Domino impacted by the POODLE attack and what is the solution?
SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack, which is a man-in-the-middle attack affecting Web browsers. Browsers connecting via SSLv3 to Domino servers running HTTP are exposed to the POODLE attack. As browsers turn off SSLv3 and disable downgrading from TLS, they will be unable to connect to Domino over HTTP as Domino servers currently support only SSLv3.
IBM has released Domino server Interim Fixes that implement TLS 1.0 with TLS_FALLBACK_SCSV for HTTP to protect against the POODLE attack. Implementing TLS 1.0 for Domino will protect against the POODLE attack and will allow browsers to still connect to Domino after they have been changed to address the POODLE attack.
IBM has provided Interim Fixes for the following Domino releases:
9.0.1 Fix Pack 2 – http://www.ibm.com/support/docview.wss?uid=swg21657963
9.0 – http://www.ibm.com/support/docview.wss?uid=swg21653364
8.5.3 Fix Pack 6 – http://www.ibm.com/support/docview.wss?uid=swg21663874
8.5.2 Fix Pack 4 – http://www.ibm.com/support/docview.wss?uid=swg21589583
8.5.1 Fix Pack 5 – http://www.ibm.com/support/docview.wss?uid=swg21595265
Refer to the wiki article "IBM Domino Interim Fixes to support TLS 1.0 which can be used to prevent the POODLE attack" for more information on protocols.
In addition, IBM intends to provide hotfixes for other 8.5.x or 9.x releases on demand. Contact IBM to open a PMR via the IBM Support Portal if you require a hotfix for these other releases.
Note: For any Domino release, placing a proxy server in front of Domino to handle TLS communication will also address this issue. Select a proxy server that disables SSLv3 or prevents a TLS connection from being downgraded to SSLv3. Domino 9.0x for Windows includes a proxy solution, the IBM HTTP Server (IHS), which supports TLS. For more information on this topic, refer to technote 1612316 – "Is it possible to run IBM HTTP Server (IHS) on the same computer as a Domino server?"
DEVICE=bond0
IPADDR=192.168.1.1
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
NM_CONTROLLED=no
BONDING_OPTS="bonding parameters separated by spaces"

DEVICE=ethX
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no
NM_CONTROLLED=no
bringing up interface bond0 connection activation failed master connection not found or invalid
Step 1: chkconfig NetworkManager --level 2345 off
Step 2: service NetworkManager stop
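In IE Options, on the "General" tab, find the "Settings" button to the right of Browsing history.
Click "Move folder" to change where the temporary files folder is stored.
In about:config, choose "New" → "String" and add browser.cache.disk.parent_directory
Add to the program's startup parameters: --disk-cache-dir="T:\temp\" --disk-cache-size=262144000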
Calendar configuration: Sched, CalConn, RnrMgr
resource.nsf (resrc8.ntf): add the administrator role [Create Resource]
tell RnRMgr show Room
[1E1C:0002-1510] 2014/04/30 14:37:50 RnRMgr: Room not found in schedule database
Best Practices to prevent the accidental deletion of meetings and other calendar related documents http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Best_Practices_to_prevent_the_accidental_deletion_of_meetings_and_other_calendar_related_documents
Example: Running an agent on selected documents in the iNotes inbox http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Example_Running_an_agent_on_selected_documents_in_the_iNotes_inbox