Taming the Poodle in IBM Domino 9.0.1

There's been a lot of talk lately about the Poodle Vulnerability and IBM have provided a rather slow and confusing response full of similarly named files across multiple web pages. We've mostly gotten our systems sorted now but as it was a difficult process, I thought I'd share some of the things I've learned. If nothing else, I'm sure that other people could benefit from the fix lists being in the one place. Huge thanks to the guys in the IBM Notes groups on LinkedIn who provided most of the best insights here.
The poodle vulnerability isn't a new thing (it's 15 years old) but recently browser vendors, particularly Mozilla (and soon Google), have issued upgrades which block access to vulnerable sites by default. I guess that means it's time to deal with it.
[Screenshot: what the Firefox error message looks like]
One more thing... In case you've already dealt with poodle and you think that your system is safe because Mozilla Firefox is no longer complaining, here's a good test:
https://www.ssllabs.com/ssltest/
Just enter your server domain in the box (and make sure that you tick the box about NOT showing up on the boards). If you're safe, you'll get an A or a B. If you're still vulnerable to poodle, you'll get an F.
Being on the Latest IBM Domino server
So, the first port of call is to be on the latest IBM server if possible. That's Release 9.0.1.
IBM has actually provided fixes for a few other versions of Domino, so it's not the end of the world if you're not on the latest, provided that you're on one of these.
- 9.0.1 Fix Pack 2
- 9.0
- 8.5.3 Fix Pack 6
- 8.5.2 Fix Pack 4
- 8.5.1 Fix Pack 5
However, I've heard that the 8.5 releases don't include the full fix (I could be wrong). So, a 9.x release is a better bet.
Working out what version/patch your Server is
There are a bunch of different ways to do this but my favourite is to simply fire up the Notes admin client and connect to the server. You'll see the patch level in the top left.

Release 9.0.1FP2HF590 is the first version of Domino (for 64-bit Windows) which is fully patched against Poodle. If your server has a higher number (e.g. 9.0.2 or 9.0.1FP3 or 9.0.1FP2HF700) then you should be fine. If it's a lower number, then you probably have work to do.
Patching
The patches are actually quite simple to install provided that you download all of them and install them in the right order. It's best to make folders (and copy them all to an install folder on your server) before starting anything.
The patches you'll need for a basic unpatched Windows 64-bit Domino 9.0.1 installation are as follows (in this order):
Domino 9.0.1 Fix Pack 2
http://www-01.ibm.com/support/docview.wss?uid=swg24037141
You don't have to install Fix Pack 1 because fix packs are cumulative (they contain the earlier fixes too).
Interim Fixes 1, 2 and 3
Unlike the fix packs, interim fixes are not cumulative: you need to install them all, in the exact order.
- Domino 9.0.1 Fix Pack 2 Interim Fix 1 (This was released twice, so make sure that you have the version from Nov 5, not Nov 3)
- Domino 9.0.1 Fix Pack 2 Interim Fix 2 (released December 12, 2014)
- Domino 9.0.1 Fix Pack 2 Interim Fix 3 (released December 19, 2014)
You should be able to find most of the patches here:
http://www-01.ibm.com/support/docview.wss?uid=swg21657963
Once you've got all your patches in the right place, you'll need to find an outage window to shut down your server. It's strongly recommended that you do a backup before proceeding.
To install the fixes, simply run the EXE files and follow the prompts; they should take only a few minutes each. A server reboot between fixes isn't always necessary, but I've had variable results trying to cheat, so it's worth the extra time on important production servers.
Be careful because some of the fixes look like they're done (with graphs sitting at 100% and a thank you message and a close button). It's not finished until the bar graphs disappear.
Before you do your final reboot, there's an INI file setting that you need to change.
The INI File Setting
Use Notepad to edit your system's Notes.ini file.
Add a line (pretty much anywhere in the file), which says:
DISABLE_SSLV3=1
I'm fairly certain that this overrides the unsupported command:
DEBUG_UNSUPPORTED_DISABLE_SSLV3=17
So if you see that setting you can probably remove it.
After this you can reboot your server, do your testing and redo the Qualys test.
https://www.ssllabs.com/ssltest/
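The two checks described above (the release string against 9.0.1FP2HF590, and the Notes.ini settings) can be scripted when several servers need checking. This is an added example, not IBM tooling or code from the original post; the function names and the sample Notes.ini text are hypothetical, and the comparison simply follows the post's "higher number is fine" rule.

```python
import re

# First fully patched build for 64-bit Windows, as given in the post.
BASELINE = "9.0.1FP2HF590"
_RELEASE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\s*FP(\d+))?(?:\s*HF(\d+))?", re.I)

def parse_release(text):
    """'Release 9.0.1FP2HF590' -> (9, 0, 1, 2, 590); missing parts count as 0."""
    m = _RELEASE.search(text)
    if not m:
        raise ValueError(f"no Domino release found in {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def is_patched(release):
    # The post's rule: a higher number than the baseline should be fine.
    return parse_release(release) >= parse_release(BASELINE)

def read_ini(text):
    """notes.ini text -> {KEY: value}. Upper-casing keys and letting the last
    duplicate win are assumptions of this example."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            settings[key.strip().upper()] = value.strip()
    return settings

def audit(release, ini_text):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    if not is_patched(release):
        findings.append(f"{release}: older than {BASELINE}, patching still to do")
    ini = read_ini(ini_text)
    if ini.get("DISABLE_SSLV3") != "1":
        findings.append("notes.ini: DISABLE_SSLV3=1 is not set")
    if "DEBUG_UNSUPPORTED_DISABLE_SSLV3" in ini:
        findings.append("notes.ini: DEBUG_UNSUPPORTED_DISABLE_SSLV3 is still present")
    return findings

# Constructed sample input, not taken from a real server.
SAMPLE_INI = "[Notes]\nKitType=2\nDEBUG_UNSUPPORTED_DISABLE_SSLV3=17\n"

if __name__ == "__main__":
    for finding in audit("Release 9.0.1FP2", SAMPLE_INI):
        print(finding)
```

A clean result here only confirms the patch level and configuration; the SSL Labs test is still what shows how the server actually responds.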
Other Fears and Concerns.
I've tested this on servers running Traveler, Domino and iNotes. It seems to work. I haven't tested on the current version of Sametime.
There's some discussion around suggesting that this affects mail; I didn't see any impact on mail.
You don't need to get a new SSL certificate. The old ones should still work with TLS.
Other things to Consider
There seems to be a patch for Traveler too, so this is probably worth applying.
I haven't gotten around to testing that one yet.
https://www-304.ibm.com/support/docview.wss?uid=swg1LO82423
Problems.
The main problem I found was this message:
From what I can tell, it's indicating that you're installing fixes either in the wrong order (or that Interim Fix 1 is the wrong dated version).
One time when I received this, I just had to go back to the beginning and install Fix Pack 2 and then the hotfixes carefully. On another server, I can't get past this message (and suspect that a certain amount of uninstalling or rollback will be required).

Like I said, backup before you do this and best of luck taming your poodle.