This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:
We solved this issue by:
1. Only using the top 3 RC4 ciphers in the Internet Site documents (LDAP, SMTP, HTTP, IMAP).
2. SSL_DISABLE_RENEGOTIATE=1.
This enabled us to go from an "F" rating to a "B" rating. It did also get the SSL Labs site (www.ssllabs.com/) complaining that the disable renegotiate is a mask, not a fix, and suggesting that all admins contact their vendors for critical updates to address the vulnerabilities.
Worse, according to SSL Labs, 50% of us are now only using the RC4 ciphers, and now several new RC4 vulnerabilities have been found, so downgrading below "B" in the near future is supposedly imminent.
Domino 8.5.x and Domino 9 are vulnerable to the BEAST vulnerability. The only option is to dump/protect the Domino HTTP stack and run a proxy in front. If MS Windows 2008/2012 and Domino 9, use the IHS custom option, but WATCH THE SSL LOOP ISSUE! If on another platform, you are out of luck. You have to do a manual IHS/Apache install, or take the PCI / PII non-compliance penalties.
IBM welcomes PMRs:
"PMR requests for an IHS module for the Linux installation of Domino will increase weight added to the SPR and heighten awareness of customer needs. As always, this is welcomed."
Powell Pendergraft,
Lotus software IBM Software Group
Feedback response number WEBB97G97Q created by ~Lorraine Desgeroverli on 05/07/2013