I've walked across the hot coals and installed IHS (the IBM HTTP Server) on our Domino 9.0.1 server to address the POODLE vulnerability. In doing so I disabled SSL 3.0 (and 2.0) on the IHS server, of course. Everything is hunky-dory and the server tests great using the neat Qualys SSL security test (HERE: https://www.ssllabs.com/ssltest/index.html). BUT, the IHS server now throws up warning errors in the IHS "error.log" for every HTTPS connection, even though the connections succeed.
The warning is:
[Sun Oct 19 18:13:06 2014] [warn] [client xx.xxx.xxx.xxx] [109d188] [3220] SSL0222W: SSL Handshake Failed, No ciphers specified. [xx.xxx.xxx.xxx:37578 -> <serverIP>:443] [18:13:06.000141205]
The "xx.xxx.xxx.xxx" is some outside connecting HTTPS connection coming through IHS, and the "<serverIP>" is the private IP of the Domino server running IHS (and Domino HTTP, of course).
It appears that IHS is complaining that it can't pass the connection to the now-proxied Domino HTTP server because it can't find a common cipher -- which is by intent, because the entire purpose here was to disable SSL 3.0 to address "POODLE". SSL 3.0 (or 2.0) is the only SSL common cipher the Domino HTTP and IHS could speak. But SSL 3.0 has been turned off on IHS. The bottom line is that the two web servers are never going to speak a common SSL tongue without IBM updating the Domino SSL stack (which would make IHS redundant...).
So, is there a way to stop the errors or suppress the error messages? Should I worry about the error messages? The error log is going to get big, fast.
What a kludge. Though it works, and I appreciate that there even is a solution to POODLE for Windows Domino machines, IBM needs to make this completely transparent to the customer. I don't care if the solution is to integrate IHS into Domino, but it should feel like a monolithic product, not some add-on (that turns out to be vital).
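To gauge how fast these warnings accumulate and which peers trigger them, here is an added example (not part of the original post and not IBM's code) that parses lines in the format quoted above and counts SSL0222W per client, per hour and per destination listener. The sample lines and their addresses are constructed, and `parse_line` and `summarize` are hypothetical names.

```python
import re
from collections import Counter
from datetime import datetime

# Field layout follows the SSL0222W warning quoted in the post:
# [time] [level] [client IP] [id] [pid] CODE: text [src:port -> dst:port] [hi-res time]
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] "
    r"(?:\[[^\]]*\] )*?(?P<code>SSL\d{4}[A-Z]): (?P<text>.*?)"
    r"(?: \[(?P<src>[^\s\]]+) -> (?P<dst>[^\s\]]+)\])?(?: \[[\d:.]+\])?$"
)

def parse_line(line):
    """Return the fields of one SSL-coded log line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    return rec

def summarize(lines, code="SSL0222W"):
    """Count one message code per client, per hour and per local listener."""
    by_client, by_hour, by_dst = Counter(), Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["code"] != code:
            continue
        by_client[rec["client"]] += 1
        by_hour[rec["when"].strftime("%Y-%m-%d %H:00")] += 1
        by_dst[rec["dst"] or "unknown"] += 1
    return {"total": sum(by_client.values()), "by_client": by_client,
            "by_hour": by_hour, "by_dst": by_dst}

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = """\
[Sun Oct 19 18:13:06 2014] [warn] [client 192.0.2.10] [109d188] [3220] SSL0222W: SSL Handshake Failed, No ciphers specified. [192.0.2.10:37578 -> 10.0.0.5:443] [18:13:06.000141205]
[Sun Oct 19 18:13:09 2014] [warn] [client 192.0.2.10] [109d188] [3220] SSL0222W: SSL Handshake Failed, No ciphers specified. [192.0.2.10:37580 -> 10.0.0.5:443] [18:13:09.000512377]
[Sun Oct 19 18:40:51 2014] [error] [client 198.51.100.7] File does not exist: /constructed/path
[Sun Oct 19 19:02:44 2014] [warn] [client 198.51.100.7] [109d188] [3220] SSL0222W: SSL Handshake Failed, No ciphers specified. [198.51.100.7:51234 -> 10.0.0.5:443] [19:02:44.000090011]
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print("SSL0222W total:", report["total"])
    for name in ("by_client", "by_hour", "by_dst"):
        print(name, dict(report[name]))
```

To run it against a real log, pass `open("error.log")` to `summarize` in place of `SAMPLE`.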