
We currently have problems with a new Domino server (9.0.1) to install a current SSL certificate using Server Certificate Admin DB.

The CA is the German Telekom (Telesec). So far we have received CA1 certificates, the current is a CA2 certificate.

The CA2 certificate has a higher encryption (SHA-2).

Is SHA-2 algorithm for SSL supported with Domino? Any workarounds?

halfer
Reiner
  • Thanks for the information. We tried it with the IBM HTTP Server. Unfortunately, by installing the HTTP server some things were overwritten. And also the plugins via updatesite are no longer working. – Reiner Sep 17 '14 at 10:47

4 Answers

Domino 9.0.1 does not support SHA-2.

You can see that you're not the only one fighting with this, read the thread Recent interest in TLS SHA-2 certificates

As a "workaround" (not suggested) you can use the "IBM HTTP Server" (needed at install), see: http://www-10.lotus.com/ldd/ndseforum.nsf/xpTopicThread.xsp?documentId=0BBA1D75D92075FC85257D3B006FABB8 and look also at the article: http://www.mcpressonline.com/commentary/in-the-wheelhouse-ibm-we-have-an-ssl-problem.html

[edit as time goes by...]

SHA-2 support is available for IBM Domino 9.x starting from Domino 9.0.1 Fix Pack 3.

Emmanuel Gleizer
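Before deciding whether a fix pack or the IBM HTTP Server workaround is needed, it helps to confirm what the CA actually signed the certificate with: the "CA2" difference in the question is the signature algorithm recorded in the certificate's outer AlgorithmIdentifier. The following is an added example, not code from the question or any answer, and not part of Domino, GSK or any IBM tool. It is a minimal pure-Python DER walker that reads the signatureAlgorithm OID of an X.509 certificate and classifies it as SHA-1 or SHA-2 family. The `make_fake_certificate` helper and the filler tbsCertificate it builds are constructed for demonstration only; the OID table covers the common RSA and ECDSA signature OIDs.

```python
"""Classify an X.509 certificate's signature algorithm as SHA-1 or SHA-2 family.

Added example: a minimal DER parser for the outer Certificate structure
(RFC 5280: Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }).
Only the signatureAlgorithm OID is inspected; nothing is verified.
"""

# Common signature OIDs -> (hash family, name). Scope is limited to RSA/ECDSA PKCS#1 v1.5 style OIDs.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("SHA-1", "sha1WithRSAEncryption"),
    "1.2.840.113549.1.1.11": ("SHA-2", "sha256WithRSAEncryption"),
    "1.2.840.113549.1.1.12": ("SHA-2", "sha384WithRSAEncryption"),
    "1.2.840.113549.1.1.13": ("SHA-2", "sha512WithRSAEncryption"),
    "1.2.840.10045.4.1": ("SHA-1", "ecdsa-with-SHA1"),
    "1.2.840.10045.4.3.2": ("SHA-2", "ecdsa-with-SHA256"),
    "1.2.840.10045.4.3.3": ("SHA-2", "ecdsa-with-SHA384"),
    "1.2.840.10045.4.3.4": ("SHA-2", "ecdsa-with-SHA512"),
}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode DER OID content octets to a dotted string."""
    arcs = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 octet of this arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def signature_algorithm(der):
    """Return (dotted OID, hash family, name) for a DER-encoded Certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)             # skip tbsCertificate entirely
    tag, algid, _ = _read_tlv(cert, pos)       # signatureAlgorithm AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_bytes)
    family, name = SIGNATURE_OIDS.get(oid, ("unknown", oid))
    return oid, family, name


# --- constructed test data (not a real certificate) ---------------------------------

def _tlv(tag, value):
    """Encode one DER TLV with a definite length."""
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    """Encode a dotted OID string to DER content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def make_fake_certificate(sig_oid):
    """Constructed Certificate-shaped DER: filler tbsCertificate, real AlgorithmIdentifier, dummy signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                              # filler, not a real TBSCertificate
    algid = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))  # OID + NULL parameters
    sig = _tlv(0x03, b"\x00" + b"\x00" * 32)                            # BIT STRING, zero unused bits
    return _tlv(0x30, tbs + algid + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(signature_algorithm(make_fake_certificate(oid)))
```

To run this against a real certificate, read the DER bytes from the file (or strip the PEM armour and base64-decode it first) and pass them to `signature_algorithm`; a "SHA-2" result on the server or intermediate certificate is exactly the case that a pre-Fix-Pack-3 Domino 9.0.1 cannot load.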

IBM have now posted a fix pack to support TLS http://www-10.lotus.com/ldd/dominowiki.nsf/dx/IBM_Domino_TLS_1.0

  • If the question is about a limitation in a product, then a link to an update that fixes the limitation is a valid answer. – JasonMArcher Nov 10 '14 at 20:26

My understanding from my vendor (GoDaddy) is that any certificate which expires after 2017 must be issued with SHA-2 algorithm. Therefore if you renew for three years they have to use SHA-2.

Domino does not (yet) support SHA-2 and it is unclear if it ever will. If you are running under the Windows OS, the IHS (IBM HTTP Server) is an option for you. But Domino under other OSes (we are using Linux) has no such option.

GoDaddy support promptly credited my account and reissued the order for a two year renewal so I could get the certificate with an SHA-1 algorithm. The only thing I lost in the process was one month on the certificate.

At the recent MWLUG conference IBM Product Managers heard from several attendees that something needed to be done and that sooner was critical because it was already costing users effort and money. Hopefully there will be a fix.

halfer
Newbs

I guess in the context of Poodle it is TLS, not SHA-2, that is critical, but anyway here is how to get SHA-2 working with Domino 9 without IBM HTTP. I did this with multiple GSK kits and Server Certificate Administrator for Domino. The instructions are quite massive and therefore it is easiest to go to the following link. This is a blog post written by me and it is on my company's website: http://www.infoware.com/?p=1592 TLS is NOT SOLVED by this, only SHA-2. Regards, Mats

  • Please include the relevant details in your answer directly instead of linking to an external site. – b4hand Oct 21 '14 at 20:09