© 2014 IBM CorporationPowered by IBM SmartCloud Meetings
Poodle & SHA2
Secure your environment
Open Mic
Rahul Kumar
Techni...
2 © 2014 IBM Corporation
About Us
Rahul Kumar -Tech Lead -IBM Domino Server Team
Hansraj Mali – AP SWAT Team
Ranjit Rai – ...
3 © 2014 IBM Corporation
Agenda
1. What is Poodle
2. How Domino is affected by POODLE
3. POODLE Fix for Domino
4. Internet...
4 © 2014 IBM Corporation
What is Poodle
 POODLE stands for Padding Oracle On Downgraded Legacy Encryption.
 This vulnera...
5 © 2014 IBM Corporation
How Domino is affected by POODLE
 Newest versions of Chrome, FF, IE, Safari will prevent SSL con...
6 © 2014 IBM Corporation
Remediation/Fixes
 IBM has released Domino server Interim Fixes that implement TLS 1.0 with
TLS_...
7 © 2014 IBM Corporation
Remediation/Fixes
Domino Release Fix Pack/Interim Fix Download Links
9.0.1 Fix Pack 3 http://www-...
8 © 2014 IBM Corporation
Remediation/Fixes
To disable SSLv3 after applying Poodle Fix
 For the latest version of Domino (...
9 © 2014 IBM Corporation
Internet Encryption
 Public Key Cryptography also known as asymmetric cryptography
 Protects in...
10 © 2014 IBM Corporation
Internet Encryption
 Certificates identify who you are. In order for you certificate to be trus...
11 © 2014 IBM Corporation
Internet Encryption
 Public / private keys are used to encrypt conversations.
 Certificates pr...
12 © 2014 IBM Corporation
Domino's implementation of encryption for web servers
 Certificates are stored in a keyring
 K...
13 © 2014 IBM Corporation
SHA-1 and SHA-2 Certificates
 Domino 8.5.x and 9.x have used SHA-1 certificates
 SHA-1 hashing...
14 © 2014 IBM Corporation
Why SHA-2 Certificates
 Google Chrome, Opera, Firefox will begin to warn users that Domino web
...
15 © 2014 IBM Corporation
KYRTOOL
 Command Line Tool
 IkeyMan tool will not be required
 Overcome the limitations of Ce...
16 © 2014 IBM Corporation
SHA-2 Server Certificate Using KYRTool & OpenSSL
 Prerequisites
 Create a Domino keyring
 Gen...
17 © 2014 IBM Corporation
SHA-2 Server Certificate Using KYRTool & OpenSSL
 Prerequisites
 KYRTool
─ Download link: http...
18 © 2014 IBM Corporation
SHA-2 Server Certificate Using KYRTool & OpenSSL
 Create a Domino keyring
 keyring.kyr and key...
19 © 2014 IBM Corporation
SHA-2 Server Certificate Using KYRTool & OpenSSL
 Generate CSR (Certificate signing request)
─ ...
20 © 2014 IBM Corporation
SHA-2 Server Certificate Using KYRTool & OpenSSL
 Generate CSR (Certificate signing request) us...
21 © 2014 IBM Corporation
SHA-2 Server Certificate Using KYRTool & OpenSSL
 Generate CSR (Certificate signing request) us...
22 © 2014 IBM Corporation
SHA-2 Server Certificate Using KYRTool & OpenSSL
 Generate CSR (Certificate signing request) us...
23 © 2014 IBM Corporation
SHA-2 Server Certificate Using KYRTool & OpenSSL
 To display private key (type server.key)
 To...
24 © 2014 IBM Corporation
SHA-2 Server Certificate Using KYRTool & OpenSSL
 Acquire an SSL/TLS certificate from a third p...
25 © 2014 IBM Corporation
SHA-2 Server Certificate Using KYRTool & OpenSSL
 Extracting roots
─ Select the intermediate ro...
26 © 2014 IBM Corporation
SHA-2 Server Certificate Using KYRTool & OpenSSL
 Extracting roots
─ Select the intermediate ro...
27 © 2014 IBM Corporation
SHA-2 Server Certificate Using KYRTool & OpenSSL
 Extracting roots
─ Select the intermediate ro...
28 © 2014 IBM Corporation
SHA-2 Server Certificate Using KYRTool & OpenSSL
 Extracting roots
─ Choose “Copy to File”
─ Ce...
29 © 2014 IBM Corporation
SHA-2 Server Certificate Using KYRTool & OpenSSL
 Concatenate server.key and server.pem into a ...
30 © 2014 IBM Corporation
SHA-2 Server Certificate Using KYRTool & OpenSSL
 Verify the Input file
 kyrtool =<notes.ini p...
31 © 2014 IBM Corporation
SHA-2 Server Certificate Using KYRTool & OpenSSL
 Import certificates
 kyrtool.exe =<path of n...
32 © 2014 IBM Corporation
SHA-2 Server Certificate Using KYRTool & OpenSSL
 Update Server and test
─ Copy keyring to serv...
33 © 2014 IBM Corporation
SHA-2 Server Certificate Using KYRTool & OpenSSL
 Verify certificate on server
─ Connect to ser...
34 © 2014 IBM Corporation
SHA-2 Server Certificate Using KYRTool & OpenSSL
 Troubleshooting / Debug
─ Verify if there are...
35 © 2014 IBM Corporation
Reference
 IBM Domino Interim Fixes to support TLS 1.0 which can be used to prevent the
POODLE ...
36 | © 2014 IBM Corporation
Thank you
Q & A
Visit our Support Technical Exchange page or our Facebook page for details on ...
of 36

Poodle sha2 open mic

Open Mic presentation conducted on 25-Feb-2015 - for POODLE/SHA-2 - Secure your environment
Published on: Mar 4, 2016
Published in: Education      
Source: www.slideshare.net


Transcripts - Poodle sha2 open mic

  • 1. © 2014 IBM CorporationPowered by IBM SmartCloud Meetings Poodle & SHA2 Secure your environment Open Mic Rahul Kumar Technical Lead, IBM Domino Server Team IBM Collaboration Solutions
  • 2. 2 © 2014 IBM Corporation About Us Rahul Kumar -Tech Lead -IBM Domino Server Team Hansraj Mali – AP SWAT Team Ranjit Rai – AP SWAT Team J Rajendran – AP SWAT Team Narendra Nesarikar- Senior Manager – Facilitator for AP Open Mics
  • 3. 3 © 2014 IBM Corporation Agenda 1. What is Poodle 2. How Domino is affected by POODLE 3. POODLE Fix for Domino 4. Internet Encryption 5. Implementing Web Server Encryption on Domino 6. SHA-2 Certificates 7. Why to use SHA-2 on Domino 8. KYR Tool 9. SHA-2 Server Certificate Using KYRTool & OpenSSL
  • 4. 4 © 2014 IBM Corporation What is Poodle  POODLE stands for Padding Oracle On Downgraded Legacy Encryption.  This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.  POODLE affects older standards of encryption, specifically Secure Socket Layer (SSL) version 3.  It does not affect the newer encryption mechanism known as Transport Layer Security (TLS).
  • 5. 5 © 2014 IBM Corporation How Domino is affected by POODLE  Newest versions of Chrome, FF, IE, Safari will prevent SSL connections, allowing only TLS over HTTP  SMTP, LDAP, POP3, IMAP protocol vendors quickly follow suit moving from SSL to TLS  Latest versions of Google Chrome & Firefox browsers,receive the below errors ─ On Chrome A secure connection cannot be established because this site uses an unsupported protocol. Error code: ERR_VERSION_OR_CIPHER_MISMATCH ─ On Firefox Firefox cannot guarantee the safety of your data on x.x.x.x because it uses SSLv3, a broken security protocol Advanced info: ssl_error_no_cypher_overlap
  • 6. 6 © 2014 IBM Corporation Remediation/Fixes  IBM has released Domino server Interim Fixes that implement TLS 1.0 with TLS_FALLBACK_SCSV for HTTP to protect against the POODLE attack.  Added support for TLS 1.0: ─ Inbound and outbound connections ─ Over all protocols (HTTP, SMTP, LDAP, POP3, IMAP & DIIOP) ─ Prevents both Poodle attacks: CVE-2014-3566 and CVE-2014-8730.  Removed support: ─ SSLv2 ─ SSL renegotiation has been disabled ─ All weak (<128 bits) cipher suites have been disabled
  • 7. 7 © 2014 IBM Corporation Remediation/Fixes Domino Release Fix Pack/Interim Fix Download Links 9.0.1 Fix Pack 3 http://www-01.ibm.com/support/docview.wss?id=swg24037141 9.0.1 Fix Pack 2 Interim Fix 3 http://www.ibm.com/support/docview.wss?uid=swg21657963 9.0 Interim Fix 7 http://www.ibm.com/support/docview.wss?uid=swg21653364 8.5.3 Fix Pack 6 Interim Fix 6 http://www.ibm.com/support/docview.wss?uid=swg21663874 8.5.2 Fix Pack 4 Interim Fix 3 http://www.ibm.com/support/docview.wss?uid=swg21589583 8.5.1 Fix Pack 5 Interim Fix 3 http://www.ibm.com/support/docview.wss?uid=swg21595265
  • 8. 8 © 2014 IBM Corporation Remediation/Fixes To disable SSLv3 after applying Poodle Fix  For the latest version of Domino (8.5.3 FP6 IF6, Domino 9.0.1 FP2 IF3, or later) DISABLE_SSLV3=1  For earlier versions of Domino that have the POODLE fixes DEBUG_UNSUPPORTED_DISABLE_SSLV3=17
  • 9. 9 © 2014 IBM Corporation Internet Encryption  Public Key Cryptography also known as asymmetric cryptography  Protects internet communications from being read by un-authorized medium  Private keys, certificates, hashes and ciphers
  • 10. 10 © 2014 IBM Corporation Internet Encryption  Certificates identify who you are. In order for you certificate to be trusted, a trusted authority stamps your certificate as being trusted by it, and provides it certificate proving it was indeed that authority who stamped it.  Certificates usually have a chain of trust. (I don't know who gave you this, but one has provided a certificate of trust from someone I know, so I will trust all of these certificates.)
  • 11. 11 © 2014 IBM Corporation Internet Encryption  Public / private keys are used to encrypt conversations.  Certificates provide “hashed” data about the key it works with.  Hashes used may be SHA-2, SHA-1, or MD5  Internet encryption has standard protocols for communication – SSL and TLS  TLS is the successor to SSL, essentially a newer version of the protocol  Domino supports TLS 1.0 on Domino 8.5.x and 9.x if poodle fixes are applied  SSL/TLS starts with a “handshake” to establish the protocol version to use, and to exchange necessary information on certificates and keys.  Once two parties agree to an encrypted session, they use a “cipher” that both have in common. This provides the framework for encrypting the conversation using their keys.
  • 12. 12 © 2014 IBM Corporation Domino's implementation of encryption for web servers  Certificates are stored in a keyring  Keyring is a pair of files - .KYR file has the certificates, .STH file has the password  To create a server certificate for the keyring, Certificate Signing Requests (CSRs ) are created  CSRs are encrypted with a private key and sent to a Certificate Authority (CA)  Signed CSRs provide the Server Certificate and the Certificates of the CA that signed it.  The signed CSR is merged into the keyring. The CA root certificates and the server certificate must all be merged.  Requires the encryption of the signed CSRs matches the encryption used when it was created – the private key must match.
  • 13. 13 © 2014 IBM Corporation SHA-1 and SHA-2 Certificates  Domino 8.5.x and 9.x have used SHA-1 certificates  SHA-1 hashing is no longer recommended, CA's and browser vendors are transitioning to SHA-2  Domino 9.x servers can operate with SHA-2 certificates but with its tool for working with certificates, the Domino Server  Certificate Admin database, can not process SHA-1, SHA-2 certificates  New tool created to bypass this limitation – KYRTOOL  KYRTOOL - used in place of the Domino Server Certificate Admin database when SHA-2 certificates are used  Domino 8.5.x can only work with SHA-1 certificates – SHA-2 support is only with Domino 9.x
  • 14. 14 © 2014 IBM Corporation Why SHA-2 Certificates  Google Chrome, Opera, Firefox will begin to warn users that Domino web servers built using SHA-1 are insecure. Only SHA-2 will be considered secure.  Jan-2016: MS (and others) will stop accepting SHA-1 and SSL (predecessor to TLS) per NIST SP 800-131A. Only TLS and SHA-2 will be accepted.  Jan-2016, most 3rd party Certificate Authorities will issue only SHA-2 certs (GoDaddy,VeriSign, Comodo)
  • 15. 15 © 2014 IBM Corporation KYRTOOL  Command Line Tool  IkeyMan tool will not be required  Overcome the limitations of Certificate Admin Database in generating SHA- 1/SHA-2 certificate  Easy to use
  • 16. 16 © 2014 IBM Corporation SHA-2 Server Certificate Using KYRTool & OpenSSL  Prerequisites  Create a Domino keyring  Generate CSR (Certificate signing request)  Export data from the signed CSR  Import certificates using the KYRTool  Update server and test  Put keyring.kyr and keyring.sth in server's data directory  Verify server document settings  Connect to server over SSL  Troubleshooting / Debug
  • 17. 17 © 2014 IBM Corporation SHA-2 Server Certificate Using KYRTool & OpenSSL  Prerequisites  KYRTool ─ Download link: http://www-933.ibm.com/support/fixcentral/swg/selectFixes? parent=ibm~Lotus&product=ibm/Lotus/Lotus+Domino&release=9.0.1.2&platform=All&function=fi xId&fixids=KYRTool_9x_ClientServer ─ Place the KYRTool in the Notes program directory, as it relies on .DLLs installed by Notes.  OpenSSL ─ Download links for the Windows versions of OpenSSL are available at https://slproweb.com/products/Win32OpenSSL.html ─ The light version of OpenSSL is sufficient for the tasks required for creating a SHA-2 certificate. ─ OpenSSL may need updates to Windows Visual C++ libraries. ─ A configuration file "openssl.cfg" will be extracted by the installer to the bin directory. In order for OpenSSL to read this configuration file, you must set an environment variable by running the following command from a DOS prompt SET OPENSSL_CONF=openssl.cfg e.g. SET OPENSSL_CONF=c:OpenSSL-Win64binopenssl.cfg
  • 18. 18 © 2014 IBM Corporation SHA-2 Server Certificate Using KYRTool & OpenSSL  Create a Domino keyring  keyring.kyr and keyring.sth file will be created in the Notes data directory
  • 19. 19 © 2014 IBM Corporation SHA-2 Server Certificate Using KYRTool & OpenSSL  Generate CSR (Certificate signing request) ─ Create new keypair ─ Create certificate request stamped with private key from keypair
  • 20. 20 © 2014 IBM Corporation SHA-2 Server Certificate Using KYRTool & OpenSSL  Generate CSR (Certificate signing request) using OpenSSL ─ Create new keypair Output
  • 21. 21 © 2014 IBM Corporation SHA-2 Server Certificate Using KYRTool & OpenSSL  Generate CSR (Certificate signing request) using OpenSSL ─ Create certificate request stamped with private key from keypair OpenSSL> req -new -sha256 -key server.key -out server.csr
  • 22. 22 © 2014 IBM Corporation SHA-2 Server Certificate Using KYRTool & OpenSSL  Generate CSR (Certificate signing request) using OpenSSL ─ Create certificate request stamped with private key from keypair OpenSSL>req -new -sha256 -key server.key -out server.csr
  • 23. 23 © 2014 IBM Corporation SHA-2 Server Certificate Using KYRTool & OpenSSL  To display private key (type server.key)  To display certificate request (type server.csr)
  • 24. 24 © 2014 IBM Corporation SHA-2 Server Certificate Using KYRTool & OpenSSL  Acquire an SSL/TLS certificate from a third party CA ─ Generally the certificate request block is copied into a web form and pick what signing algorithm you would like the CA to use ─ Signed CSRs are usually in a .crt file ─ Open .crt files with Microsoft Crypto Extensions in Windows ─ Display certification tab ─ Chain of trust is displayed
  • 25. 25 © 2014 IBM Corporation SHA-2 Server Certificate Using KYRTool & OpenSSL  Extracting roots ─ Select the intermediate root certificate ─ View certificat
  • 26. 26 © 2014 IBM Corporation SHA-2 Server Certificate Using KYRTool & OpenSSL  Extracting roots ─ Select the intermediate root certificate ─ View certificate ─ Select the “Details” tab of the certificate
  • 27. 27 © 2014 IBM Corporation SHA-2 Server Certificate Using KYRTool & OpenSSL  Extracting roots ─ Select the intermediate root certificate ─ View certificate ─ Select the “Details” tab of the certificate ─ Choose “Copy to File”
  • 28. 28 © 2014 IBM Corporation SHA-2 Server Certificate Using KYRTool & OpenSSL  Extracting roots ─ Choose “Copy to File” ─ Certificate Export Wizard will open ─ In the certificate export wizard, export to a .cer file in Base- 64 form ─ You can name exported certificate files anything you want, use the .cer or .crt extension in order to be able to view the files using the Windows tool ─ Repeat these steps to export all intermediate certificates and the root certificate to Base 64 (PEM) encoded files
  • 29. 29 © 2014 IBM Corporation SHA-2 Server Certificate Using KYRTool & OpenSSL  Concatenate server.key and server.pem into a single file: ─ Input PEM file is used to import private key, server certificate and root certificates. ─ Order is important → server key first, the server's cert next, the intermediate cert next, and the root cert last. ─ Concatenate the private key and the exported certificates together type server.key server.crt intermediate.crt root.crt > server.txt type server.key server.pem>c:notesdataserver.txt Output server.txt is the input file used by the kyrtool for import into Domino keyring
  • 30. 30 © 2014 IBM Corporation SHA-2 Server Certificate Using KYRTool & OpenSSL  Verify the Input file  kyrtool =<notes.ini path> verify <path of server.txt>
  • 31. 31 © 2014 IBM Corporation SHA-2 Server Certificate Using KYRTool & OpenSSL  Import certificates  kyrtool.exe =<path of notes.ini> import all -k <path of keyring.kyr> -i <path of server.txt>
  • 32. 32 © 2014 IBM Corporation SHA-2 Server Certificate Using KYRTool & OpenSSL  Update Server and test ─ Copy keyring to server's data directory ─ Verify keyring entry in server document is correct ─ Ports – internet ports tab of server document ─ Verify SSL is enabled ─ Restart HTTP ─ Look for errors at HTTP startup
  • 33. 33 © 2014 IBM Corporation SHA-2 Server Certificate Using KYRTool & OpenSSL  Verify certificate on server ─ Connect to server over a browser using https ─ Test opening a database, such as names.nsf ─ Use “view certificate” option in browser to verify certificate is in use
  • 34. 34 © 2014 IBM Corporation SHA-2 Server Certificate Using KYRTool & OpenSSL  Troubleshooting / Debug ─ Verify if there are keyring errors when HTTP starts ─ Connect from a browser running on the server Takes the network out of the picture ─ Debug_SSL_All=1 Logs all SSL/TLS connections
  • 35. 35 © 2014 IBM Corporation Reference  IBM Domino Interim Fixes to support TLS 1.0 which can be used to prevent the POODLE attack http://www.lotus.com/ldd/dominowiki.nsf/dx/IBM_Domino_TLS_1.0  Generating a SHA-2 keyring file http://www.lotus.com/ldd/dominowiki.nsf/dx/Domino_keyring  Planned SHA-2 deliveries for IBM Domino 9.x http://www.ibm.com/support/docview.wss?uid=swg21418982  How is IBM Domino impacted by the POODLE attack? http://www.ibm.com/support/docview.wss?uid=swg21687167
  • 36. 36 | © 2014 IBM Corporation Thank you Q & A Visit our Support Technical Exchange page or our Facebook page for details on future events. To help shape the future of IBM software, take this quality survey and share your opinion of IBM software used within your organization: https://ibm.biz/BdxqB2 IBM Collaboration Solutions Support page http://www.facebook.com/IBMLotusSupport WebSphere Portal http://twitter.com/IBM_ICSSupport