Monday 15 October 2012

Coping with Windows update 2661254 SSL fix on a self-certed Domino server

Well well well, that was an interesting couple of days!
Microsoft in their infinite wisdom decided to release a fix that stops Internet Explorer (a pox on it) accessing any SSL site whose certificate carries an RSA key shorter than 1024 bits, which catches our old 512-bit ones.

Here is a link to the MS document

Now there are very good, sound, security-related reasons for MS to do this, but it did cause me some fretting and sleepless nights this week. I have no doubt that once the fuss dies down you will see Firefox, Opera, Safari and the rest follow suit.

We protect a lot of our internally accessed data with self-certed SSL certificates, and these were created back in the days when 512 bits was more than ample and secure for this purpose. These certs were renewed each year and over time were forgotten about.

The symptoms of the problem once this fix has been applied are:

With IE 8 or earlier, trying to connect gets you a "there is a problem with the web site" error and you can go no further; with IE 9 or later you get the "There is a problem with the certificate" message, but clicking "Proceed to the web site (not recommended)" does nothing.

Now on an i5 server (previously the iSeries or AS/400, nicknamed iBoxes here) renewing a self-certed SSL server certificate is dead easy, and you get the option to change the key length as you do it. For our iBoxes it was: Admin Panel, renew certificate, change bit length, create, apply, restart server, and the problem went away.

But Domino servers ... ahhhh ....

I went into the Certificate Authority NSF created for the server and tried to create a new certificate: not a problem, but there was no field to let me change the key length. ARRRRRRGGHHHHHHH!!! I tried a whole lot of things to get a 1024-bit key, with no great success, so my Quickr users on the one server with the problem had to start using another browser whilst I sorted it out.

As it turns out, Per Lausten, Domino guru and all-round nice chap, tweeted a link that led me to the solution. Many thanks, Per! Once again social networking helps the poor benighted admin out of a tight corner not really of his own making.

Basically what I did was the following, which was the piece missing from the other ways I tried.
The full details are at the link above, but in summary you just start from scratch:

01. I took a copy of the original Certificate Authority NSF created for the server.
02. I took a copy of the .kyr and .sth files currently in use on the server.
03. I created a new NSF using the Domino Certificate Authority template (cca50.ntf).
04. I created a new Certificate Authority key ring file with a 1024-bit key (option 1).
05. I ran Configure Certificate Authority Profile (option 2) for the new key ring file.
06. I set the expiry to 5 years.
07. I ran option 3, Create Server Key Ring & Certificate, and filled in the required details, paying special attention to put CAKeyPair as the CA Certificate Label, the fully qualified domain name of the server as the Common Name, and 1024 as the key length.

Et voilà! I had a new Keyfile.kyr and KeyFile.sth with a 1024-bit key!

All that was left was to copy these to the server and stop and start the HTTP task, and IE started to work again, accompanied by a massive sigh of relief and a couple of memos suggesting we might as well go the whole hog and get "real" certificates even though they cost money.
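To find out which servers are still carrying the old keys (the symptoms above only show up once a user hits one), and to confirm that a replacement key ring really does carry a 1024-bit key before you bounce HTTP, here is a small triage script. It is an added example, not code from the original post or from Per's link, and it uses only Python's standard library: a minimal DER walker pulls the RSA modulus out of an X.509 certificate and compares its bit length with the 1024-bit floor KB2661254 enforces. The `build_test_cert` helper, the `quickr.example.internal` name and the key sizes it feeds in are constructed test data so the script runs offline; `check_server` is the function you would point at a real host.

```python
"""
Triage: does this certificate's RSA key fall under the 1024-bit floor that
KB2661254 makes Internet Explorer enforce?  Standard library only, so it runs
on any admin box; the DER walker is only as deep as this question needs.
"""
import ssl

MIN_RSA_BITS = 1024                                   # floor enforced by KB2661254
RSA_OID = bytes.fromhex("2a864886f70d010101")         # rsaEncryption 1.2.840.113549.1.1.1
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # sha1WithRSAEncryption (test data only)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split the body of a constructed element (SEQUENCE/SET) into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out


def rsa_modulus_bits(cert_der):
    """Return the bit length of the RSA modulus in a DER-encoded X.509 certificate."""
    _, cert_body, _ = _read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE {tbs, sigAlg, sig}
    _, tbs_body = _children(cert_body)[0]
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:                          # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, spki_body = fields[5]
    (_, alg_body), (_, bit_string) = _children(spki_body)
    if _children(alg_body)[0][1] != RSA_OID:
        raise ValueError("not an RSA public key")
    _, rsa_pub_body, _ = _read_tlv(bit_string[1:], 0)  # skip the BIT STRING unused-bits byte
    modulus = _children(rsa_pub_body)[0][1]           # RSAPublicKey ::= SEQUENCE {n, e}
    return int.from_bytes(modulus, "big").bit_length()


def check_cert(cert_der):
    """Return (key_bits, blocked); blocked is True when IE with KB2661254 will refuse it."""
    bits = rsa_modulus_bits(cert_der)
    return bits, bits < MIN_RSA_BITS


def check_server(host, port=443):
    """Live check (not run here): fetch a server's leaf certificate and grade it."""
    pem = ssl.get_server_certificate((host, port))
    return check_cert(ssl.PEM_cert_to_DER_cert(pem))


# ---- constructed test data: a certificate skeleton with a chosen key size ----
def _tlv(tag, value):
    """Encode one DER TLV (lengths up to 65535 bytes)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + value


def _der_int(value):
    """DER INTEGER for a positive value; a leading 0x00 keeps the sign bit clear."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _tlv(0x02, raw)


def build_test_cert(modulus_bits, cn=b"quickr.example.internal"):
    """Constructed, unsigned certificate whose RSA modulus is modulus_bits long.
    Not a real key pair (modulus is 2**(bits-1)+1, signature is all zeros); it exists
    only so the parser above can be exercised offline."""
    rsa_pub = _tlv(0x30, _der_int((1 << (modulus_bits - 1)) | 1) + _der_int(65537))
    alg_id = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    spki = _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + rsa_pub))
    sig_alg = _tlv(0x30, _tlv(0x06, SHA1_RSA_OID) + _tlv(0x05, b""))
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, cn))))
    validity = _tlv(0x30, _tlv(0x17, b"121015000000Z") + _tlv(0x17, b"171015000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _der_int(2)) + _der_int(1) + sig_alg + name + validity + name + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" + bytes(modulus_bits // 8)))


if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        key_bits, blocked = check_cert(build_test_cert(bits))
        print(f"{key_bits:>5}-bit RSA key: {'BLOCKED by KB2661254' if blocked else 'accepted'}")
```

Run as-is it grades constructed 512-, 1024- and 2048-bit certificates; `check_server("host")` fetches a live leaf certificate with `ssl.get_server_certificate` and grades that instead. Two caveats: a current OpenSSL build may itself refuse to finish a handshake with a server that still presents a 512-bit key, in which case the SSL error is your answer; and 1024 bits is only the floor this update enforces, not a recommendation, so when regenerating a key ring it is worth picking 2048 bits wherever the certificate tooling offers it.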

Thanks again, Per, for the link that got this sorted; you are a star!
