IBM Connections News

Unofficial commentary by Stuart McIntyre

Latest Posts

  • 3.0.1, 4.0, 4.5, 5.0, IBM Connections, Technical Info

    POODLE bug hits IBM Connections hard

    written by Sjaak Ursinus
    Poodle vulnerability

    Last Monday another big hole was found in the SSL version 3 (SSLv3) technology. The bug is called POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption. With this bug found, your first reaction as the admin of an IBM Connections environment would be to disable SSLv3 on your front-end web server (which in an IBM Connections environment is generally the IBM HTTP Server). When you do this you will be surprised by the outcome: your environment doesn’t work anymore. I will try to explain here in short what happens.

    IBM Connections has an HTTP client embedded in its applications. This client is based on the open source Apache Commons HTTP Client. It is only used for creating HTTP traffic and basically has nothing to do with SSL/TLS itself. The IBMJSSE2 library (which is part of WebSphere itself) is the library used for creating the SSL/TLS encryption layer for the HTTP data. So what basically happens is that the Apache Commons HTTP Client creates an HTTP message and hands that message to the IBMJSSE2 library, which encrypts it and sends it (it is a bit more complicated than this, but you can use this as a reference to make it understandable).

    Within IBM Connections it seems that the Apache Commons HTTP Client is currently configured to tell the IBMJSSE2 library to use only SSLv3, even though the IBMJSSE2 library is perfectly suited to use TLSv1 and higher. Which TLS versions are supported depends on the version of this library, which is delivered with WebSphere, so it basically depends on which version of WebSphere you run. As you can understand, if you have just disabled SSLv3 on your front-end server you will now run into a problem. When one of the IBM Connections applications needs to access one of the other apps via the web front end, it will try to do that with SSLv3, which you have disabled on your front-end server. So it can’t make a connection, and voilà, your environment is dead 🙂

    One workaround that can be used to reduce the impact of the bug in your environment is as follows. We have just seen that disabling SSLv3 isn’t an option, even though IBM communicates otherwise. We can add some lines to the HTTP config file that check who is trying to build an SSLv3 connection to the web server. If we identify the source as our IBM Connections environment we allow it; otherwise we redirect it to a “sorry, SSLv3 isn’t allowed” page on your environment.

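    What you can do is add these lines to your config:

    RewriteEngine on
    # Act only on connections negotiated with an SSL protocol version (value starts with SSLV)
    RewriteCond %{ENV:SSL_PROTOCOL_VERSION} SSLV(.*)
    # Exempt the WebSphere server. The pattern is a regex: keep the anchors and escape the dots in the IP
    RewriteCond %{REMOTE_ADDR} !^<your_ip_address_of_websphere_server>$
    # Do not redirect requests for the error page itself
    RewriteCond %{REQUEST_URI} !errorpages/(.*)
    RewriteRule ^/(.*)$ https://<FQHN>/errorpages/ssl_errorpage.html [R,L,NE]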

    What this basically does is test whether the incoming connection is an SSLV1/SSLV2/SSLV3 connection. If it is, it then tests whether the connection is coming from WebSphere. If so, the traffic is allowed; if not, you are redirected to a self-created error page where you can explain that you no longer allow SSL, only TLS.

    It really is a workaround, and I don’t say it is the best solution, but it is at least better than nothing. I really hope IBM comes with a fix fast! With this implemented you can at least be sure that sensitive information isn’t being sent over SSL.
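    To check which clients still negotiate SSL and whether only the exempted WebSphere host is among them, the access log can be audited. This is an added example, not part of the original post: it assumes a custom IHS LogFormat that writes %{SSL_PROTOCOL_VERSION}e as the last field, and all addresses and log lines are constructed.

```python
import re
from collections import Counter

# Assumed (not from the post) IHS access-log format, protocol as last field:
#   LogFormat "%h %t \"%r\" %>s %{SSL_PROTOCOL_VERSION}e" sslaudit
LINE = re.compile(
    r'^(?P<ip>\S+) \[[^\]]+\] "[^"]*" \d{3} (?P<proto>\S+)$'
)

# Constructed address standing in for the WebSphere host exempted by the rule.
WEBSPHERE_IPS = {"192.0.2.5"}

def audit(lines, trusted=WEBSPHERE_IPS):
    """Split SSLv2/SSLv3 requests into exempted WebSphere traffic and other
    clients; return (exempt, offenders, skipped_line_count)."""
    exempt, offenders, skipped = Counter(), Counter(), 0
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            skipped += 1          # malformed or differently formatted line
            continue
        proto = m["proto"].upper()
        if not proto.startswith("SSLV"):
            continue              # TLS request, nothing to report
        # Exact comparison: 192.0.2.50 must not pass as 192.0.2.5.
        bucket = exempt if m["ip"] in trusted else offenders
        bucket[(m["ip"], proto)] += 1
    return exempt, offenders, skipped

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '192.0.2.5 [18/Oct/2014:10:00:01 +0200] "GET /app/feed HTTP/1.1" 200 SSLV3',
    '192.0.2.5 [18/Oct/2014:10:00:02 +0200] "GET /app/feed HTTP/1.1" 200 SSLV3',
    '192.0.2.50 [18/Oct/2014:10:00:03 +0200] "GET / HTTP/1.1" 302 SSLV3',
    '198.51.100.77 [18/Oct/2014:10:00:04 +0200] "GET / HTTP/1.1" 302 SSLV3',
    '198.51.100.77 [18/Oct/2014:10:00:05 +0200] "GET /errorpages/ssl_errorpage.html HTTP/1.1" 200 SSLV3',
    '203.0.113.9 [18/Oct/2014:10:00:06 +0200] "GET / HTTP/1.1" 200 TLSV1',
    'truncated line without protocol field',
]

if __name__ == "__main__":
    exempt, offenders, skipped = audit(SAMPLE_LOG)
    print("exempted WebSphere SSL requests:", dict(exempt))
    print("other clients still on SSL:", dict(offenders))
    print("unparsed lines:", skipped)
```

    Clients reported as offenders completed an SSL handshake before the rewrite rule redirected them, so they are the ones to move to TLS.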

    Update 18-Nov-2014
    As Luis commented on this article, IBM has delivered a fix today for the POODLE bug for IBM Connections from version 3.0.1 through version 5. Here is the link to the TechNote document

    POODLE bug hits IBM Connections hard was last modified: April 7th, 2017 by Sjaak Ursinus
    October 18, 2014
  • IBM Connections, Security, Technical Info

    Big news for security in IBM Connections

    by Sjaak Ursinus September 29, 2014

    IBM Connections has a strong representation in the market of collaboration.

  • Mobile

    IBM Connections Mobile app for android

    by Sjaak Ursinus September 17, 2014

    One of the best parts of IBM Connections is the fabulous mobile application for android and iOS.

  • Analysis

    Using IBM Connections? Please complete this research survey!

    by Stuart McIntyre September 17, 2014

    My good friend and esteemed analyst and author, Michael Sampson, is asking for feedback on your usage of IBM Connections.

  • Presentations, Social Connections

    My Social Connections VI session: ‘Social Business: The unstoppable force to overcome immovable objections’

    by Stuart McIntyre August 18, 2014

    As you may have heard by now, we took the significant step of recording every single session at Social Connections VI back in June. As the videos have been processed and uploaded, the team have been publishing them on our Vimeo channel as well as highlighting some of the most popular sessions on the Social Connections blog – it’s worth checking them out if you haven’t already.

  • 5.0, Analysis, IBM Connections, IBM Connections Cloud

    Ovum Research publishes ‘SWOT Assessment: IBM Connections Version 5.0 and IBM SmartCloud Connections’

    by Stuart McIntyre August 14, 2014

    Ovum have just published a new paper, entitled ‘SWOT Assessment: IBM Connections Version 5.0 and IBM SmartCloud Connections’. In it they analyse IBM’s solutions in the Social Business area – Connections and SmartCloud Connections

  • 4.5, Fixes & Updates, IBM Connections

    IBM Connections 4.5 CR5 is now available

    by Stuart McIntyre August 5, 2014

    The latest CR for IBM Connections 4.5 has just been released…

  • 5.0, Blogs, IBM Connections, Partners & ISVs

    Experiences with IBM Connections 5

    by Stuart McIntyre August 4, 2014

    I just wanted to quickly recommend a couple of posts from Julius Schwarzweller at German IBM business partner, GIS AG.

  • 3.0.1, 4.0, 4.5, 5.0, Fixes & Updates

    Apache Struts security issues – time to patch your IBM Connections install

    by Stuart McIntyre August 4, 2014

    I’ve just come across an IBM technote from May 2014 that has been updated over the last few days, listing details of a number of vulnerabilities in Apache Struts

  • 4.5, IBM Connections, Partners & ISVs

    Ephox EditLive! for IBM Connections updated

    by Stuart McIntyre July 22, 2014

    The powerful enhanced rich text editor for IBM Connections, Ephox EditLive, has just been updated to version 2.5.2.45 and is available from IBM FixCentral

  • Extensions, IBM Connections

    IBM Connections QuickSearch for Chrome updated

    by Stuart McIntyre July 21, 2014

    I first blogged about the IBM Connections QuickSearch plugin for Google Chrome three weeks ago. Back then it was at version 1.8.

    Remarkably since then the author, Romain Lienard, has released four updated versions.

@2017 - Stuart McIntyre. All Rights Reserved.

