Now that Verse On-Premises 1.0 is out, I was taking a look at the integration with Connections Files. I've run into an issue with that which I'm still looking at, but as part of the diagnosis, I went back to look at the Connections Files integration with iNotes to try and get some better logging. During that inspection, I came across a different issue after we upgraded our Connections instance to 5.5 and narrowed the TLS settings.
The issue in iNotes was that the client was failing with an SSL handshake error in the iNotes console (nice to have that in iNotes). Further review in the IHS log on the Connections side indicated a cipher mismatch.
First off, on the Domino side I enabled SSL_DEBUG_ALL=1 to get more information and the interesting thing is that Domino as the client was attempting to connect using the ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher. On Domino this is the top cipher used when TLS 1.2 is enabled. However, this cipher isn't enabled by default in IHS according to the docs, so I updated the httpd.conf to add the additional ciphers for TLS 1.2 and all TLS versions.
# SSL Cipher settings
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
After making that change and restarting HTTP, I still saw the handshake errors. Going back into the httpd.conf, I changed the settings from only supporting TLSv12 to all TLS versions:
SSLProtocolDisable SSLv3 SSLv2
Saving and restarting HTTP, this got Connections Files with iNotes working.
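An added example, not part of the original post: a simplified Python model of how the SSLCipherSpec and SSLProtocolDisable lines above combine, used to check which enabled protocols list the cipher Domino offered. It assumes the protocol-qualified directive form shown in this post, does not model IHS built-in defaults or whether a cipher is valid for a given protocol version, and the function names are hypothetical.

```python
# Added example: simplified model of IHS SSLCipherSpec / SSLProtocolDisable.
# Assumptions: only the "SSLCipherSpec <protocol|ALL> <cipher...>" form is
# handled, and IHS defaults are ignored (the config starts with "ALL NONE").
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv10", "TLSv11", "TLSv12"]

# The directives from this post, embedded so the example runs offline.
SAMPLE_CONF = """\
# SSL Cipher settings
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
SSLProtocolDisable SSLv3 SSLv2
"""

def effective_ciphers(conf_text):
    """Return {protocol: ordered cipher list} for protocols left enabled."""
    ciphers = {p: [] for p in PROTOCOLS}
    disabled = set()
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not parts:
            continue
        if parts[0].lower() == "sslprotocoldisable":
            disabled.update(parts[1:])
        elif parts[0].lower() == "sslcipherspec" and len(parts) >= 3:
            all_protos = parts[1].upper() == "ALL"
            targets = PROTOCOLS if all_protos else [p for p in parts[1:2] if p in ciphers]
            for spec in parts[2:]:
                name = spec.lstrip("+-")
                for proto in targets:
                    current = ciphers[proto]
                    if spec.upper() == "NONE":      # reset the list
                        current.clear()
                    elif spec.startswith("-"):      # remove one cipher
                        if name in current:
                            current.remove(name)
                    elif name not in current:       # add, keeping order
                        current.append(name)
    return {p: c for p, c in ciphers.items() if p not in disabled}

def protocols_accepting(conf_text, client_cipher):
    """Enabled protocols whose list contains the cipher a client offers."""
    # Domino's debug output omits the TLS_ prefix that IHS long names carry.
    name = client_cipher if client_cipher.startswith("TLS_") else "TLS_" + client_cipher
    return [p for p, c in effective_ciphers(conf_text).items() if name in c]
```

Calling protocols_accepting(SAMPLE_CONF, "ECDHE_RSA_WITH_AES_256_GCM_SHA384") shows that this configuration lists Domino's preferred cipher under TLSv12 only, while the TLS_RSA ciphers added with ALL are listed for every enabled protocol.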
Unfortunately, that didn't get the Connections Files with VOP working, so I'm back to looking at that. More to come...