The other end of the POODLE

I’ve written about how to front-end your Domino servers with Apache to provide TLS up to TLS 1.2 and block SSLv3. But what about the other side of the problem? You might not be able to upgrade your Java runtime easily, particularly if you’re using IBM XPages. Well, fortunately life is easier on the consumer side of Web Services. There are some system properties which let you enable TLS on earlier Java runtimes where it’s disabled by default.…

Playing Domino without a POODLE

If you run any kind of Internet server, you’ve hopefully heard about the POODLE vulnerability in SSL 3. If you run a Domino server, you need to worry about this, because Firefox plan to turn off SSLv3 support in their next release in a couple of weeks and remove the code in the release after that — and Chrome will follow soon after. SSLv3 is the only secure connection supported in Domino out of the box, so that could leave you with no HTTPS support.…

Learning from Apple's goto fail

I’ve seen multiple posts drawing lessons from Apple’s goto fail. However, they’ve all focused on one or two issues that led to the error. I think there were a good half a dozen problems that led to the error, so here’s my summary.

Problem 1: Braces

The first problem, and the one most people pick up on, is the use of statements outside of code blocks in control flow statements.…

Java SSL/HTTPS via JSSE: Write once, run everywhere?

A common Java problem is to connect to an authenticated Web Service via HTTPS. Doing so while preserving portability can be tricky. There are a lot of helpful tutorials out on the web that say to do something like this: Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider()); System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.www.protocol"); final MyAuthenticator auth = new MyAuthenticator(username, password); Authenticator.setDefault(auth); try { final URL url = new URL(httpsurl); try { final HttpURLConnection urlc = (HttpURLConnection) url.openConnection(); try { // Rest of code However, if you try to deploy the code on a system using IBM’s JVM, you’ll get a rude surprise:…

Looking for debug information in all the wrong places

Today I took some Java code which I had been running on my laptop, and tried to deploy it to the server where it belongs. The code in question is a command-line utility designed to be run from cron. It connects to a Domino server via Web Services, connects to a DB2 server via JDBC, and then pumps data between the two via a protocol designed to try to minimize the number of updates that need to be transferred.…

Domino server and Java client, SSL with self-signed certificate

Here’s the problem scenario: You have a Java client program, and you want it to connect to a Domino server using HTTPS. Java fails at runtime with:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This is happening because you have a self-signed SSL certificate on the server, which Java refuses to accept. You’ve found out that you can import a self-signed SSL cert into Java’s runtime environment using keytool, but Domino uses an obscure proprietary keyring format.…