As I went to bed last night I set the alarm early. I have a lot to do this week, especially since I’ll be at Icon UK for 2 days of it, and I wanted to get started early. So of course today was the day my work went out of the window and I lost 10 hrs debugging one of my own servers. Let’s back up…
This weekend I was prepping my presentations for Icon UK this Thursday. One is called “Domino In The Back, Party In The Front” so I’m going to be talking about all the client options available to you using Domino as a back end.
On Sunday I had the idea of installing IMSMO (IBM Mail Services For Microsoft Outlook) on one of my lab machines. I had a customer wanting to deploy and I wanted to try and mirror their setup, plus it meant I’d have something to demo from. The lab server was already running 9.0.1 FP6 with a SHA2 SSL certificate delivering TLS 1.2. I hadn’t used any web services on it in a couple of weeks so I went ahead and added IF3 (required by IMSMO) and installed the application addin service. It actually installs as a variant of Traveler (and I’ll be blogging on that later). I completed the install and Outlook worked fine. Unfortunately it was the only HTTPS service that worked. Everything failed. By failed I mean the browser – any browser – refused to connect.
So off I went to investigate why the browsers wouldn’t connect. I started with testing via SSLLabs and that reported an F, as apparently the server was demanding SSLv3 instead of TLS 1.2. Of course just about every browser will refuse to accept a negotiation of SSLv3. But why was the server suddenly demanding it when it had never done so before?
Well 10 hrs later I’d exhausted everything I could think of:
- verified notes.ini had no additional unexpected settings
- forced Disable_SSLV3=1 even though that server had been fine serving TLS 1.2 previously
- disabled internet site documents and reproduced using web configuration
- recreated the internet site and web rule documents
- generated a new keyfile from my wildcard certificates
- uninstalled IF3
- uninstalled IMSMO including all the cleanup
- scanned for anything that could be hijacking HTTPS
- restarted and restarted and restarted http and cleared cache upon cache upon cache
- bothered Darren Duke for a sanity check – I believe the words “I don’t know what the hell is going on” came up
- uninstalled Domino (around hour 8) because I couldn’t spend any more time troubleshooting
After uninstalling Domino, reinstalling up to FP6, copying in the databases and templates and restarting, I was back with TLS 1.2 again and suddenly SSLLabs was giving me an A+.
Of course then I did what I should have done in the first place (saving time is never a time saver): I built a new lab server purely for IMSMO. Installed FP6 and IF3 and the addin and everything worked perfectly, including TLS 1.2.
I have no idea what part of the IMSMO install, the addin or IF3, conflicted with my existing lab server configuration or what it did to force the server to only serve SSLv3 no matter how I tried to push it otherwise – but an uninstall and clean install ended up being my only fix in the time I had. Someone somewhere knows the setting that made it do that. I’d love to know what.
Now it’s 4.15am and I’m back where I thought I was at 11pm Sunday night. The 4 days’ work I had to fit in 2 days, I have to fit in 1 day. This week’s lesson: never start something new when you barely have time to get the existing things completed.
See you at Icon UK