I need a Notes Replicator that will support TLS for my stand-alone Notes client.


      Since 2001 I've been using Lotus Notes client software R5.0.12 stand-alone to manage my internet access and data bases with no issues.  I run using the "Notes with Internet Access" mode and have not problems since working with IBM back in 2004 on PMR51333,1LD to add authentification mods. My Customer Id # is still #xxxxxxx,  Gmail is now my primary ISP and my email address now is xxxxxx@gmail.com  alt. Xxxxxxx@comcast.net.

      Until July 28 I've been able to read my email with my Lotus Notes client using Pop3 or IMAP protocol.  Sometime after 07/28/2015 I've been receiving a "Bad Peer Certificate" errors when attempting to download my emails whether by IMAP or Pop from Gmail.  I still can SEND email with SMTP because Gmail's SMTP server still has a port that supports SSLv3 but I can not pull my Gmail emails into my PC any more.

      What has happened is Google/Gmail has "turned off"  the SSLv3 protocol for its Pop and IMAP servers shortly after 07/28/2015, apparently due to the security worries raised by "Padding Oracle On Downgraded Legacy Encryption (POODLE) concerns (RFC7568).  And that is likely why I'm seeing  these certificate errors now.  I understand SSLv3 is being phased out and replaced with TLS.

      One fix would be for Gmail to provide fall-back ports on their  IMAP and PoP servers  that still support SSLv3, and I've suggested this in the help forum  at https://productforums.google.com/forum/?utm_medium=email&utm_source=footer#!msg/gmail/LtD8sfbazQs/CTA-ucPPmvQJ, but I'm coming to the conclusion that Google/Gmail is unlikely to do this.

      A work around would be to forward incoming emails from Gmail to an alternate ISP (Comcast)  which I can still read from.  But this is cludgey and has separate issues of its own including whether Comcast will eventually abandon SSLv3 as well.

      What I really need then to do is install an updated Lotus Notes Replicator module that will support the TLS protocols; TLS1.0[RFC2246], TLS1.1[RFC4346} and/or TLS1.2[RFC5246] in addition to the SSL ones.  I'm hoping there is a Replicator that does this modular enough to link/plug into my R5.0.12 Lotus Notes client.  If not I do have the installation disks for Lotus Notes client 6.5.1 if that release could be used, otherwise I'd have to acquire a new release but one that would have to work under Windows XP Professional SP 3 on my IBM 350 PC which has no PAE/SSE2 expanded instructions, 133MHz clock, 144MB expanded memory and 88GB hard drive (a "Hot Rodded Model T").  And of course I'd want it to be able to access my R5.0.12 NSF databases.

      Any feedback as to a way to proceed would be appreciated.  PMR #01186,082 was entered to formally document this problem.


Richard Cox
Richard Nelson CoxAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CD, MVPOwnerCommented:
Everything changes in technology at a much faster pace than the real world. What you are trying to do is patch an vintage car to use unleaded gasoline since you can't get leaded gasoline any more without rebuilding the engine due to the changes needed to run on unleaded without causing undue wear on the engine.

You do realize that your pentium 133 is something that should be in a museum and even a netbook would be faster and you would save more than the price in your electricity bill
Richard Nelson CoxAuthor Commented:
Classical definition of hardware: the more you use it the more likely it is to fail (cuz parts wear out).
Classical definition of software:   the more you you use it the more likely it is to work (cuz bugs get worked out).

I'm an old mainframer of 62, former NASA contractor, and I know mainframe shops still have software running written back in the 1960s.  Whether a Model T, T-Bird or Beamer, all those vehicles need gas to run.  

This comment does not tell me if I can get a Notes replicator that supports TLS for my Notes client.
David Johnson, CD, MVPOwnerCommented:
The current version of IBM Notes is version 9 time to update
PMI ACP® Project Management

Prepare for the PMI Agile Certified Practitioner (PMI-ACP)® exam, which formally recognizes your knowledge of agile principles and your skill with agile techniques.

Sjef BosmanGroupware ConsultantCommented:
Indeed. Best go for the latest versions, e.g. IBM Notes 9.0.1 FP3 IF3. See http://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_1.2
Richard Nelson CoxAuthor Commented:
Yes, you are right it may be time to upgrade my Lotus clinet.  Does anyone know if Lotus 9.0.1 will still work with Windows XP?

I will take a look at that TLS 1.2 link.  CONTRARIWISE however I've another idea taken from an internet  discussion about SSLv3:

"Disabling SSL 3.0 entirely right away may not be practical if it is needed occasionally to
work with legacy systems. Also, similar protocol version downgrades are still a concern
with newer protocol versions (although not nearly as severe as with SSL 3.0). The
TLS_FALLBACK_SCSV mechanism from [draftietftlsdowngradescsv00]
addresses the broader issue across protocol versions versions, and we consider it crucial especially for
systems that maintain SSL 3.0 compatibility. The following recommendations summarize

"TLS clients that use a downgrade dance to improve interoperability (N.B. Google/Gmail does) should include the
value 0x56, 0x00 (TLS_FALLBACK_SCSV) in ClientHello.cipher_suites in any fallback
handshakes. This value serves as a signal allowing updated servers to reject the
connection in case of a downgrade attack. Clients should always fall back to the next
lower version (if starting at TLS 1.2, try TLS 1.1 next, then TLS 1.0, then SSL 3.0) because
skipping a protocol version forgoes its better security. (With TLS_FALLBACK_SCSV,
skipping a version also could entirely prevent a successful handshake if it happens to be
the version that should be used with the server in question.)

"In TLS servers, whenever an incoming connection includes 0x56, 0x00
(TLS_FALLBACK_SCSV) in ClientHello.cipher_suites, compare ClientHello.client_version
to the highest protocol version supported by the server. If the server supports a version
higher than the one indicated by the client, reject the connection with a fatal alert
(preferably, inappropriate_fallback(86) from [draftietftlsdowngradescsv00]).

"This use of TLS_FALLBACK_SCSV will ensure that SSL 3.0 is used only when a legacy
implementation is involved: attackers can no longer force a protocol downgrade. (Attacks
remain possible if both parties allow SSL 3.0 but one of them is not updated to support
TLS_FALLBACK_SCSV, provided that the client implements a downgrade dance down to
SSL 3.0.)"

So I'm speculating that a client connect request specifying 0x56,0x01 (turning "on" the TLS_FALLBACK_SCSV flag?) should allow the server being connected to negotiate down to SSLV3.  I'm starting to look at the notes.ini file to see if there is a place there to effect this.  If so and it works I'd have no connection problems with my present Notes client.

Does anyone know where in Notes to specify the TLS-FALLBACK_SCSV flag value for a connect request?  If as I suspect it is in the notes.ini file, does anyone have an example of the setting to use?
Sjef BosmanGroupware ConsultantCommented:
I can confirm that Notes R9.0.1 works on Windows XP. Whether it supports the fallback-option I don't know.
Richard Nelson CoxAuthor Commented:
Thanks for the msg about Notes R9.0.1 working on XP, that may be the way I'll have to go.

Been looking at the notes.ini file on my R5.0.12 system but I do not see anything there that might be control information to send along with a connect request.  Logically it's parameterized SOMEWHERE. even if hard coded in the connect logic.

If anyone has any leads it would be handy to know, such a parm could let me set the TLS_FALLBACK_SCSV flag to indicate SSLv3 allowed in negotiations.
a better solution might be running a local proxy that supports IMAP and TLS and interpose that between your Notes client and Google IMAP. I do not think version 9 will run very nice on your machine.
Severl people have had great succes using nginx to provide TLS for a Domino server, running as a reverse proxy. I suspect it is also capable of providing you with a TLS connection running as a proxy.  It's small, open source, and performant. IMAP proxying is listed as one of it's features.  Just needs configuring. see http://nginx.org/
Sjef BosmanGroupware ConsultantCommented:
That requires a Linux server. I suppose it would then be easier to install the Windows fetchmail version. Not sure if fetchmail can deliver to a Notes client in any way. Domino with fetchmail works flawlessly.
@Sjef: not true.
See http://nginx.org/en/download.html
Windows version listed.
Richard Nelson CoxAuthor Commented:
The proxy idea is another good one, thanks, will look at it.

Generally I've stayed away from automatic upgrading if I do not need it, new releases tend to be much more cpu intensive delivering lots more "bells and whistles" with "fluffy" graphics or extraneous features that I really do not need, and often can be "buggy", especially new releases that depend on new system features.

Why my system has performed as well as it has so far is I try to run it "bare bones" with as little background "service" tasking as possible.  Windows 10 I'm sure is full of these backgound tasks eating up performance.

Probably I'm a bit cynical about new software performance these days after working on the Goddard Real Time System which was optimized to the hilt.  GRTS provided real-time launch and mission support during the Apollo and Space Shuttle eras on two 360/75s.  With multitasking serially reusable applications primarily in Fortran over a reentrant-reusable kernel in assembly driving four independent 2250 work stations the GRTS could support up to 64 targets in space at the same time.  Data was kept in dynamically defined files ("strings") which could be in memory or DASD, apllications ran as "Serial Program Structures" triggered by event routing.  Before leaving I tried to incorporate the ideas into a "Common Product Services Reusable Software Interface" (see files linked to my online profile at http://www.linkedin.com/pub/11/75/829,  specific examples of past work) to NASA and wrote their first network services package using a product SNS/API of Interlink Computer Sciences.  Worked real well, requests could be made asynchronously and synchronous exits would be scheduled when a request completed.

In the early 90s I pushed for using mainframes as the workhorses at the  center of a distributed processing system, nodes spread over a TCP-IP network with applications triggered by event routing on whatever nodes they were defined to run on similarly to how they were triggered as subtasks in the GRTS, treating a network as one "giant multitasking mainframe".  Which is what I guess the "cloud" concept is these days.
Sjef BosmanGroupware ConsultantCommented:
Nevertheless, you do have XP instead of Win98SE... ;-) And I am glad that my PC is a lot more powerful than the 360 you (and I, at university) used at the time. Good times, paradise, no computer viruses, no threats, nothing "social"... I'm coming from a background that's: small is beautiful, PDP11/xx, Unix, 64K bytes, optimised, many small applications working together... It evolved into master/slave, then client/server, but I try to stay away from the cloud: too misty for me.

@Lars, thanks, I stand corrected, though I'd really like to see if nginx is capable of handling this case, i.e. TLS to SSLv3 proxy for a Notes client.
Yup. The expression 'the exercise is left for the student' comes to mind. I.e. probably still a bit of work to make it work. Happy to help out of course.
Richard Nelson CoxAuthor Commented:
Hey, I stayed at 98SE quite awhile too, went to XP primarily to get the better external device interfaces (CD, DVD, etc.) just after 98SE became obsolete, figuring by then the bugs had pretty much been worked out and the system was stable :-).  It's why I'm not all hot to run the "latest and greatest", preferring to let the masses get it stable.

These days though a lot of improvements tend to be more cosmetic than necessary, "agent" software running in the background that watches what you do and tries to guess what you want to buy, etc.  That's cpu wasteful with overhead and  kind of uncomfortable to me in a "Big Brother" sort of way.  I don't like anything running I have not started myself, especially if I do not understand the purpose.

My mentor went into computers when only electrical engineers did (AF pilot in WWII, worked on the ENIAC) and taught me to look at problems from the machine end up rather than the code end down.  He always told me to get the alc expansions whenever I ran compiles and to focus on "what the machine is seeing" when addressing problems.  This often times gave me input to the how a problem occurred, after which I could look at the code to determine why it occurred.  So adept he could "hand disassemble" from storage dumps without using reference material, his favorite phrase was "nothing is sacred to the machine", meaning for the machine to execute it at some point all ciphers, encryptions and other such protection had to be decoded.
Sjef BosmanGroupware ConsultantCommented:
Hehe, I still have some Win98SE virtual PCs that I sometimes use, with... Notes R5 and R6 installations on them. I used to have some clients refusing to upgrade their Notes/Domino environment (sounds familiar?), so I had to keep the oldies running. I agree with you that the early Notes releases usually are quite buggy. R8.0 was a notoriously unreliable example, even R8.0.1 wasn't all that. The Rn.0.2 and higher releases tend to be good. R9.0.1 seems to be a very good release, stable, and rich in functionality.

If you don't need that functionality, and your current Notes version is all you need, stick with it, and see if nginx can help you out. On the other hand, html/mime email are much better understood by newer Notes versions. If you upgrade, you probably have to buy a new licence.

Good luck with your quest!
So, how is progress?
Richard Nelson CoxAuthor Commented:
Greetings All,

I'm employing a "work-around" that saves me from having to make any software upgrades.  Eventually when I decide to upgrade the hardware I'll  likely upgrade to Notes client 9.x, but the work-around is as follows:

1) Open an account with an alternate ISP (Comcast in my case), verify their POP server supports traditional TCPIP port 110 for incoming emails (no SSL).

2) Configure Gmail to forward (then delete) incoming emails to the alternate account.

3) Read the emails from the alternate ISP account into Notes R5.0.12.

This works with no software upgrades needed.  Note that emails may still be sent using Gmail's SMTP server via their SSL port 465.  So to the outside world it looks like you are still using your Gmail address for sends and receives.

Gmail needs to activate their POP server's port 110.  Alternately it would be nice to know if there was a way in the R 5.0.12 client to indicate negotiation allowed or encryption disabled for receive connects.  Maybe a parm in the EHLO command?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Sjef BosmanGroupware ConsultantCommented:
Seems like a viable solution. Excellent.

By the way, you could route outgoing mail through Comcast as well, and still use your gmail account as sender's. It can be configured in your Location document, under Internet mail address. Ah, that's the R9 name, but I suppose it's similar in R5.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Internet / Email Software

From novice to tech pro — start learning today.