IBM Connections Files plugin not working within Notes when TLSv1.2 is enforced

After enforcing TLSv1.2 on our internal Connections 5.5 servers the Files plugin would not work.

In the IHS logs I would see errors such as

[warn] [client 80.229.222.90] [7f9a700a7060] [21173] SSL0222W: SSL Handshake Failed, No ciphers specified (no shared ciphers or no shared protocols). [xx.xx.xx.xx:62899 -> xxx.xxx.xxx.xxx:443] [09:45:11.000102454] 0ms

Enabling trace on IHS showed that the protocol being used was TLSv1.0 which matched Wireshark output. Oddly Status Updates and Activities plugins use TLSv1.2.

"GET /files/basic/api/library/4a7a7240-8f68-44d8-9447-7410cc2bb467/feed?pageSize=300&acls=true&sI=601 HTTP/1.1" 200 168770 TLS_RSA_WITH_AES_128_CBC_SHA TLSV1

I then had to allow TLSv1.0 until I could get an explanation from IBM.

Finally IBM came back with the following two lines to be added to the notes.ini.

SSL_DISABLE_TLS_10
DISABLE_SSLV3=1

Now in access_log I see TLSv1.2 being used.

"GET /files/basic/api/library/4a7a7240-8f68-44d8-9447-7410cc2bb467/feed?pageSize=300&acls=true&sI=601 HTTP/1.1" 200 168770 TLS_RSA_WITH_AES_128_GCM_SHA256 TLSV1.2

IBM also suggested that I check the following was set in plugin_customization.ini, which it was.

com.ibm.documents.connector.service/ENABLE_SSL=true

The notes.ini values have been pushed out to my colleagues via Domino policies.
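
Before enforcing TLSv1.2 it helps to know which clients and which Connections applications still negotiate an older protocol, and the cipher and protocol fields in access_log make that easy to count. The script below is an added example, not part of the original post or IBM's guidance; it assumes each line ends with the cipher and protocol as in the lines above, preceded by a common log format prefix with the client address first, and the sample lines are constructed.

```python
import re
from collections import Counter

# Tail of an access_log line in the format shown above:
#   "<request>" <status> <bytes> <cipher> <protocol>
TAIL = re.compile(
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'(?P<cipher>\S+) (?P<proto>\S+)\s*$'
)

# TLSV1 and TLSV1.2 are the tokens seen in the log lines above;
# TLSV1.3 is assumed to follow the same naming.
ACCEPTED = {"TLSV1.2", "TLSV1.3"}

# Constructed sample lines (documentation IPs, made-up timestamps and paths).
SAMPLE = [
    '192.0.2.10 - - [12/Jan/2016:09:45:11 +0000] "GET /files/basic/api/library/EXAMPLE/feed?pageSize=300 HTTP/1.1" 200 168770 TLS_RSA_WITH_AES_128_CBC_SHA TLSV1',
    '192.0.2.10 - - [12/Jan/2016:09:45:12 +0000] "GET /activities/service/atom2/everything HTTP/1.1" 200 5120 TLS_RSA_WITH_AES_128_GCM_SHA256 TLSV1.2',
    '192.0.2.22 - - [12/Jan/2016:09:46:02 +0000] "POST /files/basic/api/myuserlibrary/feed HTTP/1.1" 201 912 TLS_RSA_WITH_AES_128_CBC_SHA TLSV1',
    '192.0.2.31 - - [12/Jan/2016:09:46:30 +0000] "GET /homepage/ HTTP/1.1" 200 4410 - -',
]

def legacy_requests(lines):
    """Yield (client, app, cipher, proto) for requests below TLSv1.2."""
    for line in lines:
        m = TAIL.search(line)
        if not m:
            continue  # not a request line in the expected format
        proto = m.group("proto").upper()
        # Apache-style logs write "-" for an unset field (e.g. plain HTTP).
        if proto == "-" or proto in ACCEPTED:
            continue
        client = line.split(" ", 1)[0]
        path = m.group("path").split("?", 1)[0]
        app = "/" + path.lstrip("/").split("/", 1)[0]  # e.g. /files
        yield client, app, m.group("cipher"), proto

def summarise(lines):
    """Count legacy-protocol hits per (application, protocol)."""
    return Counter((app, proto) for _, app, _, proto in legacy_requests(lines))

if __name__ == "__main__":
    for (app, proto), hits in summarise(SAMPLE).most_common():
        print(f"{app}\t{proto}\t{hits}")
    for client in sorted({c for c, *_ in legacy_requests(SAMPLE)}):
        print("legacy client:", client)
```

Run against the real access_log, an empty result means no client in that period would be cut off by enforcing TLSv1.2.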


IBM Sametime unsigned WebPlayer plugin in Firefox

In Firefox 43 and above it will not allow you to install unsigned plugins. The effect this has on the WebPlayer plugin is as per the screen shot. A customer made me aware so I tested it with other Sametime deployments I support and the same error was seen.


The error “the add-on download from this site could not be installed because it appears to be corrupt” is not terribly informative. After a couple of hours digging I found https://support.mozilla.org/en-US/kb/add-on-signing-in-firefox?as=u&utm_source=inproduct which told me to make changes to the configuration of Firefox. Hardly something that could be done en masse.

Type about:config into the URL bar in Firefox
In the Search box type xpinstall.signatures.required
Double-click the preference, or right-click and select “Toggle”, to set it to false.

I raised a PMR and initially I was given the same workaround above or to use the desktop installer which is not available to users in STProxy or a Meeting room. Neither was a viable option.

IBM got in touch again and provided me with a development hotfix, SMOL-A7UFVE. This involved replacing STWebPlayer.xpi and STWebPlayerMac.xpi for both the Sametime Proxy and Meeting servers.

I also needed to ensure that I was on a specific version, 9,0,0,1523.

# cat /opt/IBM/WebSphere/AppServer/profiles/****STPPNProfile1/installedApps/****SSCCell/SametimeProxy.ear/stwebav.war/VersionInfo.properties
# *****************************************************************
#
# Licensed Materials – Property of IBM
#
# L-MCOS-96LPYH
#
# Copyright IBM Corp. 2015  All Rights Reserved.
#
# US Government Users Restricted Rights – Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with
# IBM Corp.
#
# *****************************************************************

WebPlayer=9,0,0,1523
Softphone=9.0.0.1869

# cat /opt/IBM/WebSphere/AppServer/profiles/****STPPNProfile1/installedApps/****SSCCell/SametimeProxy.ear/stwebav.war/VersionInfo.txt
WebPlayer Version = 9,0,0,1523
Plugin Version = 9.0.0.1869

L3 also informed me that I needed to update stproxyconfig.xml to mirror the version which I was able to do from the SSC.

/opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/config/cells/****SSCCell/nodes/****STPNode1/servers/STProxyServer/stproxyconfig.xml

<webaudiovideo>
<playerver>9,0,0,1523</playerver>
<softphonepluginver>9.0.0.1869</softphonepluginver>
</webaudiovideo>

I found that it worked without needing to do the above to stproxyconfig.xml.

With the hotfix I was able to get the plugin working for a number of environments. If you are not running the latest version of Sametime Proxy and Meetings then you may need to upgrade to the latest from Fix Central but you should seek guidance from IBM.

In IBM’s hosted deployment of Meetings the plugin cannot be installed via a web browser extension/add-on, you can only install it via the desktop installer. Like IBM’s hosted environment I envisage that in 9.0.1 the plugin will only be available via a desktop installer. I hope that IBM are looking at alternatives to the plugin that work in Chrome too after it dropped support for NPAPI plugins. I would love to see WebRTC being used to replace a plugin or client. I understand that this would have its challenges but it’s already being done with Liberty Profile and Dialogic media server and may help differentiate Sametime from Skype and other AV solutions.