Domino V11 TLS Cipher Configuration

More on HCL Domino V11, this time on the (finally!) updated configuration of TLS ciphers for your Internet protocols. I know, you couldn't wait for this exciting new feature because you really enjoy maintaining notes.ini parameters. It means the ol' SSLCipherSpec notes.ini setting isn't needed any longer, since the ciphers are now configured in the Internet Site document. But there is some work to do as you upgrade your existing servers to the new release.

Console message

When you start the HTTP task for the first time after upgrading, you'll likely see the above messages for each and every Internet Site document that is set up to be served from that Domino server. To see what's going on, open one of those Internet Site documents, go to the Security tab and scroll down. Here's what one looked like on my lab server after upgrading from V10.

TLS Cipher Config

The configuration lists both the current and the deprecated ciphers that are permitted. You'll see four ciphers marked "(deprecated)"; those are the ciphers causing the console messages. To remove them, edit the Internet Site document and deselect them in the deprecated section of the dialog box shown below.

TLS Cipher Dialog

Repeat this for every Internet Site document on each upgraded server, and for every protocol. Don't forget LDAP, IIOP, SMTP and the rest; it's not just for web sites.

After saving the documents, a "tell http refresh" will update the ciphers in use.

You will still need notes.ini to disable the old protocol versions. The cipher selection in the Internet Site document does not turn off SSLv3 or TLS 1.0; use the following settings for that:

DISABLE_SSL_V3=1
SSL_DISABLE_TLS_10=1

After updating the Server Configuration document (you are setting these through the configuration document rather than editing notes.ini by hand, right?) and confirming the settings have been written to notes.ini, the command "tell http refresh" will apply them.
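Once the Internet Site documents and notes.ini are updated, the sensible check is from the outside: does the server still accept TLS 1.0, and does it still negotiate any of the deprecated ciphers, on each protocol, not just HTTPS? The script below is an added example for that check and is not from the original post or from HCL; it drives openssl s_client against HTTPS, LDAPS and SMTP with STARTTLS. The host name, the port numbers and the DEPRECATED_CIPHERS list are assumptions: set DOMINO_HOST to your server and replace the cipher names with the four your Internet Site document showed as "(deprecated)". SSLv3 is not probed because current openssl builds no longer include it on the client side.

```shell
#!/bin/sh
# Added example, not part of the original post or of Domino itself.
# Probe a Domino server's TLS listeners after the V11 cipher cleanup:
# TLS 1.0 should be rejected (SSL_DISABLE_TLS_10=1), TLS 1.2 accepted,
# and none of the ciphers deselected in the Internet Site docs offered.
# Requires openssl s_client (1.1.1 or later for "-starttls ldap").

# Assumptions: the server to test and the ciphers you removed.
HOST="${DOMINO_HOST:-}"
DEPRECATED_CIPHERS="${DEPRECATED_CIPHERS:-AES128-SHA AES256-SHA}"   # placeholder names, substitute yours

# Classify openssl s_client output. A failed handshake prints
# "Cipher is (NONE)" (and "Cipher    : 0000" in the session block);
# a successful one prints "Cipher is <suite name>". Anything else
# (connection refused, timeout) is also treated as rejected.
handshake_result() {
    if printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'; then
        echo rejected
    elif printf '%s\n' "$1" | grep -Eq '^ *Cipher *: *0000'; then
        echo rejected
    elif printf '%s\n' "$1" | grep -Eq 'Cipher is [A-Z0-9-]+'; then
        echo accepted
    else
        echo rejected
    fi
}

# probe PORT LABEL [s_client options...]
# One handshake attempt; prints "<label> (<port>)  accepted|rejected".
probe() {
    port="$1"; label="$2"; shift 2
    out=$(openssl s_client -connect "$HOST:$port" "$@" </dev/null 2>&1 || true)
    printf '%-32s %s\n' "$label ($port)" "$(handshake_result "$out")"
}

main() {
    echo "== TLS 1.0 (expect: rejected on every protocol) =="
    probe 443 "HTTPS TLS1.0" -tls1
    probe 636 "LDAPS TLS1.0" -tls1
    probe 25  "SMTP STARTTLS TLS1.0" -starttls smtp -tls1
    probe 389 "LDAP STARTTLS TLS1.0" -starttls ldap -tls1

    echo "== TLS 1.1 (for information; the notes.ini lines above do not disable it) =="
    probe 443 "HTTPS TLS1.1" -tls1_1

    echo "== TLS 1.2 (expect: accepted) =="
    probe 443 "HTTPS TLS1.2" -tls1_2
    probe 636 "LDAPS TLS1.2" -tls1_2
    probe 25  "SMTP STARTTLS TLS1.2" -starttls smtp -tls1_2

    echo "== deprecated ciphers on HTTPS (expect: rejected) =="
    for c in $DEPRECATED_CIPHERS; do
        probe 443 "HTTPS $c" -tls1_2 -cipher "$c"
    done
}

if [ -n "$HOST" ]; then
    main
else
    echo "usage: DOMINO_HOST=your.server.example [DEPRECATED_CIPHERS='...'] $0" >&2
fi
```

Run it once before and once after the "tell http refresh"; a cipher that still shows "accepted" means an Internet Site document for that protocol was missed, and a TLS 1.0 line that shows "accepted" means the notes.ini change has not reached the running server. If a listener is unreachable, s_client can sit on the connect for a while; wrap the probe calls in your system's timeout command if you have one.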
