Ciphers

In Domino V12, the TLS 1.2 ciphers that use Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) for forward secrecy now support two new curves: X25519 and X448.

These offer better performance and space efficiency than the equivalent NIST Prime curves and are simpler to implement in an error-free fashion. For more information, see the topic Two new curves supported for TLS 1.2 ciphers that use ECDHE for forward secrecy.

In addition, a Domino V12 server configured to use an ECDSA keyring file or ECDSA credentials via CertMgr or kyrtool supports the following two TLS 1.2 cipher suites, which are supported by most current browsers and devices:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xC02B)

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xC02C)
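
To confirm what a server actually negotiated, the following added example (not HCL or Domino code) reads a TLS 1.2 handshake byte stream and reports the selected cipher suite and ECDHE curve. It assumes the record-layer headers have already been stripped; the function names, the `new_v12_curve` key and the sample bytes are illustrative and constructed for this example.

```python
# Suite codes are the two listed on the page; curve ids are IANA Supported Groups values.
ECDSA_GCM_SUITES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}
CURVES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 29: "x25519", 30: "x448"}
SERVER_HELLO, SERVER_KEY_EXCHANGE = 0x02, 0x0C


def handshake_messages(stream: bytes):
    """Yield (type, body) for each handshake message; reject truncated input."""
    pos = 0
    while pos < len(stream):
        length = int.from_bytes(stream[pos + 1:pos + 4], "big")
        body = stream[pos + 4:pos + 4 + length]
        if pos + 4 > len(stream) or len(body) != length:
            raise ValueError("truncated handshake message")
        yield stream[pos], body
        pos += 4 + length


def audit_handshake(stream: bytes) -> dict:
    """Report the negotiated cipher suite and the ECDHE curve the server chose."""
    result = {"suite": None, "curve": None}
    for msg_type, body in handshake_messages(stream):
        if msg_type == SERVER_HELLO:
            if len(body) < 35 or len(body) < 37 + body[34]:
                raise ValueError("short ServerHello")
            offset = 35 + body[34]  # version(2) + random(32) + session_id
            suite = int.from_bytes(body[offset:offset + 2], "big")
            result["suite"] = ECDSA_GCM_SUITES.get(suite, f"0x{suite:04X}")
        # Assumes the ECDHE form of ServerKeyExchange: curve_type 3 = named_curve.
        elif msg_type == SERVER_KEY_EXCHANGE and len(body) >= 3 and body[0] == 3:
            curve = int.from_bytes(body[1:3], "big")
            result["curve"] = CURVES.get(curve, f"unknown({curve})")
    result["new_v12_curve"] = result["curve"] in ("x25519", "x448")
    return result


def build_msg(msg_type: int, body: bytes) -> bytes:
    """Helper for the constructed samples: prepend type and 24-bit length."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


# Constructed sample (not a capture): ServerHello selecting 0xC02B, then an
# ECDHE ServerKeyExchange naming x25519 with a zeroed 32-byte public key.
SAMPLE = (
    build_msg(SERVER_HELLO, b"\x03\x03" + bytes(32) + b"\x00" + b"\xC0\x2B" + b"\x00")
    + build_msg(SERVER_KEY_EXCHANGE, b"\x03\x00\x1D\x20" + bytes(32))
)

if __name__ == "__main__":
    print(audit_handshake(SAMPLE))
```

A suite reported as a bare hex code means the server chose something other than the two ECDSA GCM suites above.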

Note: If you are upgrading from V9.0.1, carefully evaluate your cipher settings. If you currently use the notes.ini setting SSLCipherSpec, after you upgrade to V12, these settings are moved to the server document or Internet Sites document (depending on configuration). The SSLCipherSpec notes.ini setting is ignored.

To review the list of ciphers that were deprecated in V11 and their impact on server configuration, see the article Deprecated Ciphers in Domino 11 on the Support site.