SSL cipher details
This topic provides more information about the use of ciphers.
- ECDHE_RSA_WITH_AES_256_GCM_SHA384
- ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- DHE_RSA_WITH_AES_256_GCM_SHA384
- ECDHE_RSA_WITH_AES_128_GCM_SHA256
- ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- DHE_RSA_WITH_AES_128_GCM_SHA256
Note the following:
- Ciphers that provide Forward Secrecy are prioritized over ciphers that do not per current OWASP recommendations.
- ECDHE ciphers are prioritized over the equivalent DHE ciphers to improve performance
- AES128-GCM ciphers are preferred over the equivalent AES256-CBC ciphers per current OWASP recommendations.
- We recommend against enabling any of the weaker ciphers. If you do nevertheless, you must also enable the USE_WEAK_SSL_CIPHERS=1 notes.ini parameter.
- We strongly recommend against using RC4 ciphers in order to protect against the "RC4 Bar Mitzvah" attack. Even if RC4-SHA (0005) is enabled, Domino will only negotiate that cipher if all of the higher-priority ciphers are not supported by the connecting client.
Forward secrecy
The DHE and ECDHE ciphers use Finite Field and Elliptic Curve Ephemeral Diffie-Hellman to provide Perfect Forward Secrecy (PFS), which protect against an attacker capable of passively recording all of the network traffic flowing into a server from later acquiring the server's private key and decrypting all of that recorded traffic. These ciphers significantly increase the security of your SSL/TLS traffic, at the cost of a potentially significant performance impact.
ECDHE Curves
X25519, NIST P-256, X448, NIST P-384, and NIST P-521 are supported. The fastest (smallest) mutually supported curve will be chosen by the Domino server as per standard practice. Individual curves can be disabled via SSL_DISABLE_CURVE_X25519, SSL_DISABLE_CURVE_P256=1, SSL_DISABLE_CURVE_X448, SSL_DISABLE_CURVE_P384=1, and SSL_DISABLE_CURVE_P521=1. X25519 and X448 are automatically disabled on AIX and OS400. We recommend disabling all ECDHE ciphers if all curves are disabled to improve performance.
DHE Groups
The minimum size for well-known DH groups was increased to 2048 bits as of Domino 9.0.1 FP4 IF2 to better protect against the Logjam attack, except for DHE_RSA_WITH_AES_128_CBC_SHA which will always use a 1024 bit group for compatibility with Java 6. That cipher is among the list of weak ciphers.
SSL_DH_PARAMS=c:\dhparams1024.pem
-----BEGIN DH PARAMETERS-----
MIGHAoGBAN3Cks7CkjenR9zeF+pPSGgWZfI7hoOD5wDNi+CNttIxcU1nruMFXxD7
zsMHoRpwbohcVsrIz1kk1Avn4v7b7/UMXFq3TD2XYeHkj0I5DPEWal5kR0LH+HrC
fbsGob/ttDcmKlWYcMDMW4Y+a5cQYEN7BWE2fsJBlITgehmh32XzAgEC
-----END DH PARAMETERS-----