NRPC port encryption supports forward secrecy using X25519
Support for forward secrecy (https://en.wikipedia.org/wiki/Forward_secrecy) using X25519 (https://en.wikipedia.org/wiki/Curve25519) has been added to NRPC port encryption on the Domino 12 server.
NRPC client version | Algorithms used when connecting to Domino 12 |
---|---|
Clients prior to V 9.0.1 FP7 | RC4 |
| | 128 bit AES-GCM for network encryption and integrity protection and 128 bit AES tickets |
V 12 | 256 bit AES-GCM for network encryption and integrity protection, X25519 for forward secrecy, and 128 bit AES tickets. |
Note that using the PORT_ENC_ADV notes.ini setting to configure NRPC port encryption overrides the default behavior. If you currently use the PORT_ENC_ADV setting and want to enable X25519 for forward secrecy, add 32 to your current value for that setting. The client side of the network connection advertises which algorithms it supports, and the server selects the most secure combination that both client and server support, based on the server-side notes.ini setting. For more information, see the topic PORT_ENC_ADV. (Note that PORT_ENC_ADV=0 is a valid setting that disables all modern algorithms.)
We recommend enabling LOG_AUTHENTICATION=1 so you can see which algorithms are being used to authenticate and encrypt your NRPC traffic.
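The two settings above can be checked together in a server's notes.ini. The following is an added example, not HCL code: the function names `settings` and `audit` and the sample file are constructed for illustration. It assumes that PORT_ENC_ADV is a sum of flag values (so a value that already contains 32 is left alone) and that setting names are matched case-insensitively.

```python
X25519_FLAG = 32  # from the page: add 32 to PORT_ENC_ADV to enable X25519

# Constructed sample; the value 15 is illustrative only.
SAMPLE_INI = """[Notes]
PORT_ENC_ADV=15
LOG_AUTHENTICATION=0
"""

def settings(ini_text):
    """Collect NAME=value lines (names upper-cased; duplicates are kept)."""
    found = {}
    for line in ini_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip():
            found.setdefault(name.strip().upper(), []).append(value.strip())
    return found

def audit(ini_text):
    """Report X25519 state, a suggested PORT_ENC_ADV value, and logging state."""
    cfg = settings(ini_text)
    report = {"x25519": "default", "suggested_port_enc_adv": None, "notes": []}
    values = cfg.get("PORT_ENC_ADV", [])
    if len(values) > 1 or (values and not values[0].isdecimal()):
        report["x25519"] = "unknown"
        report["notes"].append("PORT_ENC_ADV is duplicated or not a number")
    elif values:
        current = int(values[0])
        if current & X25519_FLAG:
            report["x25519"] = "enabled"
        else:
            report["x25519"] = "disabled"
            if current == 0:
                report["notes"].append("PORT_ENC_ADV=0 disables all modern algorithms")
            else:
                report["suggested_port_enc_adv"] = current + X25519_FLAG
    # Setting absent: "default" stays, meaning the server's default behavior applies.
    report["log_authentication"] = cfg.get("LOG_AUTHENTICATION", [""])[-1] == "1"
    if not report["log_authentication"]:
        report["notes"].append("set LOG_AUTHENTICATION=1 to log negotiated algorithms")
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_INI))
```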