TLS/SSL ciphers

Many clients will not support older or more vulnerable SSL ciphers. These are generally not enabled on the HCL Domino server, but if a particular cipher needs to be disabled to keep clients from trying to use it and encountering problems, the following procedures show how to disable it. (See Modifying TLS cipher restrictions in the Domino documentation.)

Procedure

  1. Use the Domino® Administrator client to open the server's public address book.
  2. In the navigator, select the Configuration tab, then select Server > Current Server Document.
    1. Click the Edit Server action.
    2. Select the Ports tab, then select Internet Ports.
    3. Set TCP/IP port status to Enabled. Redirect to SSL should not be used.
    4. Under SSL authentication options, the Client Certificate field should be set to No.
    5. In the SSL settings section of the form, select the Modify button under the SSL ciphers item.
    6. In the SSL Cipher Settings dialog, deselect the ciphers to be disabled.
  3. Save your changes.

Alternate procedure

  1. Ciphers may also be disabled via the Internet Sites document. (See Setting up Domino® security for Internet site documents in the Domino documentation.) If there is an Internet Site document for your server, open it.
    1. Click the Edit Web Site action.
    2. Select the Security tab.
    3. Under TCP Authentication options, the Redirect TCP to SSL field should be set to No.
    4. Under SSL authentication, the Client Certificate field should be set to No.
    5. Select SSL Security > SSL Ciphers > Modify.
    6. In the SSL Cipher Settings dialog, deselect the ciphers to be disabled.
  2. Save your changes.
    Note: Depending upon the version of HCL Domino and/or the Domino Directory template (pubnames.ntf), references to SSL may be replaced by TLS. TLS is the successor to SSL.
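
After saving either procedure, the change can be confirmed from a client by offering the server only the cipher that was deselected. The following is an added example, not HCL code and not part of the Domino documentation; it assumes Python 3.7 or later, OpenSSL-style cipher names (the labels in the SSL Cipher Settings dialog may differ), and a placeholder host, port and cipher list.

```python
import socket
import ssl


def probe_context(cipher):
    """Client context that offers only `cipher` (an OpenSSL cipher name)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Probe only: this checks what the server negotiates, not its identity.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Cap at TLS 1.2 so a TLS 1.3 suite cannot be negotiated in place of
    # the cipher under test (set_ciphers does not govern TLS 1.3 suites).
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher)  # ssl.SSLError if the local OpenSSL lacks it
    return ctx


def server_accepts(host, port, cipher, timeout=5.0):
    """True if the server completes a handshake using `cipher`.

    A refused handshake returns False. Failure to connect at all (closed
    port, unreachable host) raises, so it is not mistaken for "disabled".
    """
    ctx = probe_context(cipher)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0] == cipher
        except (ssl.SSLError, ConnectionError):
            return False


def audit(host, port, deselected):
    """Map each deselected cipher to True (still accepted), False
    (refused), or None (this client's OpenSSL cannot offer it)."""
    results = {}
    for name in deselected:
        try:
            results[name] = server_accepts(host, port, name)
        except ssl.SSLError:
            results[name] = None
    return results


if __name__ == "__main__":
    # Placeholder host, port and cipher list: substitute your own server
    # and the ciphers you deselected in the SSL Cipher Settings dialog.
    for name, state in audit("domino.example.com", 443, ["AES128-SHA"]).items():
        print(name, {True: "STILL ACCEPTED", False: "refused", None: "not testable"}[state])
```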