Delivering TLS 1.2 functionality as an Interim Fix (IF) once the functionality was ready, instead of waiting for the next feature release of IBM Domino, prevented us from changing any strings or editing any templates. In particular, the existing SSL configuration settings in Server documents and in Internet Site documents were not altered, and therefore they can no longer be used to specify which protocol versions and ciphers can be used for SSL/TLS. The protocol version configuration settings have not been used since the Interim Fixes that introduced TLS 1.0 removed SSLv2 support entirely from the product. The cipher configuration settings are no longer used starting with the Interim Fix that introduces TLS 1.2 support, because they offer a host of weak ciphers but none of the stronger algorithms that use AES-GCM, SHA256, and/or DHE.
Default settings have been chosen such that all an administrator needs to do to have a server configured to use TLS 1.2 and strong, modern ciphers is to install Domino 9.0.1 FP3 IF2. Explicit configuration is necessary only for those with requirements to add forward secrecy at a significant performance cost, disable SSLv3 or TLS 1.0, or re-enable weak ciphers.
This article describes how administrators can configure SSL/TLS cipher specifications in Domino 9.0.1 FP3 IF2 without using the no-longer-functional settings in the public directory.
Default Cipher List
When using TLS 1.2:
When using TLS 1.0 or SSLv3:
- Starting with 9.0.1 FP3 IF2, Domino will select the mutually supported cipher that it prefers most instead of the cipher preferred by the client. Administrators can revert to the old behavior by setting SSL_USE_CLIENT_CIPHER_ORDER=1 in the server's notes.ini file.
- RC4-SHA is still a default cipher with TLS 1.0 and SSLv3 for backwards compatibility with very old systems or certain configurations, i.e. systems that were configured to support only RC4 in order to avoid the POODLE padding vulnerability in CBC mode ciphers. Since this is the last cipher on the list, it will be used only if the alternative is sending the data in the clear.
Administrators can use the SSLCipherSpec notes.ini variable to configure the ciphers they want instead of using the default ciphers. This notes.ini variable completely overrides the default cipher list, so to remove one of the default ciphers, add an SSLCipherSpec that includes all of the default ciphers except the one to be removed. The order of cipher values in that notes.ini parameter does not matter. To enter multiple ciphers, enter each two hex digit cipher specification value, including leading zeros. Do not include spaces between values, and do not include the parentheses shown in the cipher list. For example, to enable the PFS ciphers as well as the default ciphers for TLS 1.2, use:
Complete Ordered Cipher List
TLS 1.2
1. DHE_RSA_WITH_AES_256_GCM_SHA384 (9F)
2. DHE_RSA_WITH_AES_128_GCM_SHA256 (9E)
3. DHE_RSA_WITH_AES_256_CBC_SHA256 (6B)
4. DHE_RSA_WITH_AES_256_CBC_SHA (39)
5. DHE_RSA_WITH_AES_128_CBC_SHA256 (67)
6. DHE_RSA_WITH_AES_128_CBC_SHA (33)
7. RSA_WITH_AES_256_GCM_SHA384 (9D)
8. RSA_WITH_AES_128_GCM_SHA256 (9C)
9. RSA_WITH_AES_256_CBC_SHA256 (3D)
10. RSA_WITH_AES_256_CBC_SHA (35)
11. RSA_WITH_AES_128_CBC_SHA256 (3C)
12. RSA_WITH_AES_128_CBC_SHA (2F)
13. RSA_WITH_3DES_EDE_CBC_SHA (0A)
14. RSA_WITH_RC4_128_SHA (05)
TLS 1.0 / SSLv3
1. DHE_RSA_WITH_AES_256_CBC_SHA (39)
2. DHE_RSA_WITH_AES_128_CBC_SHA (33)
3. RSA_WITH_AES_256_CBC_SHA (35)
4. RSA_WITH_AES_128_CBC_SHA (2F)
5. RSA_WITH_3DES_EDE_CBC_SHA (0A)
6. RSA_WITH_RC4_128_SHA (05)
- All of the ciphers that provide Forward Secrecy (DHE_...) are prioritized over ciphers that do not per current OWASP recommendations.
- The AES128-GCM ciphers are preferred over the equivalent AES256-CBC ciphers per current OWASP recommendations.
- Weak ciphers are deliberately not shown on the lists above. The USE_WEAK_SSL_CIPHERS=1 notes.ini parameter must be used before any weak ciphers can be configured. We recommend against enabling any weak ciphers.
- RC4-MD5 and DES-CBC-SHA have been added to the list of weak ciphers.
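An added example (not IBM's code, and not the SSLCipherSpec value the article itself gives): a Python helper that assembles an SSLCipherSpec from the codes in the Complete Ordered Cipher List, validates a configured value, and shows which ciphers Domino would actually offer, in its own preference order, for TLS 1.2 versus TLS 1.0/SSLv3. The cipher table is copied from the list above; the function names are the example's own.

```python
import re

# Server preference order for TLS 1.2 as published on this page:
# (hex code, cipher name, provides forward secrecy, TLS 1.2 only)
ORDERED_CIPHERS = [
    ("9F", "DHE_RSA_WITH_AES_256_GCM_SHA384", True, True),
    ("9E", "DHE_RSA_WITH_AES_128_GCM_SHA256", True, True),
    ("6B", "DHE_RSA_WITH_AES_256_CBC_SHA256", True, True),
    ("39", "DHE_RSA_WITH_AES_256_CBC_SHA", True, False),
    ("67", "DHE_RSA_WITH_AES_128_CBC_SHA256", True, True),
    ("33", "DHE_RSA_WITH_AES_128_CBC_SHA", True, False),
    ("9D", "RSA_WITH_AES_256_GCM_SHA384", False, True),
    ("9C", "RSA_WITH_AES_128_GCM_SHA256", False, True),
    ("3D", "RSA_WITH_AES_256_CBC_SHA256", False, True),
    ("35", "RSA_WITH_AES_256_CBC_SHA", False, False),
    ("3C", "RSA_WITH_AES_128_CBC_SHA256", False, True),
    ("2F", "RSA_WITH_AES_128_CBC_SHA", False, False),
    ("0A", "RSA_WITH_3DES_EDE_CBC_SHA", False, False),
    ("05", "RSA_WITH_RC4_128_SHA", False, False),
]
BY_CODE = {code: name for code, name, _, _ in ORDERED_CIPHERS}
BY_NAME = {name: code for code, name, _, _ in ORDERED_CIPHERS}

def build_cipher_spec(names):
    """Join two-hex-digit codes with no spaces or parentheses, as notes.ini expects."""
    return "".join(BY_NAME[name] for name in names)

def parse_cipher_spec(spec):
    """Split a spec into codes; reject odd lengths, non-hex text and codes that are
    not on the published list (weak ciphers also require USE_WEAK_SSL_CIPHERS=1)."""
    if len(spec) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", spec):
        raise ValueError("SSLCipherSpec must be an even number of hex digits")
    codes = [spec[i:i + 2].upper() for i in range(0, len(spec), 2)]
    unknown = [c for c in codes if c not in BY_CODE]
    if unknown:
        raise ValueError("codes not on the published list: %s" % ", ".join(unknown))
    return codes

def effective_order(spec, tls12=True):
    """The order written in notes.ini is ignored: Domino offers the configured ciphers
    in its own preference order, and TLS 1.0/SSLv3 drop the TLS 1.2-only ones."""
    wanted = set(parse_cipher_spec(spec))
    return [name for code, name, _, only12 in ORDERED_CIPHERS
            if code in wanted and (tls12 or not only12)]

def without_forward_secrecy(spec):
    """Configured ciphers whose recorded traffic is exposed if the RSA key leaks later."""
    wanted = set(parse_cipher_spec(spec))
    return [name for code, name, pfs, _ in ORDERED_CIPHERS if code in wanted and not pfs]
```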
The DHE ciphers use Ephemeral Diffie-Hellman to provide Perfect Forward Secrecy (PFS), which protects against an attacker who records all of the network traffic flowing into a server and later acquires the server's private key: without PFS, that key would decrypt all of the recorded traffic. These ciphers significantly increase the security of your SSL/TLS traffic, at the cost of a potentially significant performance impact. We recommend load testing in your environment before configuring those ciphers on production systems.
- By default, these ciphers will use a DH key with a size equivalent to the RSA keysize, so a server running with a 2048 bit SSL certificate would use a 2048 bit DH group.
- The SSL_DH_KEYSIZE notes.ini parameter can be used to select a different DH group size; valid values for Domino 9.0.1 FP3 IF2 are 1024, 2048, and 3072.
- 4096 bit DH is not available in Domino 9.0.1 FP3 IF2 but is under consideration for inclusion in a future release. Running with a high DH key size can break compatibility with some old clients such as Java 1.6 that only support 1024 bit DH.
- The DEBUG_SSL_DHE notes.ini parameter can be used to print more detail to the server console to help track down incompatibilities, and many SSL/TLS errors are now being recorded in log.nsf.
- The 2048 and 3072 bit DH groups in this IF are taken from draft-ietf-tls-negotiated-ff-dhe-04. The 1024 bit DH group is taken from RFC 2412, "The OAKLEY Key Determination Protocol" section E.2.