Mike Woolsey commented on Oct 5, 2015

Related off-center question

I've noticed a lot of technotes & postings about TLS 1.2 being supported in Domino 9.0.1, but I'm more interested in Web Service clients being run on the Domino server.

How about Web Service clients run on the server, particularly ? If I have a Java agent that requests "TLSv1.2" initializing a Web Service client on the server, will the Domino server deliver that protocol?

Dave Kern commented on Sep 25, 2015

Re: TLS Cipher Configuration

ssllabs.com deems a number of browsers to be "reference" browsers, and will not give full credit for PFS unless all of the reference browsers would use PFS ciphers by default. Unfortunately, their "reference" browser list includes a number of old versions of IE that do not support the DHE ciphers. Upgrading from 9.0.1 FP4 to 9.0.1 FP4 IF2 (and removing your SSLCipherSpec ini) will add ECDHE ciphers that are supported by those old "reference" versions of IE and boost your score.

Another way to improve the security of your server and (incidentally) boost your score at ssllabs.com is to disable plaintext http and configure HSTS with a duration of at least 6 months. Check out the wiki article for [[HSTS]] for more information.

Michelangelo Gambacorta commented on Sep 21, 2015

Re: TLS Cipher Configuration

I am using


on a Domino 9.0.1 FP4 .

I test it using https://www.ssllabs.com/ssltest/

and I get grade A- because it seems web server is not supporting Forward Secrecy ....

what am I missing ?