TLS Ciphers in Domino 14.0
Daniel Nashed – 17 January 2024 13:03:41
The secure cipher list changed from Domino 12.0.2 to Domino 14.0.
Meanwhile more ciphers had to move to the weak list.
In case you have applications which still need those old ciphers, you would need to enable those weak ciphers via notes.ini and server/internet site settings.
They are ignored by default without the ini setting to enable weak ciphers.
Sametime 12.0.2 finally switched to OpenSSL, does now support modern ciphers and is off the list needing depreciated ciphers :-)
But you should check which applications might need to be upgraded as well to use modern ciphers.
Below is the current list with the codes and names also with a reference for OpenSSL strings, helpful for NGINX and other applications using OpenSSL as the back-end.
Domino 12.0+ supports RSA and ECDSA keys. For ECDSA the cipher list set to two ciphers and there is no configuration needed for a ECDSA key.
-- Daniel
RSA Ciphers
./nshciphers -map C030:C02F:009F:009E
------------------------------------------
C030, TLSv1.2, ECDHE-RSA-AES256-GCM-SHA384 , TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
C02F, TLSv1.2, ECDHE-RSA-AES128-GCM-SHA256 , TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
009F, TLSv1.2, DHE-RSA-AES256-GCM-SHA384 , TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
009E, TLSv1.2, DHE-RSA-AES128-GCM-SHA256 , TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
------------------------------------------
Total: 4
OpenSSL Cipher String
------------------------------------------
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
ECDSA Ciphers
./nshciphers -map C02C:C02B
------------------------------------------
C02C, TLSv1.2, ECDHE-ECDSA-AES256-GCM-SHA384 , TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
C02B, TLSv1.2, ECDHE-ECDSA-AES128-GCM-SHA256 , TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
------------------------------------------
Total: 2
OpenSSL Cipher String
------------------------------------------
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256
- Comments [0]