Parameter: DISABLE_SSLV3
Short description: Disables the obsolete SSLv3 protocol for incoming Domino SSL/TLS connections; mandatory parameter to defend against POODLE.
Profile
Parameter | DISABLE_SSLV3 |
Component | Server (all SSL-capable tasks) |
Category | Security / TLS |
Available since | Domino 9.0.1 (with TLS 1.2 update; KB0078972) |
Default older versions | 0 (SSLv3 allowed) |
Default from 12.0.x | SSLv3 is no longer active anyway |
Values | 0 off, 1 on (= SSLv3 rejected) |
Description
SSLv3 (RFC 6101, 1996) was for years the fallback protocol for old browsers and SMTP implementations. Since the POODLE attack (Padding Oracle On Downgraded Legacy Encryption, CVE-2014-3566, 2014), SSLv3 is considered broken. Current compliance requirements (PCI DSS, BSI TR-02102, NIST SP 800-52 Rev. 2) explicitly prohibit SSLv3.
DISABLE_SSLV3=1 instructs the Domino SSL layer to reject incoming SSLv3 handshakes with "unsupported protocol". It takes effect only after a server restart. The parameter primarily affects incoming connections, i.e. all Domino Internet tasks (HTTP, SMTP, IMAP, POP3, LDAP) that act as a server.
In practice, DISABLE_SSLV3=1 should always be set together with SSL_DISABLE_TLS_10=1 to also exclude TLS 1.0 as an insecure predecessor protocol.
Examples
Minimal combination to enforce TLS 1.1+ (classic for Domino 9.0.1 FP3+):
DISABLE_SSLV3=1
SSL_DISABLE_TLS_10=1
Notes
- Server restart required – Does not take effect at runtime; Domino must be completely restarted.
- Incoming, not outgoing – The parameter controls the acceptance of incoming SSLv3 connections. Outgoing Domino connections (e.g. router → third-party SMTP server) negotiate the protocol with the remote peer.
- Complementary protection – Modern clients and Domino itself recognize TLS_FALLBACK_SCSV and prevent unintended downgrades to SSLv3.
- Verification – External tests (e.g. Qualys SSL Labs, openssl s_client -ssl3 -connect host:443) show whether SSLv3 is really blocked.
- Related parameters – SSL_DISABLE_TLS_10, USE_WEAK_SSL_CIPHERS, SSLCipherSpec (overrides the cipher list server-wide).
- Logging – A rejected SSLv3 connection appears in the Domino log as a TLS handshake error. With DEBUG_SSL_HANDSHAKE=2, details can be captured.
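For the Verification note above, an added example (not HCL code) for admins whose local openssl build lacks the -ssl3 option: it sends a raw SSLv3 ClientHello to your own server and reports whether the server answers with a ServerHello or rejects it. The function names are assumptions of this example, and it covers implicit-TLS ports only (for example 443, 636, 993, 995), not STARTTLS services.

```python
import os
import socket
import struct
import sys

SSL3 = b"\x03\x00"
# Legacy CBC/RC4 suites defined for SSLv3. TLS_FALLBACK_SCSV is left out on
# purpose: a server that offers SSLv3 next to a newer version would answer it
# with inappropriate_fallback, hiding the fact that SSLv3 is still enabled.
SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)

def build_sslv3_client_hello():
    """Return a raw SSLv3 ClientHello record (SSLv3 has no extensions)."""
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (SSL3 + os.urandom(32)                    # version, client random
            + b"\x00"                                # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                           # null compression only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Map the first bytes of the server's reply to a verdict."""
    if len(data) < 5:
        return "rejected"        # closed or reset without a TLS record
    if data[0] == 0x15:
        return "rejected"        # alert record, e.g. handshake_failure
    if data[0] == 0x16 and data[5:6] == b"\x02" and data[9:11] == SSL3:
        return "accepted"        # ServerHello that selected SSLv3
    return "inconclusive"

def probe(host, port=443, timeout=5.0):
    """Send the hello to an implicit-TLS port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            sock.sendall(build_sslv3_client_hello())
            data = sock.recv(4096)
        except ConnectionError:
            data = b""           # reset during handshake counts as rejected
    return classify_response(data)

if __name__ == "__main__":
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{target}:{port} SSLv3 {probe(target, port)}")
```

With DISABLE_SSLV3=1 active after a restart, the expected verdict is "rejected"; "accepted" means the server still completes the SSLv3 version negotiation.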
Sources (HCL Product Documentation)
- HCL Customer Support – KB0078972 "How to disable the TLS 1.0 protocol" (Applies to: Domino 9.0.1 FP3 IF2, 10.0.x, HCL Domino 11.0.x and higher): support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0078972
- HCL Domino 14.5.1 – NOTES.INI Settings (overview): help.hcl-software.com/domino/14.5.1/admin/conf_notesinisettings_c.html
- HCL Notes and Domino Wiki – "IBM Notes and Domino Interim Fixes to support TLS 1.2": ds-infolib.hcltechsw.com/ldd/dominowiki.nsf/dx/TLS_1.2