
SSL_Disable_Renegotiate

Parameter: SSL_Disable_Renegotiate
Short description: Disables TLS/SSL renegotiation on the Domino server (protection against CVE-2009-3555).

Profile

Parameter: SSL_Disable_Renegotiate
Category: Security / TLS
Component: Server
Available since: 8.5
Supported versions: 9.0.1, 10.0, 11.0, 12.0, 14.0, 14.5, 14.5.1
GUI equivalent: notes.ini only (no GUI)
Possible values: 0 = renegotiation allowed (default); 1 = renegotiation disabled (recommended)

Description

During an active TLS/SSL connection the client can ask the server to renegotiate the session parameters. CVE-2009-3555 showed that this client-initiated renegotiation can be used as an attack vector for man-in-the-middle attacks. With SSL_Disable_Renegotiate=1, Domino rejects such renegotiation requests on the server side. This is the recommended setting for every internet task that terminates TLS (HTTP, IMAP, POP3, SMTP, LDAP). The setting takes effect only after the respective task has been restarted (e.g. restart task http on the server console).

Example configuration

SSL_Disable_Renegotiate=1

Notes & pitfalls

  • The default is 0 for compatibility reasons; set the parameter explicitly to 1 in production environments.
  • Only takes effect after restarting the TLS-using task.
  • Complements SSL_Renegotiate_Allowed; on conflict, SSL_Disable_Renegotiate wins.
  • Source: HCL KB0036502.
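To make the description and the pitfalls above checkable before a change window, here is a small offline audit of a notes.ini file. It is an added example, not HCL code or anything from KB0036502. It assumes notes.ini is a flat KEY=VALUE file with case-insensitive keys where the last occurrence of a key wins, implements the precedence rule from the notes (an explicit SSL_Disable_Renegotiate overrides SSL_Renegotiate_Allowed) and otherwise reports the documented default of 0. The sample notes.ini contents are constructed for the example.

```python
"""Offline audit of a Domino notes.ini for SSL_Disable_Renegotiate.

Added example, not HCL code. Assumptions: notes.ini is a flat KEY=VALUE
file, keys are case-insensitive, and a repeated key keeps its last value.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

FIX = "SSL_Disable_Renegotiate=1"   # the recommended production setting


def parse_notes_ini(text: str) -> Dict[str, str]:
    """Return an upper-cased key -> value dict; lines without '=' are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()   # last occurrence wins (assumption)
    return settings


@dataclass
class RenegotiationFinding:
    renegotiation_disabled: Optional[bool]  # effective state; None = not determinable from this parameter
    explicit: bool                          # True if SSL_Disable_Renegotiate is present at all
    detail: str                             # human-readable reason
    recommendation: str                     # line to add to notes.ini, '' if nothing to do


def audit_renegotiation(settings: Dict[str, str]) -> RenegotiationFinding:
    disable = settings.get("SSL_DISABLE_RENEGOTIATE")
    legacy = settings.get("SSL_RENEGOTIATE_ALLOWED")

    if disable is not None:
        # Explicit SSL_Disable_Renegotiate wins over SSL_Renegotiate_Allowed (per the notes).
        if disable == "1":
            return RenegotiationFinding(True, True, "SSL_Disable_Renegotiate=1 is set", "")
        if disable == "0":
            return RenegotiationFinding(False, True,
                                        "SSL_Disable_Renegotiate=0 explicitly allows renegotiation", FIX)
        return RenegotiationFinding(False, True,
                                    f"unrecognised value {disable!r}; treat as default 0", FIX)

    if legacy is not None:
        # Only the older parameter is present; its value is not interpreted here,
        # the page simply recommends setting SSL_Disable_Renegotiate=1 explicitly.
        return RenegotiationFinding(None, False,
                                    f"SSL_Renegotiate_Allowed={legacy} present but "
                                    "SSL_Disable_Renegotiate not set", FIX)

    return RenegotiationFinding(False, False,
                                "neither parameter set; default 0 = renegotiation allowed", FIX)


def audit_text(text: str) -> RenegotiationFinding:
    """Convenience wrapper: audit raw notes.ini text."""
    return audit_renegotiation(parse_notes_ini(text))


def harden(text: str) -> str:
    """Return notes.ini text with SSL_Disable_Renegotiate forced to 1 (in place or appended)."""
    out: List[str] = []
    replaced = False
    for raw in text.splitlines():
        if raw.partition("=")[0].strip().upper() == "SSL_DISABLE_RENEGOTIATE":
            out.append(FIX)
            replaced = True
        else:
            out.append(raw)
    if not replaced:
        out.append(FIX)
    return "\n".join(out) + "\n"


# Constructed sample notes.ini contents (not from any real server).
WEAK_INI = "ServerTasks=Update,Replica,Router,HTTP\nHTTPPort=80\n"   # relies on the default 0
HARDENED_INI = WEAK_INI + FIX + "\n"

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        finding = audit_text(ini)
        print(f"{label}: disabled={finding.renegotiation_disabled} ({finding.detail})")
        if finding.recommendation:
            print(f"  add to notes.ini: {finding.recommendation}, then restart the TLS task")
```

Run it against a copy of the server's notes.ini and restart the affected task (restart task http, for example) after applying the recommended line; the audit deliberately reports None rather than guessing when only SSL_Renegotiate_Allowed is present, so that the explicit setting the page recommends gets added.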