Parameter:
SSL_DISABLE_TLS_11Short description: Disables TLS 1.1 for all server protocols (HTTP, SMTP, IMAP, POP3, LDAP) – mandatory for modern, hardened servers.
Profile
Parameter | SSL_DISABLE_TLS_11 |
Category | Security / TLS |
Component | Server |
Available since | 9.0.1 FP8 |
Supported versions | 9.0.1, 10.0, 11.0, 12.0, 14.0, 14.5 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | 0 = TLS 1.1 allowed, 1 = TLS 1.1 disabled (recommended) |
Description
SSL_DISABLE_TLS_11=1 switches off TLS protocol version 1.1 across all SSL-capable Domino tasks (HTTP, SMTP, IMAP, POP3, LDAP). TLS 1.1 has been deprecated by all major browsers since 2020 and is no longer accepted by PCI-DSS, BSI, NIST, etc.In practice,
SSL_DISABLE_TLS_11=1 together with SSL_DISABLE_TLS_10=1 is part of the standard hardening for every Domino server. TLS 1.2 and 1.3 remain active.Example configuration
SSL_DISABLE_TLS_10=1 SSL_DISABLE_TLS_11=1
Notes & pitfalls
- Applies across protocols (HTTP, SMTP, IMAP, POP3, LDAP) – no separate switches per task needed.
- Very old clients (e.g. Notes < 9.0.1 FP8) may lose TLS capability.
- Recommended for all internet-exposed Domino servers.
- TLS 1.3 is fully supported only from Domino 12.0.2 onwards; before that, TLS 1.2 dominates.
- The change only takes effect after restarting the respective tasks.