Parameter: SSL_EC_CURVES
Short description: Defines the elliptic curves (EC key-exchange groups) accepted by the OpenSSL-based TLS stack and their order.
Profile
Parameter | SSL_EC_CURVES |
Category | Security / TLS |
Component | Server |
Available since | 14.0 |
Supported versions | 14.0, 14.5, 14.5.1 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | Colon-separated curves, e.g. X25519:secp384r1:secp256r1 |
Description
Domino 14 uses an OpenSSL-based TLS stack. For ECDHE key exchange, elliptic curves are negotiated; with SSL_EC_CURVES the administrator restricts the allowed curves and defines their preference order. The default value covers the common modern curves (X25519, secp384r1, secp256r1). Explicit configuration is useful when compliance rules (e.g. BSI TR-02102, NIST SP 800-186) require or exclude specific curves.
Example configuration
SSL_EC_CURVES=X25519:secp384r1:secp256r1
Notes & pitfalls
- A misspelled curve name (typo) disables ECDHE entirely → severe performance / security drop.
- Takes effect after restarting the TLS tasks.
- Check compatibility with old clients when removing curves.
- Validate with nmap --script ssl-enum-ciphers -p 443 host or testssl.sh.
- Complementary to TLSCipherList, SSL_DISABLE_TLS_*.
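Because a single typo in the curve list disables ECDHE, the value is worth linting before the TLS tasks are restarted. The following is an added example, not HCL or Domino code: the function names and the sample notes.ini fragment are constructed, and the allow-list contains only the three curve names mentioned on this page (an assumption to extend for your release).

```python
import difflib

# Assumption: allow-list holds only the curve names this page mentions;
# extend it with any further names your Domino release documents.
KNOWN_CURVES = ("X25519", "secp384r1", "secp256r1")
KEY = "SSL_EC_CURVES"

def find_values(ini_text):
    """Return the value of every SSL_EC_CURVES= line found in notes.ini text."""
    values = []
    for line in ini_text.splitlines():
        name, sep, rest = line.partition("=")
        if sep and name.strip().upper() == KEY:
            values.append(rest)
    return values

def lint_curves(value):
    """Return a list of human-readable problems in one colon-separated value."""
    if not value.strip():
        return ["value is empty"]
    problems, seen = [], set()
    for pos, raw in enumerate(value.split(":"), start=1):
        name = raw.strip()
        if not name:
            problems.append(f"entry {pos}: empty (stray colon)")
            continue
        if raw != name:
            problems.append(f"entry {pos}: whitespace around {name!r}")
        if name not in KNOWN_CURVES:
            close = difflib.get_close_matches(name, KNOWN_CURVES, n=1, cutoff=0.6)
            hint = f", did you mean {close[0]!r}?" if close else ""
            problems.append(f"entry {pos}: unknown curve {name!r}{hint}")
        elif name in seen:
            problems.append(f"entry {pos}: duplicate {name!r}")
        seen.add(name)
    return problems

def lint_ini(ini_text):
    """Lint every SSL_EC_CURVES line; also flag a key that is set twice."""
    values = find_values(ini_text)
    problems = [p for v in values for p in lint_curves(v)]
    if len(values) > 1:
        problems.append(f"{KEY} is set {len(values)} times")
    return problems

# Constructed sample: a notes.ini fragment with a typo in the second curve.
SAMPLE_INI = "[Notes]\nSSL_EC_CURVES=X25519:secp384r:secp256r1\n"

if __name__ == "__main__":
    print("\n".join(lint_ini(SAMPLE_INI)))
```

An empty result means the list passed the lint only; confirm the negotiated curves on the live listener with the nmap or testssl.sh check noted above.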