SSLCipherSpec

Parameter: SSLCipherSpec
Short description: Defines the TLS/SSL cipher suites supported by Domino (overrides the default list).

Profile

Parameter: SSLCipherSpec
Category: Security / TLS
Component: Server
Available since: 9.0.1
Supported versions: 9.0.1, 10.0, 11.0, 12.0, 14.0, 14.5
GUI equivalent: notes.ini only (no GUI)
Possible values: Hex string of 4-digit cipher IDs, e.g. C030C02FC028C027009F009E

Description

SSLCipherSpec replaces Domino's negotiated default list of TLS/SSL cipher suites with a fixed, custom-defined order. Each cipher suite is appended as a 4-digit hex ID – the order also determines the priority during negotiation with the client.
The parameter is typically used to disable older / insecure ciphers (RC4, 3DES, AES-CBC without ECDHE) or to allow only PFS-capable AEAD ciphers.

Example configuration

# PFS-only cipher suites for TLS 1.2: ECDHE/DHE with AES-GCM, plus ECDHE with AES-CBC (C028, C027)
SSLCipherSpec=C030C02FC028C027009F009E

Notes & pitfalls

  • With an incorrect or empty value, Domino offers no ciphers and TLS connections break.
  • Cipher IDs must be exactly 4 hex characters per suite (e.g. C030, not 0xC030).
  • Does not apply to TLS 1.3; that is controlled via SSL_DISABLE_TLS_13 / cipher defaults.
  • Complements switches like SSL_DISABLE_TLS_10, SSL_DISABLE_TLS_11, DisableSSLv3.
  • Take the current recommendations from the HCL KB (review yearly!).
  • The change only takes effect after restarting the HTTP / SMTP / IMAP task.
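
The format rules above (4 hex characters per suite, no 0x prefix, never empty) can be checked before a value goes into notes.ini. The following Python is an added example, not HCL or Domino code: the function names parse_cipher_spec and audit are hypothetical, and the name table is a small subset of the IANA TLS cipher suite registry that makes no claim about which suites a given Domino release supports.

```python
import re

# IANA TLS cipher suite names for a few common IDs (subset; extend as needed).
IANA = {
    "C030": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "C02F": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "C028": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "C027": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "009F": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "009E": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "009D": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "0035": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "000A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "0005": "TLS_RSA_WITH_RC4_128_SHA",
}

def parse_cipher_spec(value):
    """Split an SSLCipherSpec value into 4-hex-digit IDs, in priority order."""
    value = value.strip()
    if not value:
        raise ValueError("empty value: no cipher suites would be offered")
    if not re.fullmatch(r"[0-9A-Fa-f]+", value):
        raise ValueError("only hex digits allowed (no 0x prefix, spaces or commas)")
    if len(value) % 4:
        raise ValueError("length must be a multiple of 4 hex characters")
    return [value[i:i + 4].upper() for i in range(0, len(value), 4)]

def audit(value):
    """Return (id, name, findings) per suite; findings lists weak properties."""
    report = []
    for cid in parse_cipher_spec(value):
        name = IANA.get(cid, "UNKNOWN")
        findings = []
        if name == "UNKNOWN":
            findings.append("not in local table")
        else:
            if "_DHE_" not in name and "_ECDHE_" not in name:
                findings.append("no forward secrecy")
            if "_GCM_" not in name:
                findings.append("not AEAD")
            if "RC4" in name or "3DES" in name:
                findings.append("legacy cipher")
        report.append((cid, name, findings))
    return report

if __name__ == "__main__":
    # The value from the example configuration on this page.
    for cid, name, findings in audit("C030C02FC028C027009F009E"):
        print(cid, name, "; ".join(findings) or "ok")
```

Run against the example value, the audit passes the four GCM suites and marks C028 and C027 as "not AEAD", since they are ECDHE suites using AES-CBC.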