Parameter: TLS_ALLOW_RENEGOTIATION
Short description: Allows or denies TLS renegotiation on the Domino TLS stack (disabled by default).
Profile
| Parameter | TLS_ALLOW_RENEGOTIATION |
| Category | Security / TLS |
| Component | Server |
| Available since | 10.0 |
| Supported versions | 10.0, 11.0, 12.0, 14.0, 14.5, 14.5.1 |
| GUI equivalent | notes.ini only (no GUI) |
| Possible values | 0 = deny renegotiation (default), 1 = allow secure renegotiation only |
Description
TLS renegotiation can be initiated by either the client or the server to negotiate new keys within an existing connection (e.g. for deferred client-certificate authentication). Because of the historical renegotiation vulnerability (CVE-2009-3555), Domino keeps renegotiation completely off by default.
With TLS_ALLOW_RENEGOTIATION=1, only secure renegotiation as protected by RFC 5746 is enabled. In practice it is needed only when legacy clients or tools require it.
Example configuration
TLS_ALLOW_RENEGOTIATION=0
Notes & pitfalls
- Factory recommendation: leave at 0.
- Enable only when there is a clear requirement and after reviewing the client side.
- Audit / PCI tools do not necessarily flag TLS_ALLOW_RENEGOTIATION=1 as a finding as long as RFC 5746 (secure renegotiation) is honoured.
- Applies to all TLS listeners (HTTPS, LDAPS, IMAPS, SMTPS).
- The change takes effect after restarting the TLS-using tasks.
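To verify what a listener actually does after the restart, the following added probe (not HCL tooling, and not part of this page) asks the server for a renegotiation with `openssl s_client` and classifies the answer. It assumes the s_client output markers named in the comments, a placeholder host name, and that the listener still offers TLS 1.2, since TLS 1.3 has no renegotiation at all.

```shell
#!/bin/sh
# Added probe (not HCL tooling): asks a Domino TLS listener for a
# renegotiation and classifies the answer from `openssl s_client` output.
# TLS 1.2 is forced because TLS 1.3 has no renegotiation at all, and
# s_client only honours the interactive 'R' (renegotiate) command there.
#
# Assumed s_client output markers: "Secure Renegotiation IS supported" /
# "IS NOT supported" (RFC 5746 extension present or absent), "RENEGOTIATING"
# (printed when 'R' is typed), and with -state the server's alert lines
# ("SSL3 alert read:warning:no renegotiation", "...fatal:handshake failure").

# classify_reneg: s_client transcript on stdin -> one of
#   reneg-allowed   RFC 5746 present and the renegotiation went through (=1)
#   reneg-refused   RFC 5746 present but the server rejected the attempt (=0)
#   no-rfc5746      server does not offer the secure renegotiation extension
#   unknown         no handshake seen or no renegotiation attempted
classify_reneg() {
  awk '
    /Secure Renegotiation IS supported/     { seen = 1; secure = 1 }
    /Secure Renegotiation IS NOT supported/ { seen = 1; secure = 0 }
    /^RENEGOTIATING/                        { reneg = 1; next }
    # Only alerts sent BY the server count; the client writes its own
    # close_notify when stdin ends, which is not a refusal.
    reneg && /alert read/ && !/close notify/ { refused = 1 }
    reneg && /:error:/                       { refused = 1 }
    END {
      if (!seen)   { print "unknown";    exit }
      if (!secure) { print "no-rfc5746"; exit }
      if (!reneg)  { print "unknown";    exit }
      print (refused ? "reneg-refused" : "reneg-allowed")
    }'
}

# probe_listener HOST:PORT  -- live check; needs network access and openssl.
# The delayed 'R' gives the handshake time to finish before renegotiating.
probe_listener() {
  hp=$1
  { sleep 2; printf 'R\n'; sleep 2; } |
    openssl s_client -connect "$hp" -servername "${hp%%:*}" -tls1_2 -state 2>&1 |
    classify_reneg
}

# Usage (placeholder host): probe_listener domino.example.test:443
```

With the default of 0 the expected result on every TLS listener (HTTPS, LDAPS, IMAPS, SMTPS) is `reneg-refused`; `reneg-allowed` on a listener that should be at 0 means the task was not restarted or the notes.ini change did not apply.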