Parameter:
TLSCipherListShort description: User-defined list of allowed TLS cipher suites – overrides the defaults from the Server document / Internet Site.
Profile
Parameter | TLSCipherList |
Category | Security / TLS |
Component | Server |
Available since | 12.0 |
Supported versions | 12.0, 14.0, 14.5, 14.5.1 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | Comma-separated hex values, e.g. C030,C02F,C028,C027 |
Description
TLSCipherList globally defines which cipher suites Domino is allowed to offer for TLS connections. The order determines the preference – entries with AEAD algorithms (AES-GCM, ChaCha20-Poly1305) should come first.Important for audits / pen tests that require an A+ rating on SSL Labs, as well as for meeting internal compliance requirements.
Example configuration
TLSCipherList=C030,C02F,C028,C027,009F,009E
Notes & pitfalls
- Values are the two-byte hex IDs from the IANA TLS Cipher Suite Registry.
- TLS 1.3 suites are managed separately and cannot be disabled via this list.
- Before setting, verify that at least one suite is compatible with the existing server certificates (RSA vs. ECDSA).
- Internet Site configurations may carry different lists per site – the Site document takes precedence there.
- The change takes effect after restarting the TLS-using tasks.