I've been doing some searching on specifying acceptable cipher selection
for Domino 9
At first it was recommended to change this in the Domino Server Document.
Ports, Internet Ports, SSL settings, SSL ciphers
Then it was noted that if you are using internet sites documents that
website documents will override the Domino Server Document: Web Site,
Security, SSL Security, SSL ciphers
Then it was noted that both of these are pretty obsolete and really only
offer low cipher selections. Apparently starting with some hot fix I now
need to store my selection in my notes.ini as per this document:
https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration
Is the above document the latest?
Is my interpretation of it correct?
I am trying to combat audit dings like the following:
TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)
TLS/SSL Server is enabling the BEAST attack (ssl-cve-2011-3389-beast)
TLS/SSL Server is enabling the POODLE attack (sslv3-cve-2014-3566-poodle)
TLS/SSL Server Supports SSLv3 (sslv3-supported)
TLS Server Supports TLS version 1.0 (tlsv1_0-enabled)
TLS/SSL Server Supports The Use of Static Key Ciphers
(ssl-static-key-ciphers)
TLS/SSL Server Supports 3DES Cipher Suite (ssl-3des-ciphers)
TLS/SSL Server Does Not Support Any Strong Cipher Algorithms
(ssl-only-weak-ciphers)
Apparently these ciphers are unacceptable:
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
It even complained about these:
TLS 1.2 ciphers:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
Vulnerability Solution:
Enable support for at least one of the ciphers listed below:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Rob Berendt
As an Amazon Associate we earn from qualifying purchases.