Modifying SSL cipher restrictions

SSL uses public, private, and negotiated session keys. Every SSL certificate has one pair of keys -- a public key and private key -- that are created when the SSL certificate is generated, and enable certificate owners to identify themselves over the network and to use S/MIME to encrypt and sign messages. Certificates contain only the public key. The private key is kept in the ID file for the Notes® client, and is kept in the key ring in the case of the SSL server.

About this task

The session key is negotiated during the handshake -- the main purposes of the handshake are to generate the session key and to identify the server to the client and, optionally, the client to the server. The size of the session key is determined by the cipher being used. For example, the cipher ECDHE_RSA_WITH_AES_256_GCM_SHA384 uses a 256 bit session key. The cipher RSA_WITH_AES_128_GCM_SHA256 uses a 128 bit session key.

There are two ways to configure SSL ciphers, depending on how you choose to configure Internet protocols on your Domino® server:

  • In an Internet Site document. If you use Internet Site documents, you can specify a different set of SSL cipher restrictions for each protocol.
  • Through the Server document.

For more information on changing SSL cipher restrictions in Internet Site documents, see Setting up security for Internet Site documents in the related links.

To modify SSL cipher restrictions in the Server document


  1. From the Domino® Administrator, click Configuration and open the Server document in the Domino® Directory.
  2. Click Ports > Internet Ports > Web.
  3. In the SSL Ciphers field, click Modify. This displays a list of available SSL cipher specifications.
  4. Select the cipher specification(s), then click OK.
  5. Save and close the document.