SSL cipher details

This topic provides more information about the use of ciphers.

Domino 14 has updated the default TLS ciphers to include only ciphers with PFS, AEAD, and SHA-2 according to current security best practices. That leaves six default ciphers, which are now also the only ciphers that can be used without setting USE_WEAK_SSL_CIPHERS=1:

Note the following:

  • Ciphers that provide Forward Secrecy are prioritized over ciphers that do not per current OWASP recommendations.
  • ECDHE ciphers are prioritized over the equivalent DHE ciphers to improve performance.
  • AES128-GCM ciphers are preferred over the equivalent AES256-CBC ciphers per current OWASP recommendations.
  • We recommend against enabling any of the weaker ciphers. If you do nevertheless, you must also enable the USE_WEAK_SSL_CIPHERS=1 notes.ini parameter.
  • We strongly recommend against using RC4 ciphers in order to protect against the "RC4 Bar Mitzvah" attack. Even if RC4-SHA (0005) is enabled, Domino will only negotiate that cipher if all of the higher-priority ciphers are not supported by the connecting client.

Forward secrecy

The DHE and ECDHE ciphers use Finite Field and Elliptic Curve Ephemeral Diffie-Hellman to provide Perfect Forward Secrecy (PFS). PFS protects against an attacker who passively records all of the network traffic flowing into a server, later acquires the server's private key, and then decrypts all of that recorded traffic. These ciphers significantly increase the security of your SSL/TLS traffic, at the cost of a potentially significant performance impact.

ECDHE Curves

X25519, NIST P-256, X448, NIST P-384, and NIST P-521 are supported. The fastest (smallest) mutually supported curve will be chosen by the Domino server as per standard practice. Individual curves can be disabled via SSL_DISABLE_CURVE_X25519, SSL_DISABLE_CURVE_P256=1, SSL_DISABLE_CURVE_X448, SSL_DISABLE_CURVE_P384=1, and SSL_DISABLE_CURVE_P521=1. X25519 and X448 are automatically disabled on AIX and OS400. We recommend disabling all ECDHE ciphers if all curves are disabled to improve performance.

DHE Groups

The minimum size for well-known DH groups was increased to 2048 bits as of Domino 9.0.1 FP4 IF2 to better protect against the Logjam attack, except for DHE_RSA_WITH_AES_128_CBC_SHA, which will always use a 1024-bit group for compatibility with Java 6. That cipher is among the list of weak ciphers.

Custom DH groups are supported via the SSL_DH_PARAMS notes.ini setting. Setting it to a PEM-encoded DH Parameters file will cause Domino to use that custom group instead of a standard group. 1024-bit custom groups are allowed, but we recommend regenerating 1024-bit custom groups on a regular basis.
Sample 1024 bit DH parameters: