Modifying TLS cipher restrictions

TLS uses public, private, and negotiated session keys. Every set of TLS credentials has one pair of keys -- a public key and private key -- and an X.509 certificate that enable certificate owners to identify themselves over the network and to use S/MIME to encrypt and sign messages. Certificates contain only the public half of the key pair. The private key is kept in the ID file for the Notes® client, and is kept in the key ring file or cerstore.nsf database in the case of the TLS server. Starting with Domino 12, Domino supports both RSA and ECDSA keys. For more information, see ECDSA cryptography support for ACME accounts and for host keys.

About this task

The session key is negotiated during the handshake -- the main purposes of the handshake are to generate the session key and to identify the server to the client and, optionally, the client to the server. The size of the session key is determined by the cipher being used. For example, the cipher ECDHE_RSA_WITH_AES_256_GCM_SHA384 uses a 256-bit session key and an RSA server key pair. The cipher ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uses a 128-bit session key and an ECDSA server key pair. The ciphers that begin with ECDHE provide forward secrecy using elliptic curve technology as described in Two new curves supported for TLS 1.2 ciphers that use ECDHE for forward secrecy.

You can restrict which TLS ciphers are used for Internet protocols. If no configuration parameters are set, the default set of TLS ciphers is used for that Domino server. The default TLS ciphers are updated from release to release based on current security best practices, so we recommend that most administrators use the default ciphers.

There are two ways to configure TLS ciphers, depending on how you choose to configure Internet protocols on your Domino® server:

  • In an Internet Site document. If you use Internet Site documents, you can specify a different set of TLS cipher restrictions for each protocol.
  • Through the Server document.

For more information on changing TLS cipher restrictions in Internet Site documents, see Setting up security for Internet Site documents in the related links.

To modify TLS cipher restrictions in the Server document


  1. From the Domino® Administrator, click Configuration and open the Server document in the Domino® Directory.
  2. Click Ports > Internet Ports > Web.
  3. In the TLS Ciphers field, click Modify. This displays a list of available TLS cipher specifications.
  4. Select the cipher specification(s), then click OK.
  5. Save and close the document.