In the middle of December I renewed the SSL certificate of one of my Domino servers (mobil.madicon.de) and subsequently started the obligatory SSL server test of Qualys SSL Labs.
Indication of impending downgrade due to TLS 1.0
The rating of "A+" was OK, but the reference (marked with the red arrow in the screenshot) to the downgrade to "Grade B" from January 2020 was reported. Cause: my Domino server still supported TLS 1.0!
This was also confirmed by a look at the "Protocols" section of the results:
Additionally you can see that several of the used ciphers are classified as "weak".
Disabling the TLS 1.0 protocol
There is a parameter for this in the NOTES.INI file of the Domino Server:
SSL_DISABLE_TLS_10=1
This parameter can be activated by the Domino Server configuration document (or in the NOTES.INI file directly):
A further analysis using the SSL server test confirms the deactivation of the TLS 1.0 protocol.
Customizing Cipher
Since Domino version 10 the actively used ciphers can be adjusted in the server document (tab: 'Ports...' -> 'Internet Ports...').
The use of the NOTES.INI parameter "SSLCipherSpec" (from Domino version 9.0.1 FP5, more information here) is no longer necessary.
The result after switching off all ciphers classified as "weak" by SSL server tests:
Hints
- If you have only these 4 ciphers (as shown in the screenshot above) activated, older applications or devices may not work anymore - this should be checked.
I only use Traveler (with HCL Verse on the iPhone) and Verse on Premises in current browsers - it all works fine.
- If you have only activated these 4 ciphers (as shown in the screenshot above), the NOTES.INI parameter "SSL_DISABLE_TLS_10=1" is no longer required to disable the TLS 1.0 protocol.
One more thing...
Maybe you noticed the green (= good web server settings) message in the first screenshot?
HTTP Strict Transport Security (HSTS) with long duration deployed on this server
This makes the Domino Server even more secure as a web server:
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against protocol downgrade attacks[1] and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should interact with it using only HTTPS connections, which provide Transport Layer Security (TLS/SSL), unlike the insecure HTTP protocol used alone. HSTS is an IETF standards track protocol and is specified in RFC 6797.
Source: HTTP Strict Transport Security
This setting can be specified for the Domino Server by this parameter in the NOTES.INI file:
HTTP_HSTS_MAX_AGE=31536000
Kommentar schreiben
Anna Obrusnik (Freitag, 16 April 2021 14:08)
Hello,
I set the settings as you mentioned, but in our case the iPhone is not able to sync.
Manfred Dillmann (Freitag, 16 April 2021 15:02)
Hi Anna,
did that work before you changed anything?
You could activate more ciphers first and try if it is OK then. Then you remove step by step (starting from the bottom - that are the less secure ciphers) single ciphers and you will find out when it doesn't work anymore.
In general, many other factors play a role: which iOS version is in use? Are you using HCL Verse on the iPhone or the native Mail app from Apple?
I wish you success in solving the problem!