Lotus Domino Administrator 8.5 Help - Modifying SSL cipher restrictions

SECURITY

Modifying SSL cipher restrictions
SSL uses public, private, and negotiated session keys. Every SSL certificate has one pair of keys -- a public key and private key -- that are created when the SSL certificate is generated, and enable certificate owners to identify themselves over the network and to use S/MIME to encrypt and sign messages. Certificates contain only the public key. The private key is kept in the ID file for the IBM® Lotus® Notes® client, and is kept in the key ring in the case of the SSL server.

The session key is negotiated during the handshake -- the main purposes of the handshake are to generate the session key and to identify the server to the client and, optionally, the client to the server. The size of the session key is determined by the cipher being used. For example, the cipher RSA_WITH_RC4_128_MD5 uses a 128-bit session key. The cipher RSA_EXPORT_WITH_DES40_CBC_SHA uses a 40-bit session key.

What ciphers are available are also limited by the size of the server's public key. The RSA_EXPORT_ ciphers can only be used with 512-bit RSA keys and smaller. The RSA_EXPORT1024_ ciphers can only be used with 1024-bit RSA keys and smaller. Ciphers that do not contain the EXPORT designation do not have any RSA key size restrictions.

You can restrict the use of SSL ciphers for Internet protocols. You can specify the use of a 128-bit cipher only for the HTTP service, for example, to require users to access a server using a domestic browser version. If no configuration parameters are set, then there is no restriction on the SSL ciphers used for that protocol.

There are three ways to configure SSL ciphers, depending on how you choose to configure Internet protocols on your IBM® Lotus® Domino® server:

In an Internet Site document. If you use Internet Site documents, you can specify a different set of SSL cipher restrictions for each protocol.
Through the Server document. However, if you use the Server document you can restrict SSL ciphers for HTTP only. You must use the NOTES.INI variable SSLCipherSpec to restrict ciphers for protocols other than HTTP.
Through the NOTES.INI variable SSLCipherSpec. All SSL cipher settings configured in either Site documents or in the Server document will be superseded by the INI variable.

For more information on changing SSL cipher restrictions in Internet Site documents, see "Setting up security for Internet Site documents."

To modify SSL cipher restrictions in the Server document

1. From the Domino Administrator, click Configuration and open the Server document in the Domino Directory.

2. Click Ports - Internet Ports - Web.

3. In the SSL Ciphers field, click Modify. This displays a list of available SSL cipher specifications.

4. Select the cipher specification(s), then click OK.

5. Save and close the document.

To modify SSL cipher restrictions using the NOTES.INI file

Use the NOTES.INI setting SSLCipherSpec to specify SSL restrictions for all protocols. Ciphers are specified by a 2-digit code. You can add as many ciphers as you need.

For example, to enable 3DES and RC4128SHA ciphers, enter the following line in the NOTES.INI file:

SSLCipherSpec=050A

where 05 = 3DES and 0A = RC4128SHA.

Caution Using SSLCipherSpec overrides all SSL cipher restrictions in Internet Site documents and in the Server document.

Setting up a Person document for an Internet user using SSL client authentication

Creating a Directory Assistance document for a Domino Directory or Extended Directory Catalog

Creating a Directory Assistance document for a remote LDAP directory

Setting up security for Internet site documents

NOTES.INI Settings

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary