Parameter: SSL_DISABLE_TLS_10
Short description: Disables TLS protocol version 1.0 for all SSL-capable Domino tasks (HTTP, SMTP, IMAP, POP3, LDAP). Mandatory parameter for the compliance-driven disablement of TLS 1.0.
Profile
Parameter | SSL_DISABLE_TLS_10 |
Component | Server (all SSL-capable tasks) |
Category | Security / TLS |
Available since | Domino 9.0.1 FP3 IF2 (per KB0078972) |
Default 9.0.1–11.0.x | 0 (TLS 1.0 allowed) |
Default from 12.0.x | TLS 1.0 is disabled by default (re-enable with SSL_ENABLE_TLS_10=1) |
Values | 0 off, 1 on (= TLS 1.0 disabled) |
Description
TLS 1.0 dates from 1999 and has been considered insecure for years (BEAST, weak cipher selection, missing modern AEAD modes). Current compliance requirements (PCI DSS ≥ 3.2, BSI TR-02102, NIST SP 800-52 Rev. 2) prohibit TLS 1.0 in production environments.
SSL_DISABLE_TLS_10=1 disables TLS 1.0 for inbound SSL/TLS connections of all Domino Internet protocols. The setting takes effect only after a server restart. In combination with DISABLE_SSLV3=1, all outdated protocol versions (SSL v2/v3, TLS 1.0) are rejected, leaving TLS 1.1 and TLS 1.2 (as well as TLS 1.3 from Domino 12 onward).
Per KB0078972, the parameter should be set with care, since older clients or applications that do not support TLS 1.2 will no longer be able to connect afterwards. Therefore, an inventory of connected clients is advisable before activation.
Version note
Domino version | Behavior |
< 9.0.1 FP3 IF2 | Parameter not available |
9.0.1 FP3 IF2 – 11.0.x | TLS 1.0 on by default; SSL_DISABLE_TLS_10=1 to disable |
12.0.x and higher | TLS 1.0 off by default; reactivate with SSL_ENABLE_TLS_10=1 if needed |
Examples
Disable TLS 1.0 (typical for 9.0.1 FP3+ and 10.x/11.x):
SSL_DISABLE_TLS_10=1
DISABLE_SSLV3=1
In Domino 12.0.x or higher, exceptionally re-enable TLS 1.0 (not recommended):
SSL_ENABLE_TLS_10=1
Notes
- Server restart required – Does not take effect at runtime; the Domino server must be fully restarted.
- Inbound connections – The parameter mainly affects inbound SSL/TLS sessions. For outbound connections, Domino tasks negotiate the protocol version with the remote side; if needed, additionally restrict via SSLCipherSpec.
- Verification – External tests (e.g. Qualys SSL Labs, nmap --script ssl-enum-ciphers) are suitable for confirming the disablement.
- Companion parameters – Sensible to combine with DISABLE_SSLV3=1, USE_WEAK_SSL_CIPHERS=0, and a modern SSLCipherSpec configuration.
- Compliance – In Domino 12.0.x and newer, TLS 1.0 is already disabled by default; SSL_DISABLE_TLS_10=1 is therefore redundant there but does no harm.
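The version table and the companion parameters above can be checked against a notes.ini file before a restart window. The following is an added example, not code from HCL or from the original page: the function names, the sample file content, and the case-insensitive matching of setting names are assumptions, and the server is assumed to be at 9.0.1 FP3 IF2 or later.

```python
# Added example: offline audit of notes.ini text against the page's version table.
EXPECTED_COMPANIONS = {"DISABLE_SSLV3": "1", "USE_WEAK_SSL_CIPHERS": "0"}

def parse_notes_ini(text):
    """Return {NAME: value}; names upper-cased (case-insensitive matching is an assumption)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue  # skip blanks, the [Notes] header, and malformed lines
        name, _, value = line.partition("=")
        settings[name.strip().upper()] = value.strip()
    return settings

def audit_tls10(ini_text, domino_major):
    """domino_major: 9 means 9.0.1 FP3 IF2 or later; 10, 11, 12, ... as is.
    Returns (tls10_allowed, findings)."""
    s = parse_notes_ini(ini_text)
    findings = []
    if domino_major >= 12:
        # 12.0.x and higher: off by default, only SSL_ENABLE_TLS_10=1 brings it back.
        tls10_allowed = s.get("SSL_ENABLE_TLS_10") == "1"
        if tls10_allowed:
            findings.append("SSL_ENABLE_TLS_10=1 re-enables TLS 1.0")
    else:
        # 9.0.1 FP3 IF2 to 11.0.x: on by default, SSL_DISABLE_TLS_10=1 turns it off.
        tls10_allowed = s.get("SSL_DISABLE_TLS_10") != "1"
        if tls10_allowed:
            findings.append("SSL_DISABLE_TLS_10=1 not set; TLS 1.0 allowed by default")
    for name, want in EXPECTED_COMPANIONS.items():
        if s.get(name) != want:
            findings.append(f"companion setting {name}={want} not set")
    return tls10_allowed, findings

# Constructed sample input, not taken from a real server.
SAMPLE_INI = """[Notes]
ssl_disable_tls_10=1
DISABLE_SSLV3=1
ServerTasks=HTTP,SMTP,LDAP
"""

if __name__ == "__main__":
    for major in (11, 12):
        allowed, notes = audit_tls10(SAMPLE_INI, major)
        print(f"Domino {major}: TLS 1.0 allowed={allowed}; {notes}")
```

A clean result only describes the file: the setting applies after a full server restart, so the external scan from the Verification note remains the confirmation of what the running server accepts.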
Sources (HCL Product Documentation)
- HCL Customer Support – KB0078972 "How to disable the TLS 1.0 protocol" (Applies to: Domino 9.0.1 FP3 IF2, 10.0.x, HCL Domino 11.0.x and higher): support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0078972
- HCL Domino 14.5.1 – NOTES.INI Settings (overview): help.hcl-software.com/domino/14.5.1/admin/conf_notesinisettings_c.html
- HCL Notes and Domino Wiki – "IBM Notes and Domino Interim Fixes to support TLS 1.2": ds-infolib.hcltechsw.com/ldd/dominowiki.nsf/dx/TLS_1.2