SSLCipherSpec

Parameter: SSLCipherSpec
Short description: Defines, server-wide, the SSL/TLS cipher suites allowed in HCL Domino as a concatenation of 4-digit hex cipher IDs. On Domino 10.0.1 and higher, the notes.ini value is migrated automatically during the upgrade and ignored afterwards.

Profile

Parameter: SSLCipherSpec
Component: Server (all SSL-capable tasks)
Category: Security / TLS
Available since: Domino 9.0.1 (with TLS 1.2 update; from 10.0.1 onward, migration only)
Value format: Hex string of 4-digit cipher IDs without separators, e.g. C030009F009D
Effect: Completely overrides the cipher list configured in the server/Internet site document
GUI equivalent: Server document → Ports → Internet Ports or Internet Site → Security → TLS Security

Description

With SSLCipherSpec, administrators define for the whole Domino server which cipher suites are permitted for inbound and outbound SSL/TLS connections. The list is provided as a hex string of 4-digit cipher IDs:
  • The order of the ciphers in the string is irrelevant — the choice is made at runtime from the intersection of server list ∩ client list.
  • Leading zeros must be present (e.g. 009D and not 9D).
  • Older 2-digit cipher IDs are still accepted (legacy from IBM days).
Per the HCL Notes/Domino Wiki, SSLCipherSpec completely overrides the cipher list configured in the server or Internet site document. To remove a single unwanted cipher, the entire desired cipher list must therefore be listed in SSLCipherSpec — any cipher missing from it will no longer be available.

Important version note: Domino 10.0.1+

Per HCL Product Documentation "New SSL cipher configuration" (Domino 10.0.1):
You may currently use the SSLCipherSpec server notes.ini setting to specify cipher settings on Domino 9.0.1 servers. In this case, after upgrading to Domino 10.0.1, the value in SSLCipherSpec is selected automatically in the Server documents or Internet Site documents of Domino 10.0.1 servers. After the upgrade, the notes.ini setting on servers is ignored.
Consequence:
  • Domino 9.0.1 / 9.0.1 FP3+ – SSLCipherSpec is the most important lever and is evaluated.
  • Domino 10.0.1, 11.0.x, 12.0.x, 14.x, 14.5.x – During upgrade from 9.0.1, the value is migrated once into the server document or Internet site document. After that, the notes.ini entry is ignored; changes are made exclusively in the directory document.
  • For new installations from Domino 10.0.1 onward, SSLCipherSpec should not be set in notes.ini at all.

Examples

Only the strong AES-256-GCM suites (example from the HCL Wiki, not intended as a recommendation):
SSLCipherSpec=C030009F009D
Classic Domino 9.0.1 FP3 example for limiting to common TLS 1.0/1.2 ciphers (from HCL forum):
SSLCipherSpec=3933352F0A

Notes

  • Effective only in 9.0.1 – From Domino 10.0.1 onward, the GUI configuration (server/Internet site document) is authoritative; the notes.ini is ignored.
  • Overrides GUI values – In 9.0.1, every SSLCipherSpec entry makes the selection in the "SSL Ciphers" field of the ports configuration ineffective.
  • Cipher strength – In Domino 10, RSA_WITH_3DES_EDE_CBC_SHA was classified as a weak cipher; when a list is carried over 1:1 from 9.0.1, it should be removed from the list.
  • Default from Domino 14.x – Current Domino versions already ship with a modern, TLS 1.2/1.3-capable cipher default list; manual intervention is only necessary for special compliance requirements.
  • Guide – The HCL Wiki page "TLS Cipher Configuration" and Daniel Nashed's blog posts on "Perfect Forward Secrecy ciphers shipped with 9.0.1 FP3 IF2" provide practical cipher strings.
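To review an existing 9.0.1 value before migration, the following added example (not HCL code) decodes an SSLCipherSpec string into IANA suite names, flags the 3DES suite noted above, and rebuilds the full list without it, since the setting overrides rather than subtracts. The name table covers only the IDs in this page's two examples, and the rule for telling 4-digit from legacy 2-digit strings (HIGH_BYTES) is an assumption of this example, not documented Domino behaviour.

```python
import re

# IANA TLS cipher suite names for the IDs that appear in the page's examples.
IANA_NAMES = {
    "C030": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "009F": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "009D": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "0039": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "0033": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "0035": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "002F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "000A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
# The only suite the page names as weak (3DES, per the Domino 10 note).
WEAK = {"000A"}
# Assumption of this example: 4-digit IDs start with one of these high bytes.
HIGH_BYTES = {"00", "C0", "CC", "13"}


def split_ids(spec):
    """Split an SSLCipherSpec value into normalized 4-digit cipher IDs."""
    spec = spec.strip().upper()
    if not re.fullmatch(r"(?:[0-9A-F]{2})+", spec):
        raise ValueError("expected an even-length hex string without separators")
    if len(spec) % 4 == 0:
        ids = [spec[i:i + 4] for i in range(0, len(spec), 4)]
        if all(cid[:2] in HIGH_BYTES for cid in ids):
            return ids
    # Legacy form: 2-digit IDs, widened to 4 digits with a 00 high byte.
    return ["00" + spec[i:i + 2] for i in range(0, len(spec), 2)]


def audit(spec):
    """Return (id, name, weak) tuples in the order given in the string."""
    return [(cid, IANA_NAMES.get(cid, "unknown"), cid in WEAK)
            for cid in split_ids(spec)]


def without_weak(spec):
    """Rebuild the full list minus weak suites; the setting overrides, so list all."""
    return "".join(cid for cid in split_ids(spec) if cid not in WEAK)


if __name__ == "__main__":
    for value in ("C030009F009D", "3933352F0A"):  # the page's two examples
        for cid, name, weak in audit(value):
            print(value, cid, name, "WEAK" if weak else "ok")
        print("suggested:", without_weak(value))
```

The rebuilt string is written in 4-digit form, so a legacy 2-digit value such as 3933352F0A comes back with explicit leading zeros.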

Sources (HCL Product Documentation)