SSL Breaks After Upgrading To Domino 10.0.1

Beginning with Domino 10.0.1, SSL cipher options are configurable in the Security tab of Internet Site documents or in the Ports tab of Server documents (depending on whether or not you have enabled Internet Site documents). All of the supported SSL ciphers are now listed clearly, in order of strength, for easy selection.

In my experience, when “Load Internet configurations from Server\Internet Sites documents” is disabled, the upgrade enables NO ciphers by default.

In contrast, ALL (non-weak) ciphers are selected post-upgrade for Internet Site Docs.

If you ARE NOT using Internet Site Docs
To review the current settings, go to the Server doc > Ports > Internet Ports > SSL settings and click the “Modify” button in the “SSL ciphers” field.

If you ARE using Internet Site Docs
To review the current settings, go to the Domino Directory, expand Web, and choose “Internet Sites.” Then open the corresponding Internet Site document and go to the “Security” tab. In the SSL Security section, click the “Modify” button in the “SSL ciphers” field.

When the right ciphers aren’t selected, besides HTTPS pages not rendering in browsers, you will also see something like this on the console or in the log: TLS/SSL connection failed with no supported ciphers
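To see which TLS services are hitting this after an upgrade, the log can be triaged by listening port. The following is an added example, not part of the original post or IBM's tooling; the sample lines are constructed, and the `client(port)-server(port)` layout between "connection" and "failed" is an assumption about the log format (the pattern also matches the message without it).

```python
import re
from collections import Counter

# Matches the message quoted above. The endpoint part is optional because its
# exact layout is an assumption, not something the post shows.
NO_CIPHER = re.compile(
    r"TLS/SSL connection\s+"
    r"(?:(?P<client>[\d.]+)\((?P<cport>\d+)\)-"
    r"(?P<server>[\d.]+)\((?P<sport>\d+)\)\s+)?"
    r"failed with no supported ciphers"
)

# Standard TLS ports for Internet protocols; a server listening on
# non-default ports is reported as "port N" instead.
SERVICES = {443: "HTTPS", 465: "SMTPS", 636: "LDAPS", 993: "IMAPS", 995: "POP3S"}

# Constructed sample log lines (documentation IP range, made-up timestamps).
SAMPLE_LOG = """\
01/15/2019 09:14:02 AM  HTTP Server: Started
01/15/2019 09:15:40 AM  TLS/SSL connection 192.0.2.10(51544)-192.0.2.20(443) failed with no supported ciphers
01/15/2019 09:15:41 AM  TLS/SSL connection 192.0.2.11(51601)-192.0.2.20(443) failed with no supported ciphers
01/15/2019 09:16:03 AM  TLS/SSL connection 192.0.2.12(40022)-192.0.2.20(636) failed with no supported ciphers
01/15/2019 09:17:10 AM  TLS/SSL connection failed with no supported ciphers
""".splitlines()


def triage(lines):
    """Count 'no supported ciphers' failures per listening service."""
    hits = Counter()
    for line in lines:
        m = NO_CIPHER.search(line)
        if not m:
            continue  # unrelated log line
        sport = m.group("sport")
        if sport is None:
            hits["unknown"] += 1  # message present, no endpoint info
        else:
            port = int(sport)
            hits[SERVICES.get(port, f"port {port}")] += 1
    return hits


if __name__ == "__main__":
    for service, count in triage(SAMPLE_LOG).most_common():
        print(f"{service}: {count} failed handshake(s), review its SSL ciphers field")
```

Each service that shows up points at the Server doc Ports tab or the Internet Site document for that protocol, as described above.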

Click this link for IBM’s KB Article about the New SSL cipher configuration for Domino 10.0.1

 

 
