December 12 2014 Friday

How to disable SSLv3 in Domino

In my POODLE TLS post from a few days back, there was a comment asking how to fully disable SSLv3 in Domino. You'll notice in the comments I mention that there is a way but at the time it was under NDA. Well, apparently not anymore....

Now, fair warning: this may not yet be supported by IBM, so if you choose to do this, you do it at your own risk (while under NDA on this, it was stated that it is unsupported, so YMMV).

According to this post on the Domino wiki, you can use this server notes.ini setting to fully disable SSLv3 but still keep TLS working:

DEBUG_UNSUPPORTED_DISABLE_SSLV3=17


If you need this, test it before you put it into production. I have not yet done this, but everyone I know that has has had no issues so far. Again YMMV.


Darren Duke   |   December 12 2014 07:39:06 AM   |    domino  tls  ssl  poodle  security    |  

Comments (4)

1 - Craig Wiseman    http://www.Wiseman.la/cpw    12/12/2014 2:45:02 PM

This INI setting apparently disables SMTP TLS. With that setting, I get "Your server's response did not include "250-STARTTLS" indicating TLS support." from SMTP SSL/TLS settings test sites.
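A pre-production check for the two things at stake here, that SSLv3 is refused and that SMTP still advertises STARTTLS, as an added Python example that is not from the post, the commenters, or IBM. The function names and sample EHLO replies are constructed, and the probe offers only four legacy cipher suites, so "refused" describes the reply to this hello rather than to every possible client.

```python
import os
import socket
import struct

# Real legacy cipher suite IDs: 3DES-SHA, RC4-SHA, AES128-SHA, AES256-SHA.
SUITES = [0x000A, 0x0005, 0x002F, 0x0035]
# Constructed EHLO replies (not captured from a real server).
EHLO_WITH = "250-mail.example.test Hello\r\n250-SIZE 10485760\r\n250-STARTTLS\r\n250 PIPELINING"
EHLO_WITHOUT = "250-mail.example.test Hello\r\n250-SIZE 10485760\r\n250 PIPELINING"

def sslv3_client_hello():
    """Build a ClientHello record that offers SSL 3.0 (version bytes 03 00) only."""
    suites = b"".join(struct.pack(">H", s) for s in SUITES)
    body = (b"\x03\x00" + os.urandom(32) + b"\x00"    # version, random, empty session id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00")                            # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16\x03\x00" + struct.pack(">H", len(handshake)) + handshake

def classify_reply(data):
    """Interpret the first bytes a server sent back to the SSLv3 hello."""
    if not data or data[0] == 0x15:                   # peer closed, or sent an alert
        return "refused"
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02 and data[9:11] == b"\x03\x00":
        return "accepted"                             # ServerHello selecting SSL 3.0
    return "unknown"

def probe_sslv3(host, port=443, timeout=10):
    """Send the hello to an implicit-TLS port (443, 465, 636, ...) and classify the reply."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(sslv3_client_hello())
        try:
            while len(data) < 11:                     # enough to see the ServerHello version
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except ConnectionResetError:
            return "refused"
        except socket.timeout:
            return classify_reply(data) if data else "unknown"
    return classify_reply(data)

def ehlo_offers_starttls(reply):
    """True if an SMTP EHLO reply advertises the STARTTLS extension."""
    return any(line[:3] == "250" and line[4:].strip().upper() == "STARTTLS"
               for line in reply.splitlines())
```

Run `probe_sslv3` against each TLS-enabled port before and after adding the notes.ini line, and feed the server's EHLO reply to `ehlo_offers_starttls` to catch the loss of "250-STARTTLS" reported above.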

2 - Craig Wiseman    http://www.Wiseman.la/cpw    12/12/2014 3:07:26 PM

While I'm whining about things, "http://simplified-tech.com/" works but "http://www.simplified-tech.com/" does not.

3 - Darren Duke    http://blog.darrenduke.net    12/12/2014 3:50:10 PM

@Craig, I did say test right? ;)

As for the site, thanks for the heads up. We lost a server last week and the DNS for www was missed as it seems GoDaddy has now decided paged, non-alphabetical "A" records listing is a good idea. Should be fixed in a few hours.

4 - Craig Wiseman    http://www.Wiseman.la/cpw    12/12/2014 3:54:03 PM

I did say test... ;-) I merely report the results of my testing.