This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Apr 4, 2016, 12:42 PM
151 Posts

Connecting using a lower cipher than I should

  • Category: Security
  • Platform: IBM i
  • Release: 9.0.1
  • Role: Administrator
  • Tags:
  • Replies: 1

I have the following entries in my notes.ini:

# https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration
SSLCipherSpec=C030009FC02F009EC028006BC0140039C0270067C0130005

I scanned my notes.ini for SSL (in various cases) and that is the ONLY line in my notes.ini referencing SSL.

I connected using FF and it connected fine at a TLS 1.2 cipher.

Then I pointed the url in FF to about:config and changed security.tls.version.max from 3 down to 1.

Went to my website and now the cipher being used is: 

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 256 BIT KEYS, TLS 1.0

This is C014 from the notes.ini line

According to https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration

this is TLS 1.2. Apparently Firefox (FF) thinks it is TLS 1.0.

Who is right?

Or is FF saying I only want to use TLS 1.0 but, dang, I'll use this instead?

According to http://www.openssl.org/docs/manmaster/apps/ciphers.html

I think (and I may be interpreting that site wrong) it is an elliptical curve extension of TLS 1.0.  However it was on a list of "recommended cipher configurations" from our last external security scan.

BTW our external security scans are performed by a wholly owned subsidiary of IBM. Kind of fun when IBM and IBM start fighting...

Apr 6, 2016, 8:08 PM
94 Posts
The cipher used and the protocol version used are different things.
https://en.wikipedia.org/wiki/Transport_Layer_Security

The version of the protocol is going to be either SSLv3, TLS 1.0, or TLS 1.2.

The ciphers that can be used with any given version of the SSL/TLS protocol are shown in the wiki article that you indicated.

https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration

Domino supports the ECDHE_RSA_WITH_AES_256_CBC_SHA (C014) cipher when using TLS 1.2 and when using TLS 1.0. As shown on that page, it's currently Domino's 7th favorite cipher when using TLS 1.2, and its favorite cipher when using TLS 1.0.

The FF configuration change you mentioned tells FF to not offer any versions of TLS above TLS 1.0 -- which would most likely result in the 0xC014 cipher being selected, as you indicated in your message.
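An added example, not code from either poster or from IBM/HCL, that makes the answer above concrete: it splits the SSLCipherSpec value from the question into its 2-byte suite IDs (names from the IANA cipher suite registry), classifies each suite by the lowest protocol version it can run on (GCM and SHA-256/384 suites need TLS 1.2), and assumes the server takes the first suite in its own configured order that the client's maximum version allows. With that assumption, a client capped at TLS 1.0 lands on the 7th entry, C014, exactly as described.

```python
# Parse a Domino SSLCipherSpec string and predict which suite a client gets.
# Names below are from the IANA TLS Cipher Suite registry for the IDs on this page.
SUITE_NAMES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0x006B: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0x0067: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}

def parse_cipher_spec(spec):
    """Split the hex string into 16-bit suite IDs, in server preference order."""
    spec = spec.strip()
    if len(spec) % 4 != 0:
        raise ValueError("SSLCipherSpec must be a run of 4-hex-digit suite IDs")
    return [int(spec[i:i + 4], 16) for i in range(0, len(spec), 4)]

def min_version(suite):
    """GCM and SHA-256/384 suites need the TLS 1.2 PRF (RFC 5246/5288/5289);
    everything else here (SHA-1 MAC) also works on TLS 1.0."""
    name = SUITE_NAMES.get(suite, "")
    if "GCM" in name or name.endswith(("SHA256", "SHA384")):
        return "TLS 1.2"
    return "TLS 1.0"

def negotiate(spec, client_max):
    """Assumption: the server walks its configured list and takes the first suite
    usable at the client's highest version. Returns (1-based position, suite ID)."""
    order = ["TLS 1.0", "TLS 1.2"]
    for pos, suite in enumerate(parse_cipher_spec(spec), start=1):
        if order.index(min_version(suite)) <= order.index(client_max):
            return pos, suite
    raise ValueError("no configured suite is usable at " + client_max)

# The SSLCipherSpec line quoted in the question.
NOTES_INI_SPEC = "C030009FC02F009EC028006BC0140039C0270067C0130005"

if __name__ == "__main__":
    for version in ("TLS 1.2", "TLS 1.0"):
        pos, suite = negotiate(NOTES_INI_SPEC, version)
        print(f"client max {version}: picks #{pos} {suite:04X} {SUITE_NAMES[suite]}")
```

Running it also shows that the last entry, 0005 (RC4), is still reachable by a client that offers nothing stronger, which is the kind of thing an external scan will flag.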
