|Notes 9.0.1 FP7 / 126.96.36.199 AES Session Encryption Upgrade|
Tripp W Black on 01/06/2017 at 05:06 PM
Category: Domino Upgrades / Installations
Increase session encryption for Notes Clients to Domino server using new AES session tickets.
There are two notes.ini settings that enable increased encryption support via Notes clients.
PORT_ENC_ADV (default is not used/enabled - nothing new)
TICKET_ALG_SHA (default is HMAC-SHA 256)
For PORT_ENC_ADV, enter the sum of the options to enable.
1 = Enable HMAC-SHA256 integrity protection against tampering only, for legacy RC4 clients.
2 = Enable AES-128 CBC instead of #1 above, and also enable HMAC-SHA256 integrity protection against tampering.
4 = Enable AES-128 GCM for integrity protection and add'l confidentiality.
8 = Enable AES-256 GCM for integrity protection and add'l confidentiality.
16 = Enable FFDHE-2048 encryption w/port Forward Security (Diffie-Hellman 2048 bit).
64 = Enable AES tickets from RC2-128 bit to AES-128 bit.
Most backward compatibility and minimal performance cost:
64 + 1 = 65 - Gives basically just the ability for AES tickets and tampering protection.
Best security along with backward compatibility:
1 + 2 + 4 + 8 + 16 + 64 = 127
With FP7 clients and servers, they will use option 8, 16, and 64. For older clients, they will use option 1, 2, 4, and 64.
For TICKET_ALG_SHA, you can omit this parameter for the default HMAC-SHA 256. Otherwise, the options are:
1 = Enable HMAC-SHA 1
256 = Enable HMAC-SHA 256 (default)
384 = Enable HMAC-SHA 384
512 = Enable HMAC-SHA 512
For logging and testing, use the debugging parameters, DEBUG_PORT_ENC_ADV=1 and LOG_AUTHENTICATION=1.
See technote: SWG21990283 on the IBM site for more information on the new T, S, and FS flags.