Notes.ini Entry



Name:

    SSL_Enable_Insecure_SSLV2_Hello

Syntax:

    SSL_Enable_Insecure_SSLV2_Hello=0 / 1

Applies to:

    Servers

Add-on:

First Release:

    9.0.1 FP3 - IF1

Obsolete since:

Category:

    HTTP, Security, Server

Default:

    None

UI equivalent:

    None

Description:
      Is it possible to re-enable SSLv2 support on Domino servers patched with the POODLE fixes? Re-enabling SSLv2 has become necessary because, since the POODLE fixes (which removed support for SSLv2) were applied, SMTP connection attempts from clients, servers, and JVMs with outdated SSL fail with the following error:

      SSL_Handshake> Exit Status = -6996
      int_MapSSLError> Mapping SSL error -6996 to 4166 [SSLProtocolErr]
      SMTPClient: SSL handshake error: 1046h

      Answer

      Starting with Domino 9.0.1 Fix Pack 3 Interim Fix 1, you can set the following notes.ini variable to permit these less secure connections. However, we strongly advise against setting this variable unless you absolutely need to interoperate with an outdated SSL client whose operator refuses to upgrade its software or configuration.

      SSL_ENABLE_INSECURE_SSLV2_HELLO=1

      This .INI variable will (1) allow SSLv2 ClientHello messages, as long as they negotiate up to a supported version of SSL/TLS, and (2) provide an increased level of tracing to help admins identify where the outdated connections are coming from. For related information, refer to the following Wiki article: "Unable to connect to patched Domino servers using SSLv2 backwards compatibility mode".
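
An added example (not part of the original technote or any HCL/IBM tooling): a Python check that reports whether this variable is set in a notes.ini and counts the handshake-failure signature quoted in the Description in a console log, so the exception can be removed once the outdated peers are gone. The function names and sample file contents are constructed for illustration; tolerating whitespace around `=` is an assumption about how the file may have been edited.

```python
import re

KEY = "ssl_enable_insecure_sslv2_hello"  # the page writes the name in two casings
# Failure signature quoted in the Description; one such line per failed handshake.
FAILURE = re.compile(r"SSL_Handshake> Exit Status = -6996")

def audit_notes_ini(text):
    """Return (state, line_numbers); state is 'enabled', 'disabled' or 'unset'."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        name, sep, value = raw.partition("=")
        if sep and name.strip().lower() == KEY:
            hits.append((lineno, value.strip()))
    if not hits:
        return "unset", []
    # Report 'enabled' if any occurrence is 1, so a duplicate entry cannot hide it.
    state = "enabled" if any(v == "1" for _, v in hits) else "disabled"
    return state, [n for n, _ in hits]

def count_handshake_failures(log_text):
    """Count failed handshakes; the follow-on mapping/SMTP lines are not double counted."""
    return sum(1 for line in log_text.splitlines() if FAILURE.search(line))

# Constructed sample notes.ini (not taken from a real server).
SAMPLE_INI = """[Notes]
Directory=/local/notesdata
ServerTasks=Router,HTTP,SMTP
ssl_enable_insecure_sslv2_hello =1
"""

# Constructed sample log: the three lines quoted on this page, repeated twice.
SAMPLE_LOG = """SSL_Handshake> Exit Status = -6996
int_MapSSLError> Mapping SSL error -6996 to 4166 [SSLProtocolErr]
SMTPClient: SSL handshake error: 1046h
SSL_Handshake> Exit Status = -6996
int_MapSSLError> Mapping SSL error -6996 to 4166 [SSLProtocolErr]
SMTPClient: SSL handshake error: 1046h
"""

if __name__ == "__main__":
    state, lines = audit_notes_ini(SAMPLE_INI)
    print(f"SSL_Enable_Insecure_SSLV2_Hello: {state} (lines {lines})")
    print(f"handshake failures in log: {count_handshake_failures(SAMPLE_LOG)}")
```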