Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

    Extended Master Secret Extension issue affects all Internet Protocols including STARTTLS

    Daniel Nashed  27 July 2016 10:23:28
    There is an issue, described in a technote, with Win 2008 R2 and LDAP.
    This issue also occurs for other internet protocols!!

    It is especially important for servers using STARTTLS because you don't control which version and settings the receiving/sending host is using.

    So the issue I blogged about today also affects other protocols. That's why I decided to have two blog posts to ensure it is better found on the web.

    Here is the info from the other blog post, which is also relevant for your SMTP servers.


    -- Daniel



    Domino  9.0.1 FP5 IF1 adds support for the Extended Master Secret Extension with TLS 1.2.

    Windows 2008 R2 supports only TLS 1.0 but still sends the Extended Master Secret Extension in the server hello.

    Domino fails to connect because once this is offered Domino wants to use it.


    There is a work-around to disable this new functionality globally on the server via notes.ini:


    SSL_DISABLE_EXTENDED_MASTER_SECRET=1


    This is just a work-around. The real fix would be for Microsoft to provide a fix for Win 2008 R2 so that it does not send the extension with the hello.
    Later versions do support TLS 1.2 and do not have the issue.



    See the following technote for details ->
    http://www.ibm.com/support/docview.wss?uid=swg21987608
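
To check whether a peer shows the behaviour described above, you can inspect its ServerHello for the negotiated version and the extended_master_secret extension (type 0x0017, RFC 7627). The following is an added example, not code from the original post or from IBM; the function names are hypothetical and the sample record is constructed, not captured from a real server.

```python
import struct

EXT_EXTENDED_MASTER_SECRET = 0x0017  # extension type from RFC 7627
NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_server_hello(record: bytes) -> dict:
    """Parse a single TLS record that carries a complete ServerHello."""
    if len(record) < 5:
        raise ValueError("record header truncated")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len or rec_len < 4 or body[0] != 0x02:
        raise ValueError("not a complete ServerHello handshake record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 38 or 38 + hello[34] > hs_len:
        raise ValueError("ServerHello body truncated")
    version = struct.unpack("!H", hello[:2])[0]
    # Skip version(2), random(32), session id, cipher suite(2), compression(1).
    pos = 35 + hello[34] + 3
    ext_types = []
    if pos + 2 <= len(hello):  # the extensions block is optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        if end > len(hello):
            raise ValueError("extensions block truncated")
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            ext_types.append(etype)
            pos += 4 + elen
    ems = EXT_EXTENDED_MASTER_SECRET in ext_types
    # matches_post: the combination the post describes (EMS sent below TLS 1.2).
    return {"version": NAMES.get(version, hex(version)), "ems": ems,
            "matches_post": ems and version < 0x0303}

def build_sample_hello(version: int, ext_types: list) -> bytes:
    """Constructed test input with empty extension bodies; not a real capture."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f\x00"
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(hs)) + hs

if __name__ == "__main__":
    print(parse_server_hello(build_sample_hello(0x0301, [0x0017])))
```
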

