STARTTLS Outbound Sessions might fail with TLS 1.0 used and TLS 1.2 Ciphers
Daniel Nashed 15 December 2015 20:18:43
We have been running into some issues and I got multiple customers reporting that outgoing STARTTLS did not work in some cases specially for some German provides like web.de and gmx.net.
The error you see when enabling debugging is
SSLEncodeClientHello> We offered SSL/TLS version TLS1.0 (0x0301)
FindCipherSpec> Cipher spec DHE_RSA_WITH_AES_256_CBC_SHA256 (107) is not supported with TLS1.0
It turned out that session resumtion in combination with the new introduced TLS 1.2 causes some interoperability issues.
The outgoing session does use TLS 1.0 instead of TLS 1.2 in some cases because of session resumption.
Session resumption is specially important for incoming HTTPS connections. But it is also used for outbount connections.
When TLS 1.0 is used instead of TLS 1.2 your server might chose a cipher that is not supported in combination with TLS 1.2 and the connection will fail with an error message like this
TLS/SSL connection 192.168.1.1(39040) -> 192.168.1.2(25) failed with server chose unsupported cipher spec 0x006B
The current work-around is to disable resumable sessions with the following notes.ini parameter
SSL_RESUMABLE_SESSIONS=1
You should be aware that this causes some performance impact for incoming connections like HTTPS.
IBM is working on a solution. Stay tuned for more details.
-- Daniel
- Comments [2]
![[HCL Domino]](../lotus-domino.gif){kind=small}
![[Domino on Linux]](../domino-linux.gif){kind=small}
![[Nash!Com]](../nashcom.gif){kind=small}
![[Daniel Nashed]](../daniel-nsh.gif){kind=small}