Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

TLS 1.2 Connection Issues with mail.protection.outlook.COM

Daniel Nashed  7 January 2016 11:57:08
Two of my customers had issues connecting to the Microsoft hosted environment over TLS 1.2 once we got the session resumption working (see previous blog posts).

My environment had the same configuration and could connect just fine.
It looks like the servers are behaving differently with different certificates.
That's the only difference we saw in configuration.

After a couple of tests and working with IBM support we got a hotfix that we successfully tested yesterday.
I know of 3 customers who solved their connection issues that way.

The error you see in the logs is the following:

TLS/SSL connection 194.76.45.81(64892) -> 213.199.154.23(25) failed with client certificates NOT supported by server signature algorithms
SMTPClient: SSL handshake error: 1C7Ah
Router: No messages transferred to ACME.COM (host acme.mail.protection.outlook.COM) via SMTP: SSL IO error. Remote session no longer responding.


SPR # MKENA4SQ7R Domino TLS 1.2 Client Hello does not offer a Signature Algorithm extension causing some handshakes to fail

This is one of the SPRs planned for the next IF.
There are other open issues that should also be fixed, like the outgoing session resumption issues.


Short description of what happens.

TLS 1.2 (RFC 5246) adds a signature_algorithms extension to the Client Hello, in which the client lists the hash/signature algorithm pairs it accepts. The extension does not exist in earlier TLS versions. The RFC tells a server that does not receive it to fall back to SHA-1 with the negotiated key type, but some servers implement the extension strictly and abort the handshake instead, which causes the connection issues seen above over TLS 1.2.

The fix ensures that the signature_algorithms extension is sent and that it includes all the currently supported algorithms. Each entry is a pair of bytes, hash algorithm first and signature algorithm second (01 = RSA), using the values from the RFC 5246 registry:

06 01 - SHA512/RSA
05 01 - SHA384/RSA
04 01 - SHA256/RSA
03 01 - SHA224/RSA
02 01 - SHA1/RSA
01 01 - MD5/RSA
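To make the byte layout above concrete, here is an added example (not code from Domino or from this post) that builds the signature_algorithms extension from the six pairs listed, wraps it in a minimal TLS 1.2 Client Hello, and parses a Client Hello to report whether the extension is present. It also models a strict server that rejects a hello without the extension; the Client Hello contents (zero random, two cipher suites) and the server's certificate algorithm are constructed sample values, not captured traffic from mail.protection.outlook.com.

```python
import struct

# Hash and signature algorithm codes from the RFC 5246 section 7.4.1.4.1 registry
HASH_NAMES = {0: "none", 1: "MD5", 2: "SHA1", 3: "SHA224",
              4: "SHA256", 5: "SHA384", 6: "SHA512"}
SIG_NAMES = {0: "anonymous", 1: "RSA", 2: "DSA", 3: "ECDSA"}
EXT_SIGNATURE_ALGORITHMS = 0x000D   # extension type number for signature_algorithms

# The (hash, signature) pairs the post says the hotfix sends, in the listed order
DOMINO_FIX_PAIRS = [(6, 1), (5, 1), (4, 1), (3, 1), (2, 1), (1, 1)]


def build_signature_algorithms_ext(pairs):
    """Encode pairs as a signature_algorithms extension: type, length, then a
    length-prefixed list of 2-byte (hash, signature) entries."""
    body = b"".join(bytes([h, s]) for h, s in pairs)
    data = struct.pack("!H", len(body)) + body
    return struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(data)) + data


def build_client_hello(extensions=b""):
    """Constructed sample: a minimal TLS 1.2 ClientHello handshake message.
    With extensions=b"" no extensions block is written at all, which is the
    shape of the hello the unfixed client sends."""
    body = b"\x03\x03"                    # client_version: TLS 1.2
    body += bytes(32)                     # random (all zero; sample only)
    body += b"\x00"                       # session_id length 0
    cipher_suites = b"\x00\x3d\x00\x2f"   # TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                   # one compression method: null
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    # handshake header: type 1 (client_hello) + 24-bit length
    return b"\x01" + struct.pack("!I", len(body))[1:] + body


def parse_signature_algorithms(client_hello):
    """Walk a ClientHello and return the offered (hash, signature) names,
    or None if no signature_algorithms extension is present."""
    if client_hello[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(client_hello[1:4], "big")
    body = client_hello[4:4 + length]
    pos = 2 + 32                                        # skip version and random
    sid_len = body[pos]; pos += 1 + sid_len             # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len               # compression_methods
    if pos >= len(body):
        return None                                     # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        if ext_type == EXT_SIGNATURE_ALGORITHMS:
            n = struct.unpack("!H", edata[:2])[0]
            return [(HASH_NAMES.get(edata[2 + i], hex(edata[2 + i])),
                     SIG_NAMES.get(edata[3 + i], hex(edata[3 + i])))
                    for i in range(0, n, 2)]
    return None


def strict_server_accepts(client_hello, server_sig_alg=(4, 1)):
    """Model of a strict TLS 1.2 server: it refuses the handshake when the
    extension is missing, or when the list does not cover the algorithm its
    own certificate uses (default SHA256/RSA, an assumed sample value).
    RFC 5246 would instead have the server assume SHA1 with the key type."""
    offered = parse_signature_algorithms(client_hello)
    if offered is None:
        return False
    want = (HASH_NAMES[server_sig_alg[0]], SIG_NAMES[server_sig_alg[1]])
    return want in offered


if __name__ == "__main__":
    unfixed = build_client_hello()
    fixed = build_client_hello(build_signature_algorithms_ext(DOMINO_FIX_PAIRS))
    print("extension bytes:", build_signature_algorithms_ext(DOMINO_FIX_PAIRS).hex())
    print("unfixed hello offers:", parse_signature_algorithms(unfixed))
    print("fixed hello offers:", parse_signature_algorithms(fixed))
    print("strict server accepts unfixed:", strict_server_accepts(unfixed))
    print("strict server accepts fixed:", strict_server_accepts(fixed))
```

The parser is also usable on a real Client Hello copied out of a packet capture (the handshake message starting at the 0x01 type byte, after the 5-byte record header), which is the quickest way to confirm whether a given Domino build actually sends the extension.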




Comments

1) Gert-Jan Alderlieste  15.01.2016 22:37:12  TLS 1.2 Connection Issues with mail.protection.outlook.COM

Hi Daniel,

Where can I find this fix ?

Suddenly I have the same error on the company server with mails to *.*.*.outlook.com.

Thanks,

Gert-Jan Alderlieste

2) Daniel Nashed  19.01.2016 9:35:31  TLS 1.2 Connection Issues with mail.protection.outlook.COM

@Gert-Jan, it's currently just available as a hotfix from IBM support.

We got a combo hotfix for both SPRs and there is no IF that contains those fixes yet.

3) Tripp Black  11.03.2016 22:06:03  TLS 1.2 Connection Issues with mail.protection.outlook.COM

The hotfix is available within Domino 9.0.1 FP 5 IF1. We have confirmed it works.

Only remaining issue is that sometimes outlook.com is demanding we have TLS 1.0 enabled or it won't handshake. This is causing us additional issues since TLS 1.0 needs to be disabled for HTTP audits for our PCI and PII compliance.

4) Siegfried Olberding  23.08.2017 12:04:58  TLS 1.2 Connection Issues with mail.protection.outlook.COM

Hi Daniel,

I have FP8 installed and get the same issue with mail protection.

Have you an idea?

Thanks,

Siegfried

