Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

Domino SMTP with TLS -- Make sure you always have an RSA TLS Credential

Daniel Nashed – 26 November 2025 15:25:34

Today I had a very weird problem in our DNUG Lab Domino environment.

Mails did not route any more to certain destinations with a weird error message.

After turning on SSL Handshake Debug it turned out the certificate was sent and the session was terminated afterwards.


It turned out the other side used RSA ciphers and expected an RSA cert to verify.

But the server only had an ECDSA TLS credential configured.


The solution was to just get an RSA key in parallel. Domino CertMgr can handle RSA and ECDSA keys in parallel since Domino 12.0.



26.11.2025 14:52:20,41 SSL_Handshake Enter>> Current Cipher ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)

26.11.2025 14:52:20,41 SSLProcessProtocolMessage> Record Content: Handshake (22)

26.11.2025 14:52:20,41 SSLProcessHandshakeMessage Enter> Message: ServerHelloDone (14) State: HandshakeHelloDone (9) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)

26.11.2025 14:52:20,41 SSLProcessHandshakeMessage Exit> Message: ServerHelloDone (14) State: HandshakeHelloDone (9) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)

26.11.2025 14:52:20,41 SSLAdvanceHandshake Enter> Processed: ServerHelloDone (14) State: HandshakeHelloDone (9)

26.11.2025 14:52:20,41 SSLAdvanceHandshake> A certificate has been requested

26.11.2025 14:52:20,41 SSLAdvanceHandshake> An X509 certificate has been requested

26.11.2025 14:52:20,41 SSLAdvanceHandshake> We have 3 certificate(s)

26.11.2025 14:52:20,43 SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeCertificate

26.11.2025 14:52:20,43 SSLEncodeCertificate> Generating a certificate message with 3 certs

26.11.2025 14:52:20,43 SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeKeyExchange

26.11.2025 14:52:20,43 SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeCertificateVerify

26.11.2025 14:52:20,43 SSLEncodeCertificateVerifyTLS12> Signing CertificateVerify using RSAWithSHA256

26.11.2025 14:52:20,43 SSLSendAlert> Sending an alert of 0x0 (close_notify) level 0x2 (fatal)

26.11.2025 14:52:20,43 SSL_Handshake> After handshake2 state SSLErrorClose (2)

26.11.2025 14:52:20,43 SSL_Handshake> Exit Status = -5000

26.11.2025 14:52:20,43 int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]

26.11.2025 14:52:20,43 SSL_Handshake Enter>> Current Cipher ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)

26.11.2025 14:52:20,44 SSL_Handshake> After handshake2 state SSLErrorClose (2)

26.11.2025 14:52:20,44 SSL_Handshake> SSL Error: -6997

26.11.2025 14:52:20,44 int_MapSSLError> Mapping SSL error -6997 to 4096 [SSLUnknownErr]

26.11.2025 14:52:20   Unexpected TCP/IP error func: 001Dh error Notes: 1C5B, NTI: 1000h, Stack: 00000000h

26.11.2025 14:52:20   SMTPClient: SSL handshake error: 1C5Bh

26.11.2025 14:52:20   Router: No messages transferred to acme.de (host secure-mail02.acme.de) via SMTP: Unexpected TCP error.  See the Notes log file on this system for error code.
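A small triage helper for this kind of handshake debug output, added here as an example and not part of the original post or of Domino: it reports each fatal alert together with the authentication algorithm of the cipher suite that was negotiated before it. The function name, the regular expressions and the shortened sample log are assumptions built from the lines shown above.

```python
import re

# Constructed sample: a shortened copy of the handshake debug output in this post.
SAMPLE_LOG = """\
26.11.2025 14:52:20,41 SSL_Handshake Enter>> Current Cipher ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
26.11.2025 14:52:20,41 SSLAdvanceHandshake> An X509 certificate has been requested
26.11.2025 14:52:20,43 SSLEncodeCertificate> Generating a certificate message with 3 certs
26.11.2025 14:52:20,43 SSLEncodeCertificateVerifyTLS12> Signing CertificateVerify using RSAWithSHA256
26.11.2025 14:52:20,43 SSLSendAlert> Sending an alert of 0x0 (close_notify) level 0x2 (fatal)
26.11.2025 14:52:20,43 SSL_Handshake> Exit Status = -5000
"""

CIPHER_RE = re.compile(r"Cipher:? (\w+)_WITH_\w+")
CERTS_RE = re.compile(r"Generating a certificate message with (\d+) certs")
ALERT_RE = re.compile(r"SSLSendAlert> Sending an alert of \S+ \((\w+)\) level \S+ \(fatal\)")


def find_failed_handshakes(log_text):
    """Return one finding per fatal alert, with the handshake context seen before it."""
    findings = []
    state = {"cipher_auth": None, "cert_requested": False, "certs_sent": 0}
    for line in log_text.splitlines():
        if m := CIPHER_RE.search(line):
            # Authentication part of the suite: "ECDHE_RSA" -> "RSA", "ECDHE_ECDSA" -> "ECDSA"
            state["cipher_auth"] = m.group(1).split("_")[-1]
        if "certificate has been requested" in line:
            state["cert_requested"] = True
        if m := CERTS_RE.search(line):
            state["certs_sent"] = int(m.group(1))
        if m := ALERT_RE.search(line):
            finding = dict(state, time=" ".join(line.split()[:2]), alert=m.group(1))
            if state["cipher_auth"] and state["certs_sent"]:
                # Heuristic only: points at the key type to verify in the configuration
                finding["hint"] = (f"suite authenticates with {state['cipher_auth']}; "
                                   f"check that a matching {state['cipher_auth']} TLS credential exists")
            findings.append(finding)
            # Start fresh for the next handshake attempt in the log
            state = {"cipher_auth": None, "cert_requested": False, "certs_sent": 0}
    return findings


if __name__ == "__main__":
    for finding in find_failed_handshakes(SAMPLE_LOG):
        print(finding)
```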
