Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

alt

Daniel Nashed

SSL V2 HELO can be re-enabled with 9.0.1 FP3 IF1

Daniel Nashed – 25 February 2015 19:45:11
As discussed before the security fixes introduced with the additon of TLS 1.0 removed V2 SSL HELO support.

This caused issues with applications that still use the V2 SSL HELO for compatibility issues. Specially older OpenSSL Versions did use V2 SSL HELO unless explicitly specifying TLS 1.0.
For most applications you can work-around it with updating the OpenSSL version to a current level.

But specially when using the SMTP STARTTLS extension we don't control what the connecting server uses.

IBM now allows to re-enable V2 SSL HELO if you really need to.

The reference SPR is #LMES9QRUZY Problem with incoming SMTP TLS connections after update to Domino 9.0.1 FP2IF1

But it does not mention the notes.ini parameter you need to enable it: SSL_ENABLE_INSECURE_SSLV2_HELLO=1

I have tested it with an older version of wget and got the following type of debug output:


25.02.2015 18:57:18,07 SSLReadRecord> Reading an insecure SSLv2 record by administrator request
25.02.2015 18:57:18,07 SSL2ReadRecord> Reading an insecure SSLv2 record by administrator request
25.02.2015 18:57:18,07 SSLProcessProtocolMessage> Record Content: 0
25.02.2015 18:57:18,07 SSLProcessProtocolMessage> Received an insecure SSLv2 record; processing by administrator request
25.02.2015 18:57:18,07 SSL2ProcessMessage> Message: 1
25.02.2015 18:57:18,07 SSL2ProcessClientHello> Processing SSLv2 ClientHello message requesting TLS1.0 (version 0x0301)
25.02.2015 18:57:18,07 SSL2ProcessClientHello> Client requested SSL_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)

Links

    Archives


    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]