Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 
alt

Daniel Nashed

 

TLS 1.2 Connection Issues with mail.protection.outlook.COM

Daniel Nashed  7 January 2016 10:57:08
Two of my customers had issues connecting to the Microsoft hosted environment over TLS 1.2 once we got the session resumption working (see previous blog posts).

My environment had the same configuration and could connect just fine.
It looks like the servers are behaving different with different certificates.
That's the only difference we saw in configuration.

After a couple of tests and working with IBM support we got a hotfix that we successfully tested yesterday.
I know of 3 customers who solved their connection issues that way.

The error you see in the logs is the following:

TLS/SSL connection 194.76.45.81(64892) -> 213.199.154.23(25) failed with client certificates NOT supported by server signature algorithms
SMTPClient: SSL handshake error: 1C7Ah
Router: No messages transferred to ACME.COM (host acme.mail.protection.outlook.COM) via SMTP: SSL IO error. Remote session no longer responding.


SPR # MKENA4SQ7R Domino TLS 1.2 Client Hello does not offer a Signature Algorithm extension causing some handshakes to fail

This is one of the SPRs planned for the next IF.
There are other open issues that should be also fixed as well like the outgoing session resumption issues.


Short description what happens.

TLS 1.2 defines an extension to the Client Hello (signature algorithms) and this is officially required for TLS1.2 in contrast to earlier TLS versions.
Some servers implement the RFC quite strict and that could cause connection issues over TLS 1.2

The fix ensures that the signature algorithms are send which includes all the currently supported algorithms:

06 01 - SHA512/RSA
05 01 - SHA384/RSA
04 01 - SHA256/RSA
03 01 - SHA224/RSA
02 01 - SHA1/RSA
01 01 - MD5/RSA"




Links

    Archives


    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]