Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed


Traveler server not connecting to Microsoft SQL Server using only TLS 1.2

Daniel Nashed  9 April 2019 09:32:46

There is a new issue that Detlev Pöttgen has already reported in detail about on his blog including the work-around

Current MS SQL Servers do only support TLS 1.2 and the JDBC Driver used on the Traveler Server does not open a TLS 1.2 session by default.

This impacts Traveler configuration with the travelerutil and also operating your server -- if the SQL server is updated to a version that supports TLS 1.2 only!

(Original IBM technote for reference --> ).

Detlev's post contains the details for the work-around and change the default to allow TLS 1.2.

The error message shown is: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption

-- Some more technical details --

I was very surprised when looking into it. The underlying issue is a IBM JVM issue in combination with the way the application uses the TLS connection.
I recall from previous tests (when we got TLS 1.0 and 1.2 for Domino 9.0.1 Fixpacks) that the IBM JVM was using TLS 1.2 already.
So it isn't a general issue but an issue with the wrong default settings in combination with the way the application is written.

In this case what is probably happening is that the current Microsoft SQL JDBC driver is using the "TLS" constant which by default only uses TLS 1.0 on the IBM JVM!!

The Oracle JVM by default uses TLS 1.0/1.1/1.2 when specifying "TLS" but the IBM JVM just uses TLS 1.0 in contrast.

So this isn't directly a Traveler issue nor can be fixed by Traveler (unless there is a way to tell the JDBC driver explicitly to use TLS 1.2 -- I did not find any setting yet).

The following table still seems to apply. I haven't tested in detail.
But it's not clear how they will address this issue, because it's more a JDBC driver IBM JDK issue.

IMHO the IBM JVM should be fixed to use TLS 1.2 per default because this might cause also issues in other applications implemented in the same way.

-- Daniel
Protocol label
Protocol enabled before the fix
Protocol enabled after the fix
  • Server: TLS V1.0, TLS V1.1 and TLS V1.2 protocols.
  • Client: TLS V1.0 protocol
SSLv3 SSL V3.0 None, the connection fails.
TLS TLS V1.0 (defined in RFC2246) TLS V1.0 (defined in RFC2246)
TLSv1 TLS V1.0 (defined in RFC2246) TLS V1.0 (defined in RFC2246)
TLSv1.1 TLS V1.1 (defined in RFC4346) TLS V1.1 (defined in RFC4346)
TLSv1.2 TLS V1.2 (defined in RFC5246) TLS V1.2 (defined in RFC5246)
SSL_TLS Enables all SSL V3.0 and TLS V1.0 protocols TLS V1.0
SSL_TLSv2 Enables all SSL V3.0 and TLS V1.0, V1.1, and V1.2 protocols Enables all TLS V1.0, V1.1, and V1.2 protocols



    • [IBM Lotus Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]