
I have a problem understanding Domino's behaviour in offering SSL or TLS for outgoing connections to a WebService.

We have an agent that accesses a WebService. The WebService only accepts TLS 1.0.

From time to time the connection crashes, and I turned on DEBUG_SSL_ALL=3 to see what is happening.

I figured out that the connection fails because the server offers SSLV3.0 instead of TLS1.0; see the example in the log at 05:45:58.

How can the server suddenly do that? I read in another post that this can sometimes happen due to "resumption", which is supposed to be a behaviour to remember a session and connect faster. That sounds like a good thing to have, but in this case it does not seem to be the reason. I have had this agent run on its own for a couple of hours, and it suddenly changes protocol anyway.

Our server needs to keep the ability to use SSL for other reasons, so I can't set DISABLE_SSLV3=1 for the moment, and the receiving server can't use SSL.

Here is my log; I hope for some help. The start of the connection is identical as far as I can see. Are there any more useful debug settings that can give me more?

Domino 9.0.1 FP4

[10A4:000C-082C] 01/13/2016 05:26:59.36 PM SSLInitContext> 0 Available cipherspec: 0x0035
[10A4:000C-082C] 01/13/2016 05:26:59.36 PM SSLInitContext> 1 Available cipherspec: 0x002F
[10A4:000C-082C] 01/13/2016 05:26:59.36 PM SSLInitContext> 2 Available cipherspec: 0x000A
[10A4:000C-082C] 01/13/2016 05:26:59.36 PM SSLInitContext> 3 Available cipherspec: 0x0005
[10A4:000C-082C] 01/13/2016 05:26:59.36 PM int_MapSSLError> Mapping SSL error 0 to 0         [SSLNoErr]
[10A4:000C-082C] 01/13/2016 05:26:59.36 PM SSL_Handshake> Enter
[10A4:000C-082C] 01/13/2016 05:26:59.36 PM SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
[10A4:000C-082C] 01/13/2016 05:26:59.36 PM SSL_Handshake> outgoing ->protocolVersion: 0301
[10A4:000C-082C] 01/13/2016 05:26:59.36 PM SSLAdvanceHandshake Enter> Processed : 0 State: 4 (HandshakeClientIdle)
[10A4:000C-082C] 01/13/2016 05:26:59.38 PM SSLAdvanceHandshake Enter> Processed : SSL_hello_request
[10A4:000C-082C] 01/13/2016 05:26:59.38 PM SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeClientHello
[10A4:000C-082C] 01/13/2016 05:26:59.38 PM SSLEncodeClientHello> We offered SSL/TLS version TLS1.0 (0x0301)
...
[1204:0006-1390] 01/13/2016 05:28:59.91 PM SSLEncodeClientHello> We offered SSL/TLS version TLS1.0 (0x0301)
...
[10A4:000F-08BC] 01/13/2016 05:29:54.78 PM SSLEncodeClientHello> We offered SSL/TLS version TLS1.0 (0x0301)
...
[0F38:000B-0BCC] 01/13/2016 05:36:03.58 PM SSLEncodeClientHello> We offered SSL/TLS version TLS1.0 (0x0301)
...
[1204:0009-0A94] 01/13/2016 05:45:58.19 PM SSLInitContext> 0 Available cipherspec: 0x0035
[1204:0009-0A94] 01/13/2016 05:45:58.19 PM SSLInitContext> 1 Available cipherspec: 0x002F
[1204:0009-0A94] 01/13/2016 05:45:58.19 PM SSLInitContext> 2 Available cipherspec: 0x000A
[1204:0009-0A94] 01/13/2016 05:45:58.19 PM SSLInitContext> 3 Available cipherspec: 0x0005
[1204:0009-0A94] 01/13/2016 05:45:58.21 PM int_MapSSLError> Mapping SSL error 0 to 0         [SSLNoErr]
[1204:0009-0A94] 01/13/2016 05:45:58.21 PM SSL_Handshake> Enter
[1204:0009-0A94] 01/13/2016 05:45:58.21 PM SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
[1204:0009-0A94] 01/13/2016 05:45:58.21 PM SSL_Handshake> outgoing ->protocolVersion: 0301
[1204:0009-0A94] 01/13/2016 05:45:58.21 PM SSLAdvanceHandshake Enter> Processed : 0 State: 4 (HandshakeClientIdle)
[1204:0009-0A94] 01/13/2016 05:45:58.21 PM SSLAdvanceHandshake Enter> Processed : SSL_hello_request
[1204:0009-0A94] 01/13/2016 05:45:58.21 PM SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeClientHello
[1204:0009-0A94] 01/13/2016 05:45:58.21 PM SSLEncodeClientHello> We offered SSL/TLS version SSLV3.0 (0x0300)
...
[10A4:0012-08A0] 01/13/2016 05:50:59.42 PM SSLEncodeClientHello> We offered SSL/TLS version TLS1.0 (0x0301)
...
[10A4:0015-0DF4] 01/13/2016 05:52:23.57 PM SSLEncodeClientHello> We offered SSL/TLS version TLS1.0 (0x0301)
...
[10A4:0018-090C] 01/13/2016 05:53:33.55 PM SSLEncodeClientHello> We offered SSL/TLS version TLS1.0 (0x0301)

I am aware of the ciphers for 1.0.
The ciphers match with the WebService.
As I wrote, it is Domino that suddenly (randomly) likes to offer, in the log part:
- We offered SSL/TLS version SSLV3.0 (0x0300) (error)
instead of
- We offered SSL/TLS version TLS1.0 (0x0301) (success)

The ciphers in my log are for TLS 1.0, because I have set SSL_DISABLE_TLS_12=1.

Michael Hampton
Stefan K

1 Answer

It seems that the ciphers you configured for your Domino server do not match the ciphers offered by the web service. You need to find out which ciphers your service supports and then enable them on your Domino server using the SSLCipherSpec notes.ini setting.

On this IBM site you find a list of all supported ciphers for your version. For 9.0.1FP4 it says:

Available ciphers for TLS 1.0 / SSLv3

  1. DHE_RSA_WITH_AES_256_CBC_SHA (39)
  2. RSA_WITH_AES_256_CBC_SHA (35)
  3. RSA_WITH_AES_128_CBC_SHA (2F)
  4. DHE_RSA_WITH_AES_128_CBC_SHA (33)
  5. RSA_WITH_3DES_EDE_CBC_SHA (0A)
  6. RSA_WITH_RC4_128_SHA (05)

And the ciphers enabled by default are (as can be seen in your logs):

  1. RSA_WITH_AES_256_CBC_SHA (35)
  2. RSA_WITH_AES_128_CBC_SHA (2F)
  3. RSA_WITH_3DES_EDE_CBC_SHA (0A)

Just match them with the ciphers of your webservice and enable what is necessary...

Tode
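The DEBUG_SSL_ALL=3 output in the question interleaves several Domino threads, so spotting which handshake offered SSLV3.0 by eye is error-prone. The script below is an added example (not part of the question, the answer, or any IBM/Domino tooling) that groups the log by the `[task:thread-id]` prefix, pairs each `SSLEncodeClientHello` with the `SSLInitContext` cipherspecs announced for that thread, flags every ClientHello below TLS 1.0, and reports the suites by the names from the IBM table quoted in the answer. The sample lines are copied from the question's log; the regular expressions are written against that exact format and are an assumption about how other Domino builds print these lines. The `missing_ciphers` helper performs the comparison the answer suggests, given a set of suite codes you know the web service accepts.

```python
import re
from collections import defaultdict

# Cipher suite codes as listed in the IBM table quoted in the answer
# (TLS 1.0 / SSLv3 suites available in Domino 9.0.1 FP4).
CIPHER_NAMES = {
    0x0039: "DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0035: "RSA_WITH_AES_256_CBC_SHA",
    0x002F: "RSA_WITH_AES_128_CBC_SHA",
    0x0033: "DHE_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "RSA_WITH_RC4_128_SHA",
}

# Protocol version numbers as printed by SSLEncodeClientHello.
PROTOCOL_NAMES = {0x0300: "SSLV3.0", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}

# Assumed line layout (taken from the question's log):
# "[1204:0009-0A94] 01/13/2016 05:45:58.21 PM <message>"
LINE_RE = re.compile(
    r"^\[(?P<thread>[0-9A-Fa-f]{4}:[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})\]\s+"
    r"(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d\d [AP]M)\s+(?P<msg>.*)$"
)
CIPHER_RE = re.compile(r"SSLInitContext> \d+ Available cipherspec: 0x(?P<code>[0-9A-Fa-f]{4})")
HELLO_RE = re.compile(r"SSLEncodeClientHello> We offered SSL/TLS version \S+ \(0x(?P<ver>[0-9A-Fa-f]{4})\)")


def cipher_name(code):
    """Suite name from the table above, or the raw code if it is not listed."""
    return CIPHER_NAMES.get(code, "0x%04X" % code)


def parse_handshakes(lines):
    """Group log lines by Domino thread id and return one record per ClientHello:
    thread, timestamp, offered version, and the cipherspecs SSLInitContext
    announced for that thread since its previous ClientHello."""
    pending = defaultdict(list)   # thread id -> cipher codes not yet attached to a hello
    records = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue   # "..." separators and other non-matching lines are skipped
        thread, ts, msg = m.group("thread"), m.group("ts"), m.group("msg")
        cm = CIPHER_RE.search(msg)
        if cm:
            pending[thread].append(int(cm.group("code"), 16))
            continue
        hm = HELLO_RE.search(msg)
        if hm:
            records.append({
                "thread": thread,
                "time": ts,
                "version": int(hm.group("ver"), 16),
                "ciphers": pending.pop(thread, []),
            })
    return records


def find_downgraded(records, minimum=0x0301):
    """ClientHellos that offered a version below `minimum` (TLS 1.0 by default)."""
    return [r for r in records if r["version"] < minimum]


def missing_ciphers(record, service_suites):
    """Suites the web service requires that this ClientHello did not announce.
    `service_suites` is a set of codes you have confirmed the service accepts."""
    return sorted(set(service_suites) - set(record["ciphers"]))


def describe(record):
    ver = PROTOCOL_NAMES.get(record["version"], "0x%04X" % record["version"])
    suites = ",".join(cipher_name(c) for c in record["ciphers"]) or "(not logged)"
    return "%s %s offered %s ciphers=%s" % (record["thread"], record["time"], ver, suites)


# Lines copied from the question's log; the elided "..." sections are left as-is.
SAMPLE_LOG = """\
[10A4:000C-082C] 01/13/2016 05:26:59.36 PM SSLInitContext> 0 Available cipherspec: 0x0035
[10A4:000C-082C] 01/13/2016 05:26:59.36 PM SSLInitContext> 1 Available cipherspec: 0x002F
[10A4:000C-082C] 01/13/2016 05:26:59.36 PM SSLInitContext> 2 Available cipherspec: 0x000A
[10A4:000C-082C] 01/13/2016 05:26:59.36 PM SSLInitContext> 3 Available cipherspec: 0x0005
[10A4:000C-082C] 01/13/2016 05:26:59.36 PM SSL_Handshake> outgoing ->protocolVersion: 0301
[10A4:000C-082C] 01/13/2016 05:26:59.38 PM SSLEncodeClientHello> We offered SSL/TLS version TLS1.0 (0x0301)
...
[1204:0006-1390] 01/13/2016 05:28:59.91 PM SSLEncodeClientHello> We offered SSL/TLS version TLS1.0 (0x0301)
...
[1204:0009-0A94] 01/13/2016 05:45:58.19 PM SSLInitContext> 0 Available cipherspec: 0x0035
[1204:0009-0A94] 01/13/2016 05:45:58.19 PM SSLInitContext> 1 Available cipherspec: 0x002F
[1204:0009-0A94] 01/13/2016 05:45:58.19 PM SSLInitContext> 2 Available cipherspec: 0x000A
[1204:0009-0A94] 01/13/2016 05:45:58.19 PM SSLInitContext> 3 Available cipherspec: 0x0005
[1204:0009-0A94] 01/13/2016 05:45:58.21 PM SSL_Handshake> outgoing ->protocolVersion: 0301
[1204:0009-0A94] 01/13/2016 05:45:58.21 PM SSLEncodeClientHello> We offered SSL/TLS version SSLV3.0 (0x0300)
...
[10A4:0012-08A0] 01/13/2016 05:50:59.42 PM SSLEncodeClientHello> We offered SSL/TLS version TLS1.0 (0x0301)
"""

if __name__ == "__main__":
    recs = parse_handshakes(SAMPLE_LOG.splitlines())
    bad = find_downgraded(recs)
    for r in recs:
        print(describe(r) + ("  <-- below TLS 1.0" if r in bad else ""))
```

Run it against the full DEBUG_SSL_ALL console log (after the question's log has been saved to a file, pass `open(path).read().splitlines()` to `parse_handshakes`) to get every SSLV3.0 ClientHello with its thread id and timestamp in one list; the same check is a quick way to confirm, once DISABLE_SSLV3=1 can eventually be set, that no outgoing ClientHello drops below TLS 1.0 any more.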