
On a Server 2016 box we just updated to PCI 3.1, which in effect removed TLS 1.0 from the ciphers. A PowerShell script that sent an email after a backup to our Domino 9.0.1 FP7 server now fails with

The client and server cannot communicate, because they do not possess a common algorithm

The Domino log shows

[0B40:000A-09DC] 12/18/2016 07:20:21.57 AM SSLInitContext> User is forcing    0xC3C0A cipher spec bitmask for 9 ciphers
[0B40:000A-09DC] Checking keyfile certificates:
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSLCheckCertChain> Invalid certificate chain received
[0B40:000A-09DC] Cert Chain Evaluation Status: err: 3674, A certificate chain could not be constructed
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_TRUSTPOLICY>  bits for signature hashes: 0010
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSLDisableExportCiphers> Disabling weak cipher RSA_WITH_DES_CBC_SHA. Set notes.ini "USE_WEAK_SSL_CIPHERS=1" to re-enable.
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSLDisableExportCiphers> Server key (4096 bits) too strong for EXPORT1024 ciphers. Disabling cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_Handshake Enter>> Current Cipher Unknown Cipher (0x0000)
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_Handshake> outgoing ->protocolVersion: 0303
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM S_Read> Enter len = 1
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM S_Read> Switching Endpoint to sync
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM S_Read> Posting a nti_rcv for 1 bytes
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_RcvSetup> SSL not init exit
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM S_Read> Switching Endpoint to async
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM S_Read> nti_done return 0 bytes rc = 9
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM S_Read> nti_done return 0 bytes rc = 9 Event = 0x400
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSLSendAlert> Sending an alert of 0x0 (close_notify) level 0x2 (fatal)
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_Handshake> Changing SSL status from -6989 to -5000 to flush write queue
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_Handshake> After handshake state = SSLErrorClose (2); Status = -5000
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_Handshake> Exit Status = -5000
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_Handshake Enter>> Current Cipher Unknown Cipher (0x0000)
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM S_Write> Enter len = 7
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_Xmt> 00000000: 15 03 03 00 02 02 00  

I'm not sure if the issue relates to the script, or a shortcoming with Domino.

Setting UseSSL to false will allow the connection, but if other emails (customers) are being rejected for the same reason and we were blissfully unaware until now it needs to be resolved.

The Domino Server is running on a 2008 R2 box

Any pointers would be appreciated

Thanks

gchq

1 Answer


2008 Server requires that you enable TLS 1.2 - there is a registry key you can add/edit - this is already there on 2012

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  1. Create a new folder TLS 1.2 and add two new keys underneath it:

    Client
    Server

  2. New DWORD (32-bit) DisabledByDefault

    DisabledByDefault set to 0

  3. Create another DWORD Enabled.

    Enabled set to 1

Repeat for the Server key (by creating two DWORDs, DisabledByDefault and Enabled, and their values underneath the Server key).

Reboot the server.

Your server should now support TLS 1.2.

https://support.quovadisglobal.com/kb/a433/how-to-enable-tls-1_2-on-windows-server-2008-r2.aspx

Drifter104
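The registry change the answer describes, written as a PowerShell script rather than done by hand in regedit. This is an added example, not code from the answer or from the QuoVadis article it links; it creates the TLS 1.2 key with its Client and Server subkeys, sets DisabledByDefault=0 and Enabled=1 as REG_DWORD on both, and reads the result back so the state can be verified before the reboot. Function names are my own, and it needs PowerShell 3 or later run from an elevated prompt. One caveat worth keeping in view: the SSLInitContext and notes.ini lines in the question's trace are written by Domino's own TLS implementation, so this SCHANNEL setting governs Windows components on the 2008 R2 host (including any .NET-based clients there) rather than the Domino listener itself.

```powershell
# Added example (not from the answer): apply and read back the SCHANNEL TLS 1.2
# registry values the answer describes. Run elevated; reboot afterwards.
$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. 'TLS 1.2'
        [Parameter(Mandatory)][bool]$Enable
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $protocols $Protocol) $side
        if (-not (Test-Path $key)) {
            # -Force also creates the intermediate 'TLS 1.2' key if it is missing
            New-Item -Path $key -Force | Out-Null
        }
        # Values exactly as in the answer for enabling: DisabledByDefault=0, Enabled=1
        $enabled  = if ($Enable) { 1 } else { 0 }
        $disabled = if ($Enable) { 0 } else { 1 }
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value $disabled -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value $enabled  -Force | Out-Null
    }
}

function Get-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Protocol)
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $protocols $Protocol) $side
        $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Protocol          = $Protocol
            Side              = $side
            KeyExists         = [bool]$p
            Enabled           = if ($p) { $p.Enabled } else { $null }
            DisabledByDefault = if ($p) { $p.DisabledByDefault } else { $null }
        }
    }
}

# Enable TLS 1.2 for both sides, then show the resulting values.
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true
Get-SchannelProtocol -Protocol 'TLS 1.2' | Format-Table -AutoSize
```

Get-SchannelProtocol can also be pointed at 'TLS 1.0' or 'SSL 3.0' to confirm what a PCI change actually left enabled, which is the same information the IISCrypto run in the comments shows, just scriptable.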
  • Running IISCrypto 2.0 shows the following protocols are enabled on that server - Multi-Protocol Unified Hello - PCT 1.0 - SSL 3.0 - TLS 1.0 - TLS 1.1 - TLS 1.2 – gchq Dec 18 '16 at 22:16
  • Have you checked your certificate has a full valid chain - there is an online tool to check this or use openssl - if the parts of the certificate are not in the right order - less concerned servers will ignore the invalid/incorrect chain. I had issues with Apple devices not accepting the certificate as the chain was not complete, however other devices were fine. – Ozoid Dec 19 '16 at 22:49
  • You may need to import the root and intermediate certificates to your server - 2016 is new enough to not have your cert provider certificates installed. – Ozoid Dec 19 '16 at 22:56
  • Hi Ozoid - on the 2016 box the chain is fine, added Comodo root certificates when we set it up. With Domino it was a real pain in the rump getting the certificates and chain imported - the import tool doesn't work as it should and we had to use a third party utility (OpenSSL) - going to our domino site and clicking on the padlock does show a complete chain though – gchq Dec 19 '16 at 23:36
  • Running a scan from High Tech Bridge on the mail port returned an A grade, but also 'Intermediate certificate is not provided by the server.' This is odd as using a browser pointing the Domino https server shows a complete certification path and if I run the same test against the https server it returns an A+ and the same intermediate certificate warning - then presents a diagram showing the correct intermediate... – gchq Dec 20 '16 at 16:35
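The question's error ("no common algorithm") and the comment thread's chain observations both come down to what the SMTP listener negotiates and which certificates it presents. The following read-only STARTTLS probe, an added example that is not part of the question, answer or comments, connects to an SMTP port, issues EHLO and STARTTLS, attempts one TLS version per connection and reports the negotiated version and cipher, the leaf certificate subject, and the length and policy errors of the chain Windows could build from what the server sent plus the local store. It never sends mail. The function name, the EHLO client name and the host in the usage line are placeholders; it needs PowerShell 3 or later on .NET 4.5 or later.

```powershell
# Added diagnostic (not from the page): probe an SMTP STARTTLS endpoint per TLS version.
function Test-SmtpStartTls {
    param(
        [Parameter(Mandatory)][string]$MailHost,        # placeholder: your mail server
        [int]$Port = 25,
        [System.Security.Authentication.SslProtocols[]]$Protocols = @('Tls', 'Tls11', 'Tls12')
    )
    foreach ($proto in $Protocols) {
        $r = [ordered]@{ Host = $MailHost; Requested = $proto; Negotiated = $null; Cipher = $null
                         Subject = $null; ChainLength = $null; PolicyErrors = $null; Error = $null }
        $tcp = $null
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient($MailHost, $Port)
            $net = $tcp.GetStream()
            $reader = New-Object System.IO.StreamReader($net)
            $writer = New-Object System.IO.StreamWriter($net)
            $writer.NewLine = "`r`n"
            $writer.AutoFlush = $true
            # SMTP replies are "NNN-text" continuation lines ending with an "NNN text" line
            $readReply = {
                do { $line = $reader.ReadLine() } while ($line -and $line.Length -gt 3 -and $line[3] -eq '-')
                $line
            }
            $null = & $readReply                          # 220 greeting
            $writer.WriteLine('EHLO tlsprobe.invalid')     # constructed client name
            $null = & $readReply
            $writer.WriteLine('STARTTLS')
            $reply = & $readReply
            if ($reply -notmatch '^220') { throw "STARTTLS refused: $reply" }

            # Record the validation outcome rather than enforce it (like an s_client run):
            # this is a probe, not a mail client, and we want the handshake details even
            # when the chain is incomplete.
            $seen = @{}
            $cb = [System.Net.Security.RemoteCertificateValidationCallback]({
                param($sender, $cert, $chain, $errors)
                $seen.Errors      = $errors
                $seen.ChainLength = $chain.ChainElements.Count
                return $true
            }.GetNewClosure())
            $ssl = New-Object System.Net.Security.SslStream($net, $false, $cb)
            $ssl.AuthenticateAsClient($MailHost,
                (New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection),
                [System.Security.Authentication.SslProtocols]$proto, $false)
            $r.Negotiated   = $ssl.SslProtocol
            $r.Cipher       = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength) $($ssl.KeyExchangeAlgorithm)"
            $r.Subject      = $ssl.RemoteCertificate.Subject
            $r.ChainLength  = $seen.ChainLength
            $r.PolicyErrors = $seen.Errors
            # Say goodbye inside the TLS session so the server logs a clean close
            $sw = New-Object System.IO.StreamWriter($ssl)
            $sw.NewLine = "`r`n"; $sw.AutoFlush = $true
            $sw.WriteLine('QUIT')
            $ssl.Dispose()
        } catch {
            $r.Error = $_.Exception.Message
        } finally {
            if ($tcp) { $tcp.Close() }
        }
        [pscustomobject]$r
    }
}

# Usage (placeholder host): one row per TLS version tried.
# Test-SmtpStartTls -MailHost 'mail.example.com' -Port 25 | Format-Table -AutoSize
```

A row whose Requested version fails while Tls12 succeeds tells you the listener side is fine and the client is the one offering an old version; a ChainLength of 1 with a PolicyErrors value other than None on a host that lacks the intermediate in its local store is what the "Intermediate certificate is not provided by the server" finding in the comments looks like from a client. On the script side, if the backup job uses Send-MailMessage, the versions the client offers come from [Net.ServicePointManager]::SecurityProtocol, so setting that to Tls12 before the call is the matching client-side check.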