All support for SSLv2 was removed by the Interim Fixes that added support for TLS 1.0 and TLS_FALLBACK_SCSV to IBM Domino. This includes the SSLv2 handshake messages that were used to enable backwards compatibility with servers that only supported SSLv2.
SSL/TLS clients that attempt to connect to a patched Domino server using SSLv2 backwards compatibility mode will be unable to connect. We recommend either configuring those clients to use TLS instead of SSLv2, or upgrading to newer clients that will use the TLS/SSLv3 record format by default.
See RFC 6176 "Prohibiting Secure Sockets Layer (SSL) Version 2.0" for details.
This behavior can be confirmed by setting DEBUG_SSL_ALL=1 in the server's notes.ini and reconnecting.
SSLv2 backwards compatibility mode in Domino 9.0.1 FP4 and newer:
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSL_TRUSTPOLICY> bits for signature hashes: 0034
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSL_Handshake> Enter
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSL_Handshake> outgoing ->protocolVersion: 0303
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM S_Read> Enter len = 5
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM S_Read> Switching Endpoint to sync
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM S_Read> Posting a nti_rcv for 5 bytes
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSL_RcvSetup> SSL not init exit
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM S_Read> Switching Endpoint to async
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM S_Read> nti_done return 5 bytes rc = 0
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSL_RCV> 00000000: 80 2E 01 00 02 '.....'
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM S_Read> Exit, read 5 bytes
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSLReadRecord> Rejecting connection - record contentType not in range for SSLv3 or TLS
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSLReadRecord> First 4 bytes of SSL/TLS record: 0x80 0x2E 0x01 0x00
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSLReadRecord> This is probably an SSLv2 ClientHello record which is not supported by default to improve "out of the box" security
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSLReadRecord> See the SSLv2 page on the Notes/Domino wiki for more information.
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSL_Handshake> After handshake state= 3 Status= -6974
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSL_Handshake> Exit Status = -6974
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM int_MapSSLError> Mapping SSL error -6974 to 4171 [SSLProtocolVersionErr]
SSLv2 backwards compatibility mode in older versions of Domino:
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM SSLInitContext> User is forcing 3079 cipher spec bitmask
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM SSL_Handshake> Enter
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM S_Read> Enter len = 5
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM S_Read> Switching Endpoint to sync
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM S_Read> Posting a nti_rcv for 5 bytes
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM SSL_RcvSetup> SSL not init exit
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM S_Read> Switching Endpoint to async
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM S_Read> nti_done return 5 bytes rc = 0
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM SSL_RCV> 00000000: 80 7A 01 03 01 '.z...'
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM S_Read> Exit, read 5 bytes
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM SSL_Handshake> After handshake state= 3 Status= -6996
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM SSL_Handshake> Exit Status = -6996
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM int_MapSSLError> Mapping SSL error -6996 to 4166 [SSLProtocolErr]
TLS / SSLv3 connection:
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM SSLInitContext> User is forcing 3079 cipher spec bitmask
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM SSL_Handshake> Enter
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM S_Read> Enter len = 5
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM S_Read> Switching Endpoint to sync
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM S_Read> Posting a nti_rcv for 5 bytes
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM SSL_RcvSetup> SSL not init exit
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM S_Read> Switching Endpoint to async
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM S_Read> nti_done return 5 bytes rc = 0
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM SSL_RCV> 00000000: 16 03 01 00 53 '....S'
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM S_Read> Exit, read 5 bytes
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM S_Read> Enter len = 83
Starting in Domino 9.0.1 FP3 IF1 and Domino 8.5.3 FP6, you can set SSL_ENABLE_INSECURE_SSLV2_HELLO=1 in your notes.ini to permit these less secure connections. We strongly advise against setting this variable unless you absolutely need to interoperate with an outdated SSL client that refuses to upgrade their software or configuration.
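The three traces above differ only in the first five bytes the server reads from the client. As an added example (not IBM's code), the Python below classifies those bytes and scans DEBUG_SSL_ALL output for clients still sending SSLv2-format hellos; the function names and the regular expression for the SSL_RCV line are assumptions based on the traces shown on this page.

```python
import re

# SSLv3/TLS record content types (RFC 5246): change_cipher_spec, alert,
# handshake, application_data.
TLS_CONTENT_TYPES = {20, 21, 22, 23}

# Matches only the 5-byte header dump (exactly five hex pairs before the
# ASCII column), so longer body reads are not misclassified.
SSL_RCV = re.compile(r"SSL_RCV> 00000000: ((?:[0-9A-Fa-f]{2} ){5})'")

def classify_header(hdr: bytes) -> dict:
    """Classify the first 5 bytes a client sends on a new connection."""
    if len(hdr) < 5:
        raise ValueError("need at least 5 bytes")
    if hdr[0] in TLS_CONTENT_TYPES and hdr[1] == 3:
        # type(1) | version(2) | length(2)
        return {"format": "tls-record", "version": (hdr[1], hdr[2]),
                "length": int.from_bytes(hdr[3:5], "big")}
    if hdr[0] & 0x80 and hdr[2] == 1:
        # SSLv2 2-byte header: high bit set + 15-bit length, then
        # msg type 1 (CLIENT-HELLO) and the version the client offers.
        return {"format": "sslv2-hello", "version": (hdr[3], hdr[4]),
                "length": ((hdr[0] & 0x7F) << 8) | hdr[1]}
    return {"format": "unknown", "version": None, "length": None}

def scan_log(lines):
    """Return one classification per 5-byte SSL_RCV header line."""
    results = []
    for line in lines:
        m = SSL_RCV.search(line)
        if m:
            results.append(classify_header(bytes.fromhex(m.group(1))))
    return results

# Sample lines shortened from the three traces on this page.
SAMPLE = [
    "09/15/2015 11:04:20.00 AM SSL_RCV> 00000000: 80 2E 01 00 02 '.....'",
    "11/11/2014 04:16:43.31 PM SSL_RCV> 00000000: 80 7A 01 03 01 '.z...'",
    "11/11/2014 04:19:47.84 PM SSL_RCV> 00000000: 16 03 01 00 53 '....S'",
    "11/11/2014 04:19:47.84 PM S_Read> Enter len = 83",
]

if __name__ == "__main__":
    for result in scan_log(SAMPLE):
        print(result)
```

The second sample is an SSLv2-format hello offering version 3.1 (TLS 1.0): the client supports TLS but wraps its hello in the SSLv2 record format, which is the configuration the page recommends changing.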