Unable to connect to patched Domino servers using SSLv2 backwards compatibility mode
Added by ~Joseph Nimweburings | Edited by ~Joseph Nimweburings on September 15, 2015 | Version 9
Tags: SSL, TLS
All support for SSLv2 was removed by the Interim Fixes that added support for TLS 1.0 and TLS_FALLBACK_SCSV to IBM Domino. This includes the SSLv2 handshake messages that were used to enable backwards compatibility with servers that only supported SSLv2.

SSL/TLS clients that attempt to connect to a patched Domino server using SSLv2 backwards compatibility mode will be unable to connect. We recommend either configuring those clients to use TLS instead of SSLv2, or upgrading to newer clients that will use the TLS/SSLv3 record format by default.

See RFC 6176, "Prohibiting Secure Sockets Layer (SSL) Version 2.0", for details.

This behavior can be confirmed by setting DEBUG_SSL_ALL=1 in the server's notes.ini and reconnecting.

SSLv2 backwards compatibility mode in Domino 9.0.1 FP4 and newer:

[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSL_TRUSTPOLICY> bits for signature hashes: 0034
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSL_Handshake> Enter
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSL_Handshake> outgoing ->protocolVersion: 0303
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM S_Read> Enter len = 5
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM S_Read> Switching Endpoint to sync
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM S_Read> Posting a nti_rcv for 5 bytes
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSL_RcvSetup> SSL not init exit
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM S_Read> Switching Endpoint to async
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM S_Read> nti_done return 5 bytes rc = 0
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSL_RCV> 00000000: 80 2E 01 00 02 '.....'
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM S_Read> Exit, read 5 bytes
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSLReadRecord> Rejecting connection - record contentType not in range for SSLv3 or TLS
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSLReadRecord> First 4 bytes of SSL/TLS record: 0x80 0x2E 0x01 0x00
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSLReadRecord> This is probably an SSLv2 ClientHello record which is not supported by default to improve "out of the box" security
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSLReadRecord> See the SSLv2 page on the Notes/Domino wiki for more information.
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSL_Handshake> After handshake state= 3 Status= -6974
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM SSL_Handshake> Exit Status = -6974
[024396:000011-4019078912] 09/15/2015 11:04:20.00 AM int_MapSSLError> Mapping SSL error -6974 to 4171 [SSLProtocolVersionErr]

SSLv2 backwards compatibility mode in older versions of Domino:

[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM SSLInitContext> User is forcing 3079 cipher spec bitmask
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM SSL_Handshake> Enter
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM S_Read> Enter len = 5
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM S_Read> Switching Endpoint to sync
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM S_Read> Posting a nti_rcv for 5 bytes
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM SSL_RcvSetup> SSL not init exit
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM S_Read> Switching Endpoint to async
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM S_Read> nti_done return 5 bytes rc = 0

[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM SSL_RCV> 00000000: 80 7A 01 03 01 '.z...'
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM S_Read> Exit, read 5 bytes
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM SSL_Handshake> After handshake state= 3 Status= -6996
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM SSL_Handshake> Exit Status = -6996
[07871:00012-4054583040] 11/11/2014 04:16:43.31 PM int_MapSSLError> Mapping SSL error -6996 to 4166 [SSLProtocolErr]


TLS / SSLv3 connection:

[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM SSLInitContext> User is forcing 3079 cipher spec bitmask
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM SSL_Handshake> Enter
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM S_Read> Enter len = 5
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM S_Read> Switching Endpoint to sync
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM S_Read> Posting a nti_rcv for 5 bytes
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM SSL_RcvSetup> SSL not init exit
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM S_Read> Switching Endpoint to async
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM S_Read> nti_done return 5 bytes rc = 0

[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM SSL_RCV> 00000000: 16 03 01 00 53 '....S'
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM S_Read> Exit, read 5 bytes
[07871:00012-4054583040] 11/11/2014 04:19:47.84 PM S_Read> Enter len = 83



Starting in Domino 9.0.1 FP3 IF1 and Domino 8.5.3 FP6, you can set SSL_ENABLE_INSECURE_SSLV2_HELLO=1 in your notes.ini to permit these less secure connections. We strongly advise against setting this variable unless you absolutely need to interoperate with an outdated SSL client whose operator refuses to upgrade its software or configuration.
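The log excerpts above show the server deciding from the first five bytes of the inbound record whether it is looking at an SSLv2-format CLIENT-HELLO (first byte 0x80) or an SSLv3/TLS record (content type 0x16, version 03 01). The following Python is an added example, not part of this wiki article and not Domino's own code, that reproduces that classification and runs it over the three byte sequences captured in the logs. It assumes the two-byte SSLv2 record header (high bit set, 15-bit length) that an SSLv2 CLIENT-HELLO uses; the allow_insecure_sslv2_hello parameter is a hypothetical stand-in for the effect of SSL_ENABLE_INSECURE_SSLV2_HELLO=1 and is not how Domino reads that notes.ini setting.

```python
"""Classify the first bytes of an inbound SSL/TLS record: SSLv2-format
CLIENT-HELLO versus SSLv3/TLS record, mirroring the SSLReadRecord log lines."""
from dataclasses import dataclass
from typing import Optional, Tuple

# TLS record-layer content types (RFC 5246, section 6.2.1).
TLS_CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}

# Protocol version numbers as carried on the wire (major, minor).
VERSION_NAMES = {
    (0, 2): "SSLv2",
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}


@dataclass
class RecordInfo:
    kind: str                       # "sslv2", "tls" or "unknown"
    version: Optional[Tuple[int, int]]  # version offered by the client, if parsed
    length: int                     # payload length carried in the header
    detail: str                     # human-readable description


def parse_record_header(header: bytes) -> RecordInfo:
    """Inspect the first five bytes read from the socket (the 'len = 5' read)."""
    if len(header) < 5:
        raise ValueError("need at least 5 bytes of record header")
    b0 = header[0]
    # SSLv2 two-byte header: high bit set, remaining 15 bits are the length.
    # (Assumption: the three-byte padded SSLv2 header is not handled here.)
    if b0 & 0x80:
        length = ((b0 & 0x7F) << 8) | header[1]
        msg_type = header[2]
        version = (header[3], header[4])
        if msg_type == 0x01:
            detail = "SSLv2 CLIENT-HELLO record"
        else:
            detail = "SSLv2 record, message type 0x%02x" % msg_type
        return RecordInfo("sslv2", version, length, detail)
    # SSLv3/TLS header: content type, 2-byte version (major 3), 2-byte length.
    if b0 in TLS_CONTENT_TYPES and header[1] == 0x03:
        version = (header[1], header[2])
        length = (header[3] << 8) | header[4]
        return RecordInfo("tls", version, length, TLS_CONTENT_TYPES[b0])
    return RecordInfo("unknown", None, 0,
                      "record contentType not in range for SSLv3 or TLS")


def version_name(version: Optional[Tuple[int, int]]) -> str:
    return VERSION_NAMES.get(version, "unknown version %r" % (version,))


def accept_record(header: bytes, allow_insecure_sslv2_hello: bool = False) -> Tuple[bool, str]:
    """Return (accepted, reason). SSLv2-format hellos are rejected unless the
    hypothetical compatibility switch is on, matching the documented default."""
    info = parse_record_header(header)
    if info.kind == "tls":
        return True, "%s record, %s, %d bytes follow" % (
            info.detail, version_name(info.version), info.length)
    if info.kind == "sslv2" and allow_insecure_sslv2_hello:
        return True, "%s accepted by compatibility setting, client offers %s" % (
            info.detail, version_name(info.version))
    return False, "Rejecting connection - " + info.detail


# The three five-byte captures quoted from the log excerpts in this article.
CAPTURES = {
    "9.0.1 FP4, SSLv2 compat hello": bytes.fromhex("802e010002"),
    "older Domino, SSLv2 compat hello": bytes.fromhex("807a010301"),
    "TLS / SSLv3 connection": bytes.fromhex("1603010053"),
}

if __name__ == "__main__":
    for label, raw in CAPTURES.items():
        accepted, reason = accept_record(raw)
        print("%-34s %s -> %s (%s)" % (label, raw.hex(" "), accepted, reason))
```

Note that the third capture decodes to a handshake record of 83 bytes, which is exactly the `S_Read> Enter len = 83` that follows it in the log; the second capture is an SSLv2-format hello that nevertheless offers version 03 01 (TLS 1.0), which is what "backwards compatibility mode" means: a modern protocol version wrapped in the old record format that patched servers no longer parse.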

Versions (1)
Version 9, Sep 15, 2015, 3:28:24 PM, ~Joseph Nimweburings: Adding additional information available in 9.0.1 FP4