This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Jul 16, 2015, 6:11 PM
11 Posts

9.0.1 Fix Pack 4 (client) doesn't add support for TLS 1.2?

  • Category: Mail
  • Platform: Windows
  • Release: 9.0.1
  • Role: End User
  • Tags:
  • Replies: 6

The 9.0.1 release with FP4 can't send mail (server: smtp.live.com).

I only find "KLYH9QKT4B (LO82912) - Notes / Domino Support for TLS 1.2 (Transport Layer Security 1.2) with protocols: HTTP, SMTP, LDAP, POP3 & IMAP. " in Server section, why?

Do I need to install Notes_901FP3IF3_W32_Basic after installing FP4?

Jul 16, 2015, 8:23 PM
11 Posts
9.0.1 Fix Pack 4 (client) doesn't add support for TLS 1.2?

I reinstalled Notes 9.0.1 BC, the Fix Packs, and the Interim Fixes in the following order and configured the client following the instructions at http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Configuring_the_Lotus_Notes_Client_with_Gmail, but I still cannot send mail. Please help me, thanks.

Notes_9.0.1_BC_Win_SC.exe
notes901FP1_basic_win.exe
901FP1SHF309_W32_basic.exe
notes901FP2_basic_win.exe
901FP2SHF236_W32_basic.exe
901FP2SHF255_W32_basic.exe
901FP2SHF63_W32_basic.exe
notes901FP3_basic_win.exe
901FP3SHF150_W32_basic.exe
901FP3SHF227_W32_basic.exe
901FP3SHF255_W32_basic.exe
notes901FP4_basic_win.exe

error: "复制器错误,SSL错误对等证书。连接被拒绝。,邮件发送(04:04)"

Translation: "Replication error. SSL bad peer certificate. Connection refused. Mail sent. (04:04)"

log: [1224:0042-108C:wrepl] 2015/07/17 04:04:52   [1224:0042-108C:wrepl] SMTPClient: SSL handshake error: 1C7Bh

 

http://windows.microsoft.com/en-us/windows/outlook/send-receive-from-app

  • Incoming (POP3) Server

    • Server address: pop-mail.outlook.com

    • Port: 995

    • Encrypted Connection: SSL

  • Outgoing (SMTP) Server

    • Server address: smtp-mail.outlook.com

    • Port: 25 (or 587 if 25 is blocked)

    • Authentication: Yes

    • Encrypted Connection: TLS

Jul 17, 2015, 3:58 PM
11 Posts
Re: Please set DEBUG_SSL_HANDSHAKE=2 in your notes.ini and post the output.

[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLInitContext> 0 Available cipherspec: 0x009D
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLInitContext> 1 Available cipherspec: 0x009C
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLInitContext> 2 Available cipherspec: 0x003D
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLInitContext> 3 Available cipherspec: 0x0035
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLInitContext> 4 Available cipherspec: 0x003C
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLInitContext> 5 Available cipherspec: 0x002F
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLInitContext> 6 Available cipherspec: 0x000A
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSL_Handshake> Enter
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSL_Handshake> outgoing ->protocolVersion: 0303
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLAdvanceHandshake Enter> Processed : 0 State: 4 (HandshakeClientIdle)
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLAdvanceHandshake Enter> Processed : SSL_hello_request
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeClientHello
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLEncodeClientHello> We offered SSL/TLS version TLS1.2 (0x0303)
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLAdvanceHandshake Exit> State : 5 (HandshakeServerHello)
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.60 SSLReadRecord> Rejecting connection - record contentType not in range for SSLv3 or TLS
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.60 SSLReadRecord> First 4 bytes of SSL/TLS record: 0x32 0x32 0x30 0x20
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.60 SSL_Handshake> After handshake state= 5 Status= -6974
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.60 SSL_Handshake> Exit Status = -6974
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.60 int_MapSSLError> Mapping SSL error -6974 to 4171 [SSLProtocolVersionErr]
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10   [0784:001A-0FE4:wrepl] SMTPClient: SSL handshake error: 1C7Bh

Thanks. I'm only using the Notes client; I don't have a Domino Server.

Jul 20, 2015, 7:34 PM
94 Posts
That's very strange...
After Notes sends a TLS 1.2 ClientHello message, the SMTP server is responding with something very non-SSL/TLS:

[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLEncodeClientHello> We offered SSL/TLS version TLS1.2 (0x0303)
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLAdvanceHandshake Exit> State : 5 (HandshakeServerHello)
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.60 SSLReadRecord> Rejecting connection - record contentType not in range for SSLv3 or TLS
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.60 SSLReadRecord> First 4 bytes of SSL/TLS record: 0x32 0x32 0x30 0x20
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.60 SSL_Handshake> After handshake state= 5 Status= -6974
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.60 SSL_Handshake> Exit Status = -6974
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.60 int_MapSSLError> Mapping SSL error -6974 to 4171 [SSLProtocolVersionErr]


An SSLv3/TLS record would begin with 0x16 0x03 and then 0x00 (SSLv3), 0x01 (TLS 1.0), 0x02 (TLS 1.1), or 0x03 (TLS 1.2).
An SSLv2 record will generally look like something along the lines of 0x80 0x7a 0x01 0x03 0x01.

Those bytes (0x32 0x32 0x30 0x20) appear to be four ASCII characters -- "220 " -- which are commonly seen in plaintext SMTP traffic.

The Notes/Domino SSL/TLS stack won't be able to handle receiving ASCII text instead of a TLS ServerHello message.
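
The check described in the post above, as an added example that is not part of the original thread and is not Notes/Domino code: it pulls the "First 4 bytes" out of a DEBUG_SSL_HANDSHAKE log line and classifies them as a TLS record, an SSLv2-style record, or a plaintext SMTP reply. The function names `bytes_from_log` and `classify` are hypothetical; the log line is the one posted in this thread.

```python
import re

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
# Minor version byte that follows 0x03, as listed in the post above
TLS_MINOR = {0x00: "SSLv3", 0x01: "TLS 1.0", 0x02: "TLS 1.1", 0x03: "TLS 1.2"}

FIRST_BYTES_RE = re.compile(
    r"First 4 bytes of SSL/TLS record:\s*((?:0x[0-9A-Fa-f]{2}\s*)+)"
)

# Log line taken from the thread
LOG_LINE = ("[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.60 SSLReadRecord> "
            "First 4 bytes of SSL/TLS record: 0x32 0x32 0x30 0x20")


def bytes_from_log(line):
    """Extract the record bytes from a debug log line, or None if absent."""
    m = FIRST_BYTES_RE.search(line)
    if not m:
        return None
    return bytes(int(tok, 16) for tok in m.group(1).split())


def classify(head):
    """Classify the first bytes a peer sent where a ServerHello was expected."""
    if len(head) < 3:
        return "too short"
    if head[0] in TLS_CONTENT_TYPES and head[1] == 0x03 and head[2] in TLS_MINOR:
        return "TLS record (" + TLS_MINOR[head[2]] + ")"
    # SSLv2 header: high bit set on the length, then message type 1 or 4 (hello)
    if head[0] & 0x80 and head[2] in (0x01, 0x04):
        return "SSLv2-style record"
    # Three ASCII digits then space or hyphen: an SMTP reply line
    if len(head) >= 4 and head[:3].isdigit() and head[3:4] in (b" ", b"-"):
        return "plaintext SMTP reply " + head[:3].decode("ascii")
    return "unknown"


if __name__ == "__main__":
    head = bytes_from_log(LOG_LINE)
    print(head, "->", classify(head))
```

A "plaintext SMTP reply 220" result means the peer sent its SMTP greeting unencrypted, which is what servers on ports 25 and 587 do before TLS is negotiated with STARTTLS.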

Jul 25, 2015, 1:34 AM
11 Posts
9.0.1 Fix Pack 4 (client) doesn't add support for TLS 1.2?

Dave Kern, thanks for your reply.

IBM does not support Microsoft? Microsoft does not support IBM? Crazy...

Oct 15, 2015, 2:05 PM
8 Posts
Work-around is to revert to 9.0.1 Fix Pack 3

I have also had this problem with Notes 9.0.1 Fix Pack 4 with sending outbound SMTP directly from the Notes client and getting "Replicator Error SSL bad peer certificate. Connection refused". Today I tried again to install Fix Pack 4 and the latest hot fix (901FP4SHF292_W32_standard.exe), and had the same problem.

The only work-around that I have found is to re-run the Hot Fix and/or Fix Pack 4 installers to revert back to Notes 9.0.1, and then install Notes 9.0.1 Fix Pack 3.

(Unfortunately, Fix Pack 3 has other problems - like problems importing OSGi plugins into an update site.)

