9.0.1 Fix Pack 4(cient) don't add support for tls1.2?

hcl-bot · July 16, 2015, 1:11pm

9.0.1 release with fp4 can’t send mail. (server:smtp.live.com) ,

I only find "KLYH9QKT4B (LO82912) - Notes / Domino Support for TLS 1.2 (Transport Layer Security 1.2) with protocols: HTTP, SMTP, LDAP, POP3 & IMAP. " in Server section, why?

DO i need install Notes_901FP3IF3_W32_Basic after install FP4?

hcl-bot · July 24, 2015, 8:34pm

Subject: 9.0.1 Fix Pack 4(cient) don’t add support for tls1.2?

Dave Kern,thanks for your reply.

IBM does not support Microsoft? Microsoft does not support the IBM? Crazy…

hcl-bot · July 17, 2015, 9:02am

Subject: Please set DEBUG_SSL_HANDSHAKE=2 in your notes.ini and post the output.

You may also need to set DEBUG_OUTFILE to capture the output on disk.

DEBUG_OUTFILE:
http://www-01.ibm.com/support/docview.wss?uid=swg21087806 http://www-01.ibm.com/support/docview.wss?uid=swg21087806

hcl-bot · October 15, 2015, 9:05am

Subject: Work-around is to revert to 9.0.1 Fix Pack 3

I have also had this problem with Notes 9.0.1 Fix Pack 4 with sending outbound SMTP directly from the Notes client and getting “Replicator Error SSL bad peer certificate. Connection refused”. Today I tried again to install Fix Pack 4 and the latest hot fix (901FP4SHF292_W32_standard.exe), and had the same problem.

The only work-around that I have found is to re-run the Hot Fix and/or Fix Pack 4 installers to revert back to Notes 9.0.1, and then install Notes 9.0.1 Fix Pack 3.

(Unfortunately, Fix Pack 3 has other problems - like problems importing OSGi plugins into an update site.)

hcl-bot · July 17, 2015, 10:58am

Subject: re:Please set DEBUG_SSL_HANDSHAKE=2 in your notes.ini and post the output.

[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLInitContext> 0 Available cipherspec: 0x009D
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLInitContext> 1 Available cipherspec: 0x009C
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLInitContext> 2 Available cipherspec: 0x003D
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLInitContext> 3 Available cipherspec: 0x0035
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLInitContext> 4 Available cipherspec: 0x003C
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLInitContext> 5 Available cipherspec: 0x002F
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLInitContext> 6 Available cipherspec: 0x000A
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSL_Handshake> Enter
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSL_Handshake> outgoing ->protocolVersion: 0303
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLAdvanceHandshake Enter> Processed : 0 State: 4 (HandshakeClientIdle)
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLAdvanceHandshake Enter> Processed : SSL_hello_request
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeClientHello
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLEncodeClientHello> We offered SSL/TLS version TLS1.2 (0x0303)
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLAdvanceHandshake Exit> State : 5 (HandshakeServerHello)
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.60 SSLReadRecord> Rejecting connection - record contentType not in range for SSLv3 or TLS
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.60 SSLReadRecord> First 4 bytes of SSL/TLS record: 0x32 0x32 0x30 0x20
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.60 SSL_Handshake> After handshake state= 5 Status= -6974
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.60 SSL_Handshake> Exit Status = -6974
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.60 int_MapSSLError> Mapping SSL error -6974 to 4171 [SSLProtocolVersionErr]
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10 [0784:001A-0FE4:wrepl] SMTPClient: SSL handshake error: 1C7Bh

Thanks, I’m only using Notes client,don’t have a Domino Server.

hcl-bot · July 20, 2015, 2:34pm

Subject: That’s very strange…

After Notes sends a TLS 1.2 ClientHello message, the SMTP server is responding with something very non-SSL/TLS:

[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLEncodeClientHello> We offered SSL/TLS version TLS1.2 (0x0303)
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.26 SSLAdvanceHandshake Exit> State : 5 (HandshakeServerHello)
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.60 SSLReadRecord> Rejecting connection - record contentType not in range for SSLv3 or TLS
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.60 SSLReadRecord> First 4 bytes of SSL/TLS record: 0x32 0x32 0x30 0x20
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.60 SSL_Handshake> After handshake state= 5 Status= -6974
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.60 SSL_Handshake> Exit Status = -6974
[0784:001A-0FE4:wrepl] 2015/07/17 23:52:10.60 int_MapSSLError> Mapping SSL error -6974 to 4171 [SSLProtocolVersionErr]

An SSLv3/TLS record would begin with 0x16 0x03 and then 0x00 (SSLv3), 0x01 (TLS 1.0), 0x02 (TLS 1.1), or 0x03 (TLS1.2).
An SSLv2 record will generally look like something along the lines of 0x80 0x7a 0x01 0x03 0x01

Those bytes (0x32 0x32 0x30 0x20) appear to be four ASCII characters – "220 " – which are commonly seen in plaintext SMTP traffic.

The Notes/Domino SSL/TLS stack won’t be able to handle receiving ASCII text instead of a TLS ServerHello message.

hcl-bot · July 16, 2015, 3:23pm

Subject: 9.0.1 Fix Pack 4(cient) don’t add support for tls1.2?

I reinstalled notes 9.0.1 BC 、Fix Pack、Interim Fixes as the following order and configured follow the instructions http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Configuring_the_Lotus_Notes_Client_with_Gmail http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Configuring_the_Lotus_Notes_Client_with_Gmail, But I still can not send mail. Please help me, thanks.

Notes_9.0.1_BC_Win_SC.exe
notes901FP1_basic_win.exe
901FP1SHF309_W32_basic.exe
notes901FP2_basic_win.exe
901FP2SHF236_W32_basic.exe
901FP2SHF255_W32_basic.exe
901FP2SHF63_W32_basic.exe
notes901FP3_basic_win.exe
901FP3SHF150_W32_basic.exe
901FP3SHF227_W32_basic.exe
901FP3SHF255_W32_basic.exe
notes901FP4_basic_win.exe

error: “复制器错误，SSL错误对等证书。连接被拒绝。，邮件发送（04:04）”

Translate: “Replication error. SSL bad peer certificate. Connection refused. Mail sent. (04:04)”

log: [1224:0042-108C:wrepl] 2015/07/17 04:04:52 [1224:0042-108C:wrepl] SMTPClient: SSL handshake error: 1C7Bh

Add your Outlook.com account to another mail app or smart device - Microsoft Support http://windows.microsoft.com/en-us/windows/outlook/send-receive-from-app

Incoming (POP3) Server

Server address: pop-mail.outlook.com

Port: 995

Encrypted Connection: SSL

Outgoing (SMTP) Server

Server address: smtp-mail.outlook.com

Port: 25 (or 587 if 25 is blocked)

Authentication: Yes