SMTPClient: SSL handshake error: 1C7Bh and Connection terminated with status: 2562

My Domino server is 10.0.1 FP8.

When using STARTTLS to send to one specific email domain:

09:37:07.09 SSLEncodeClientHello> We offered SSL/TLS version TLS1.2 (0x0303)
09:37:07.09 SSLAdvanceHandshake Exit> State HandshakeServerHello (5)
09:37:07.09 S_Write> Enter len = 128
09:37:07.09 SSL_Xmt> 00000000: 16 03 03 00 7B 01 00 00 77 03 03 65 C8 95 43 EA '....{...w..eH.Cj'
09:37:07.09 SSL_Xmt> 00000010: 91 84 25 74 0B 47 09 63 E9 1E E6 E5 AE 06 51 1C '..%t.G.ci.fe..Q.'
09:37:07.09 SSL_Xmt> 00000020: 2F F2 F9 34 BB 80 08 4E C1 DD 8D 00 00 26 C0 30 '/ry4;..NA]...&@0'
09:37:07.09 SSL_Xmt> 00000030: 00 9F C0 2F 00 9E C0 28 00 6B C0 14 00 39 C0 27 '..@/..@(.k@..9@''
09:37:07.09 SSL_Xmt> 00000040: 00 67 C0 13 00 9D 00 9C 00 3D 00 35 00 3C 00 2F '.g@......=.5.<./'
09:37:07.09 SSL_Xmt> 00000050: 00 00 00 FF 01 00 00 28 00 0D 00 12 00 10 04 01 '.......(........'
09:37:07.09 SSL_Xmt> 00000060: 05 01 06 01 02 01 01 01 04 03 05 03 06 03 00 0B '................'
09:37:07.09 SSL_Xmt> 00000070: 00 02 01 00 00 0A 00 08 00 06 00 17 00 18 00 19 '................'
09:37:07.09 S_Write> Switching Endpoint to sync
09:37:07.09 S_Write> Posting a nti_snd for 128 bytes
09:37:07.09 SSL_EncryptData> SSL not init exit
09:37:07.09 S_Write> Switching Endpoint to async
09:37:07.09 SSL_EncryptDataCleanup> SSL not init exit
09:37:07.09 S_Write> nti_done return 128 bytes rc = 0
09:37:07.09 S_Write> Exit, wrote 128 bytes
09:37:07.09 S_Read> Enter len = 5
09:37:07.09 S_Read> Switching Endpoint to sync
09:37:07.09 S_Read> Posting a nti_rcv for 5 bytes
09:37:07.09 SSL_RcvSetup> SSL not init exit
09:37:07 [1F30:0019-06F8] SMTPClient: ReceiveResponse: 220 2.0.0 Ready to start TLS
09:37:07.37 S_Read> Switching Endpoint to async
09:37:07.42 S_Read> nti_done return 5 bytes rc = 0
09:37:07.42 SSL_RCV> 00000000: 15 03 03 00 02 '.....'
09:37:07.42 S_Read> Exit, read 5 bytes
09:37:07.42 S_Read> Enter len = 2
09:37:07.42 S_Read> Switching Endpoint to sync
09:37:07.42 S_Read> Posting a nti_rcv for 2 bytes
09:37:07.42 SSL_RcvSetup> SSL not init exit
09:37:07.42 S_Read> Switching Endpoint to async
09:37:07.42 S_Read> nti_done return 2 bytes rc = 0
09:37:07.42 SSL_RCV> 00000000: 02 28 '.('
09:37:07.42 S_Read> Exit, read 2 bytes
09:37:07.42 DecryptSSLRecord> Entering TLS pad verify block size 0
09:37:07.42 SSLProcessProtocolMessage> Record Content: Alert (21)
09:37:07.42 SSLProcessAlert> Got an alert of 0x28 (handshake_failure) level 0x2 (fatal)
09:37:07.42 SSL_Handshake> After handshake state = HandshakeServerHello (5); Status = -6991
09:37:07.42 SSL_Handshake> Exit Status = -6991
09:37:07.42 int_MapSSLError> Mapping SSL error -6991 to 4161 [SSLSessionNotFoundErr]
09:37:07.42 SSL_EncryptData> SSL not init exit
09:37:07.42 SSL_EncryptDataCleanup> SSL not init exit
09:37:07.42 SSL_RcvSetup> SSL not init exit
09:37:07 [1F30:0019-06F8] SMTPClient: SSL handshake error: 1C7Bh
09:37:07 [1F30:0019-06F8] SMTPClient: Attempting to Disconnect:
09:37:07 [1F30:0019-06F8] SMTPClient: CommandQUIT:
09:37:07 [1F30:0019-06F8] SMTPClient: Connection terminated with status: 2562

Hi,

try to set the following NOTES.INI entry on the server: Set config RouterFallbackNonTLS = 1

Please also follow the required steps here: https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0079251

SSL handshake error: 1C7Bh usually means that the other side tries to connect with an SSL/TLS version that is not supported by your server.

You might do as suggested by Rainer Brandl, but this will bring you a finding at the next network security scan. Allowing unencrypted connections is a security risk; what you need to do depends on the security policy of your company. Maybe you accept that servers with weak encryption cannot connect to your server; these are only a few. No major provider works with less than TLS 1.2.

As a compromise, you might check whether the parameter SSL_DISABLE_TLS_10=1 is in your notes.ini.

Removing this parameter would allow connections with the less secure TLS 1.0 but still prohibit unencrypted connections.

Customers need to use the STARTTLS protocol to transmit emails, and only support TLS 1.2 and 1.3.

The next guess would then be that the two servers don't find a common cipher.

I would suggest you increase the log level with

DEBUG_SSL_ALL=3
SSL_TRACE_KEYFILEREAD=1

in the notes.ini and then search for "cipherspec" in the log. Also check which ciphers are selected in the SSL settings in the Server Document.

These two parameters have been added; on this customer...

Checking keyfile certificates:
09:37:07.09 SSLCheckCertChain> Valid certificate chain received
09:37:07.09 SSL_TRUSTPOLICY> bits for signature hashes: 0010
09:37:07.09 int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
09:37:07.09 SSL_Handshake Enter>> Current Cipher Unknown Cipher (0x0000)
09:37:07.09 SSL_Handshake> outgoing ->protocolVersion: 0303
09:37:07.09 SSLAdvanceHandshake Enter> Processed: SSL_hello_request (0) State: HandshakeClientIdle (4)
09:37:07.09 SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeClientHello
09:37:07.09 SSLEncodeClientHello> Sending supported signature algorithms (0x000d) extension
09:37:07.09 SSLEncodeClientHello> Sending supported point formats (0x000b) extension
09:37:07.09 SSLEncodeClientHello> Sending Supported Groups (0x000a) extension
09:37:07.09 SSLEncodeClientHello> We offered SSL/TLS version TLS1.2 (0x0303)
09:37:07.09 SSLAdvanceHandshake Exit> State HandshakeServerHello (5)
09:37:07.09 S_Write> Enter len = 128
09:37:07.09 SSL_Xmt> 00000000: 16 03 03 00 7B 01 00 00 77 03 03 65 C8 95 43 EA '....{...w..eH.Cj'
09:37:07.09 SSL_Xmt> 00000010: 91 84 25 74 0B 47 09 63 E9 1E E6 E5 AE 06 51 1C '..%t.G.ci.fe..Q.'
09:37:07.09 SSL_Xmt> 00000020: 2F F2 F9 34 BB 80 08 4E C1 DD 8D 00 00 26 C0 30 '/ry4;..NA]...&@0'
09:37:07.09 SSL_Xmt> 00000030: 00 9F C0 2F 00 9E C0 28 00 6B C0 14 00 39 C0 27 '..@/..@(.k@..9@''
09:37:07.09 SSL_Xmt> 00000040: 00 67 C0 13 00 9D 00 9C 00 3D 00 35 00 3C 00 2F '.g@......=.5.<./'
09:37:07.09 SSL_Xmt> 00000050: 00 00 00 FF 01 00 00 28 00 0D 00 12 00 10 04 01 '.......(........'
09:37:07.09 SSL_Xmt> 00000060: 05 01 06 01 02 01 01 01 04 03 05 03 06 03 00 0B '................'
09:37:07.09 SSL_Xmt> 00000070: 00 02 01 00 00 0A 00 08 00 06 00 17 00 18 00 19 '................'
09:37:07.09 S_Write> Switching Endpoint to sync
09:37:07.09 S_Write> Posting a nti_snd for 128 bytes
09:37:07.09 SSL_EncryptData> SSL not init exit
09:37:07.09 S_Write> Switching Endpoint to async
09:37:07.09 SSL_EncryptDataCleanup> SSL not init exit
09:37:07.09 S_Write> nti_done return 128 bytes rc = 0
09:37:07.09 S_Write> Exit, wrote 128 bytes
09:37:07.09 S_Read> Enter len = 5
09:37:07.09 S_Read> Switching Endpoint to sync
09:37:07.09 S_Read> Posting a nti_rcv for 5 bytes
09:37:07.09 SSL_RcvSetup> SSL not init exit
09:37:07 [1F30:0019-06F8] SMTPClient: ReceiveResponse: 220 2.0.0 Ready to start TLS
09:37:07.37 S_Read> Switching Endpoint to async
09:37:07.42 S_Read> nti_done return 5 bytes rc = 0
09:37:07.42 SSL_RCV> 00000000: 15 03 03 00 02 '.....'
09:37:07.42 S_Read> Exit, read 5 bytes
09:37:07.42 S_Read> Enter len = 2
09:37:07.42 S_Read> Switching Endpoint to sync
09:37:07.42 S_Read> Posting a nti_rcv for 2 bytes
09:37:07.42 SSL_RcvSetup> SSL not init exit
09:37:07.42 S_Read> Switching Endpoint to async
09:37:07.42 S_Read> nti_done return 2 bytes rc = 0
09:37:07.42 SSL_RCV> 00000000: 02 28 '.('
09:37:07.42 S_Read> Exit, read 2 bytes
09:37:07.42 DecryptSSLRecord> Entering TLS pad verify block size 0
09:37:07.42 SSLProcessProtocolMessage> Record Content: Alert (21)
09:37:07.42 SSLProcessAlert> Got an alert of 0x28 (handshake_failure) level 0x2 (fatal)
09:37:07.42 SSL_Handshake> After handshake state = HandshakeServerHello (5); Status = -6991
09:37:07.42 SSL_Handshake> Exit Status = -6991
09:37:07.42 int_MapSSLError> Mapping SSL error -6991 to 4161 [SSLSessionNotFoundErr]
09:37:07.42 SSL_EncryptData> SSL not init exit
09:37:07.42 SSL_EncryptDataCleanup> SSL not init exit
09:37:07.42 SSL_RcvSetup> SSL not init exit
09:37:07 [1F30:0019-06F8] SMTPClient: SSL handshake error: 1C7Bh
09:37:07 [1F30:0019-06F8] SMTPClient: Attempting to Disconnect:
09:37:07 [1F30:0019-06F8] SMTPClient: CommandQUIT:
09:37:07 [1F30:0019-06F8] SMTPClient: Connection terminated with status: 2562

===============================================

But sending to another side (for example Google), there is no problem:

Checking keyfile certificates:
09:17:22.28 SSLCheckCertChain> Valid certificate chain received
09:17:22.28 SSL_TRUSTPOLICY> bits for signature hashes: 0010
09:17:22.28 int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
09:17:22.28 SSL_Handshake Enter>> Current Cipher Unknown Cipher (0x0000)
09:17:22.28 SSL_Handshake> outgoing ->protocolVersion: 0303
09:17:22.28 SSLAdvanceHandshake Enter> Processed: SSL_hello_request (0) State: HandshakeClientIdle (4)
09:17:22.28 SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeClientHello
09:17:22.28 SSLEncodeClientHello> Sending supported signature algorithms (0x000d) extension
09:17:22.28 SSLEncodeClientHello> Sending supported point formats (0x000b) extension
09:17:22.28 SSLEncodeClientHello> Sending Supported Groups (0x000a) extension
09:17:22.28 SSLEncodeClientHello> We offered SSL/TLS version TLS1.2 (0x0303)
09:17:22.28 SSLAdvanceHandshake Exit> State HandshakeServerHello (5)
09:17:22.28 S_Write> Enter len = 128
09:17:22.28 SSL_Xmt> 00000000: 16 03 03 00 7B 01 00 00 77 03 03 65 C8 90 A2 52 '....{...w..eH."R'
09:17:22.28 SSL_Xmt> 00000010: 51 46 4C 1C 2D 23 23 A2 75 55 54 1A C3 58 AA E1 'QFL.-##"uUT.CX*a'
09:17:22.28 SSL_Xmt> 00000020: 5E 00 CC E2 38 E6 72 8D D9 C3 0B 00 00 26 C0 30 '^.Lb8fr.YC...&@0'
09:17:22.28 SSL_Xmt> 00000030: 00 9F C0 2F 00 9E C0 28 00 6B C0 14 00 39 C0 27 '..@/..@(.k@..9@''
09:17:22.28 SSL_Xmt> 00000040: 00 67 C0 13 00 9D 00 9C 00 3D 00 35 00 3C 00 2F '.g@......=.5.<./'
09:17:22.28 SSL_Xmt> 00000050: 00 00 00 FF 01 00 00 28 00 0D 00 12 00 10 04 01 '.......(........'
09:17:22.28 SSL_Xmt> 00000060: 05 01 06 01 02 01 01 01 04 03 05 03 06 03 00 0B '................'
09:17:22.28 SSL_Xmt> 00000070: 00 02 01 00 00 0A 00 08 00 06 00 17 00 18 00 19 '................'
09:17:22.28 S_Write> Switching Endpoint to sync
09:17:22.28 S_Write> Posting a nti_snd for 128 bytes
09:17:22.28 SSL_EncryptData> SSL not init exit
09:17:22.28 S_Write> Switching Endpoint to async
09:17:22.28 SSL_EncryptDataCleanup> SSL not init exit
09:17:22.28 S_Write> nti_done return 128 bytes rc = 0
09:17:22.28 S_Write> Exit, wrote 128 bytes
09:17:22.28 S_Read> Enter len = 5
09:17:22.28 S_Read> Switching Endpoint to sync
09:17:22.28 S_Read> Posting a nti_rcv for 5 bytes
09:17:22.28 SSL_RcvSetup> SSL not init exit
09:17:22.29 S_Read> Switching Endpoint to async
09:17:22.29 S_Read> nti_done return 5 bytes rc = 0
09:17:22.29 SSL_RCV> 00000000: 16 03 03 00 57 '....W'
09:17:22.29 S_Read> Exit, read 5 bytes
09:17:22.29 S_Read> Enter len = 87
09:17:22.29 S_Read> Switching Endpoint to sync
09:17:22.29 S_Read> Posting a nti_rcv for 87 bytes
09:17:22.29 SSL_RcvSetup> SSL not init exit
09:17:22.29 S_Read> Switching Endpoint to async
09:17:22.29 S_Read> nti_done return 87 bytes rc = 0
09:17:22.29 SSL_RCV> 00000000: 02 00 00 53 03 03 65 9F 41 A2 2C EA 34 7D 2F 9F '...S..e.A",j4}/.'
09:17:22.29 SSL_RCV> 00000010: 94 4F C1 9D 7C 5E 66 96 3B CA 79 37 AB 3E 44 4F '.OA.|^f.;Jy7+>DO'
09:17:22.29 SSL_RCV> 00000020: 57 4E 47 52 44 01 20 78 23 CF F4 1A A0 87 A0 B5 'WNGRD. x#Ot. . 5'
09:17:22 [1F30:0019-06F8] SMTPClient: ReceiveResponse: 250-8BITMIME
09:17:22.29 SSL_RCV> 00000030: AE 9D 17 35 7D BB CA 39 E2 E1 79 82 D7 B0 53 4B '...5};J9bay.W0SK'
09:17:22.29 SSL_RCV> 00000040: C5 5D F2 AC 8B 53 17 C0 2F 00 00 0B FF 01 00 01 'E]r,.S.@/.......'
09:17:22.29 SSL_RCV> 00000050: 00 00 0B 00 02 01 00 '.......'
09:17:22.29 S_Read> Exit, read 87 bytes
09:17:22.29 DecryptSSLRecord> Entering TLS pad verify block size 0
09:17:22.29 SSLProcessProtocolMessage> Record Content: Handshake (22)
09:17:22.29 SSLProcessHandshakeMessage Enter> Message: ServerHello (2) State: HandshakeServerHello (5) Key Exchange: 0 Cipher: Unknown Cipher (0x0000)
09:17:22.29 SSLProcessServerHello> Server chose SSL/TLS version TLS1.2 (0x0303)
09:17:22.29 SSLProcessServerHello> Server chose cipher spec ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F)
09:17:22.29 SSLProcessServerHello> Extensions found in this message
09:17:22.29 SSLProcessServerHello> Received "empty" TLS Renegotiation Indication extension
09:17:22.29 SSLProcessServerHello> Received EC Point Formats extension length 0x0002
09:17:22.29 SSLProcessHandshakeMessage Exit> Message: ServerHello (2) State: HandshakeServerHello (5) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F)
09:17:22.29 SSLAdvanceHandshake Enter> Processed: ServerHello (2) State: HandshakeServerHello (5)
09:17:22.29 SSLAdvanceHandshake Exit> State HandshakeCertificate (8)
09:17:22.29 SSL_Handshake> After handshake state = HandshakeCertificate (8); Status = -5000
09:17:22.29 SSL_Handshake> Exit Status = -5000
09:17:22.29 int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
09:17:22.29 SSL_Handshake Enter>> Current Cipher ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F)
09:17:22.29 S_Read> Enter len = 5

As you can see, the receiving server negotiates the ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher without a problem.

Please check that the cipher settings in your Server Document also contain

ECDHE_RSA_WITH_AES_256_GCM_SHA384

Maybe the server that gives you trouble doesn't accept 128-bit ciphers.
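The records in the two traces above, decoded with a small parser rather than by hand: the 128-byte ClientHello from the SSL_Xmt dump, the 7-byte reply from the failing peer, and the ServerHello Google returned. This is an added example and not code from any post in this thread; it parses only the fields these traces need (version, cipher suites, extension types, alert level and description), and the suite names are the IANA ones without the TLS_ prefix, as Domino prints them.

```python
# Added example, not from any post in this thread: decode the TLS records that DEBUG_SSL_ALL=3
# dumps as SSL_Xmt / SSL_RCV hex, so offered vs. chosen suites and the peer's alert can be read off.
CIPHERS = {  # IANA names for the suite IDs seen in the dumps above (a subset of the registry)
    0xC030: "ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0x009F: "DHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0x009E: "DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC028: "ECDHE_RSA_WITH_AES_256_CBC_SHA384", 0x006B: "DHE_RSA_WITH_AES_256_CBC_SHA256",
    0xC014: "ECDHE_RSA_WITH_AES_256_CBC_SHA", 0x0039: "DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC027: "ECDHE_RSA_WITH_AES_128_CBC_SHA256", 0x0067: "DHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC013: "ECDHE_RSA_WITH_AES_128_CBC_SHA", 0x009D: "RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "RSA_WITH_AES_128_GCM_SHA256", 0x003D: "RSA_WITH_AES_256_CBC_SHA256",
    0x0035: "RSA_WITH_AES_256_CBC_SHA", 0x003C: "RSA_WITH_AES_128_CBC_SHA256",
    0x002F: "RSA_WITH_AES_128_CBC_SHA", 0x00FF: "EMPTY_RENEGOTIATION_INFO_SCSV",
    0x0000: "NULL_WITH_NULL_NULL",
}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}

def u16(b, pos): return int.from_bytes(b[pos:pos + 2], "big")  # TLS lengths/IDs are big-endian

def decode_record(hexdump):
    """Decode one TLS record (hex text copied from an SSL_Xmt/SSL_RCV dump) into a dict."""
    data = bytes.fromhex(hexdump)
    ctype, body = data[0], data[5:5 + u16(data, 3)]         # 5-byte record header: type, version, length
    if ctype == 21:                                         # Alert: level + description
        return {"type": "alert", "level": "fatal" if body[0] == 2 else "warning",
                "description": ALERTS.get(body[1], str(body[1]))}
    if ctype != 22 or body[0] not in (1, 2):                # only ClientHello/ServerHello handled here
        return {"type": f"content {ctype}"}
    pos = 4 + 2 + 32                                        # handshake header, version, random
    pos += 1 + body[pos]                                    # session_id
    if body[0] == 2:                                        # ServerHello: the one chosen suite
        suite = u16(body, pos)
        return {"type": "server_hello", "version": body[4:6].hex(), "suite": CIPHERS.get(suite, hex(suite))}
    n = u16(body, pos); pos += 2                            # ClientHello: the offered suite list
    suites = [u16(body, i) for i in range(pos, pos + n, 2)]
    pos += n + 1 + body[pos + n]                            # skip suites and compression methods
    pos, end, exts = pos + 2, pos + 2 + u16(body, pos), []  # extensions block
    while pos < end:
        exts.append(u16(body, pos)); pos += 4 + u16(body, pos + 2)
    return {"type": "client_hello", "version": body[4:6].hex(),
            "suites": [CIPHERS.get(s, hex(s)) for s in suites], "extensions": exts}

CLIENT_HELLO = (  # the 128 bytes from the SSL_Xmt dump of the failing handshake above
    "16 03 03 00 7B 01 00 00 77 03 03 65 C8 95 43 EA 91 84 25 74 0B 47 09 63 E9 1E E6 E5 AE 06 51 1C "
    "2F F2 F9 34 BB 80 08 4E C1 DD 8D 00 00 26 C0 30 00 9F C0 2F 00 9E C0 28 00 6B C0 14 00 39 C0 27 "
    "00 67 C0 13 00 9D 00 9C 00 3D 00 35 00 3C 00 2F 00 00 00 FF 01 00 00 28 00 0D 00 12 00 10 04 01 "
    "05 01 06 01 02 01 01 01 04 03 05 03 06 03 00 0B 00 02 01 00 00 0A 00 08 00 06 00 17 00 18 00 19")

if __name__ == "__main__":   # the ClientHello and the 7-byte reply (15 03 03 00 02 / 02 28) from the trace
    print(decode_record(CLIENT_HELLO))
    print(decode_record("15 03 03 00 02 02 28"))
```

On the failing trace this yields version 0303, 19 offered suites led by ECDHE_RSA_WITH_AES_256_GCM_SHA384 (so the suite Rainer asks about is already offered), extensions 0x000D, 0x000B and 0x000A only, and a fatal handshake_failure alert in reply; fed the Google ServerHello it returns ECDHE_RSA_WITH_AES_128_GCM_SHA256, matching the "Server chose cipher spec" line.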

@Taiwan Jimmy Lu, have you checked your SSL certificate? It must have the extended key usages "Server Authentication, Client Authentication"; "Client Authentication" is mandatory for STARTTLS.

Yes, we have obtained a certificate for the client from a trusted CA.

@Taiwan Jimmy Lu, just under your last section (the green arrow), check "Extended Key Usage": you should have "Server Authentication" AND "Client Authentication" (the green rectangle, which I do not have on your screenshot).

Thank you for your response; the field has the value