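On a Server 2016 box, we just updated to PCI 3.1, which effectively removed TLS 1.0 from the ciphers. A PowerShell script that sends an email to our Domino 9.0.1 FP7 server after a backup is failing: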
The client and server cannot communicate, because they do not possess a common algorithm
The Domino log shows
[0B40:000A-09DC] 12/18/2016 07:20:21.57 AM SSLInitContext> User is forcing 0xC3C0A cipher spec bitmask for 9 ciphers
[0B40:000A-09DC] Checking keyfile certificates:
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSLCheckCertChain> Invalid certificate chain received
[0B40:000A-09DC] Cert Chain Evaluation Status: err: 3674, A certificate chain could not be constructed
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_TRUSTPOLICY> bits for signature hashes: 0010
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSLDisableExportCiphers> Disabling weak cipher RSA_WITH_DES_CBC_SHA. Set notes.ini "USE_WEAK_SSL_CIPHERS=1" to re-enable.
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSLDisableExportCiphers> Server key (4096 bits) too strong for EXPORT1024 ciphers. Disabling cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_Handshake Enter>> Current Cipher Unknown Cipher (0x0000)
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_Handshake> outgoing ->protocolVersion: 0303
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM S_Read> Enter len = 1
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM S_Read> Switching Endpoint to sync
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM S_Read> Posting a nti_rcv for 1 bytes
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_RcvSetup> SSL not init exit
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM S_Read> Switching Endpoint to async
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM S_Read> nti_done return 0 bytes rc = 9
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM S_Read> nti_done return 0 bytes rc = 9 Event = 0x400
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSLSendAlert> Sending an alert of 0x0 (close_notify) level 0x2 (fatal)
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_Handshake> Changing SSL status from -6989 to -5000 to flush write queue
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_Handshake> After handshake state = SSLErrorClose (2); Status = -5000
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_Handshake> Exit Status = -5000
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_Handshake Enter>> Current Cipher Unknown Cipher (0x0000)
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM S_Write> Enter len = 7
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_Xmt> 00000000: 15 03 03 00 02 02 00
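I'm not sure whether the problem is with the script or with Domino.
Setting UseSSL to false will allow the connection, but if other emails (customers) are being rejected for the same reason and we just haven't been aware of it until now, it needs to be resolved.
The Domino server is running on a 2008 R2 box.
Any pointers would be appreciated.
Thanks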
Server 2008 requires you to enable TLS 1.2 – there is a registry key to add/edit – this is already in place on 2012.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
Create a new folder, TLS 1.2, and add two new keys under it.
Client
Server
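New DWORD (32-bit): DisabledByDefault
Set DisabledByDefault to 0
Create another DWORD, Enabled.
Set Enabled to 1
Repeat for the Server key (by creating the two DWORDs, DisabledByDefault and Enabled, with their values, under the Server key).
Restart the server.
Your server should now support TLS 1.2.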
https://support.quovadisglobal.com/kb/a433/how-to-enable-tls-1_2-on-windows-server-2008-r2.aspx
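
The registry steps from the answer above as an idempotent PowerShell script that also reports the state before and after. This is an added example, not part of the original answer; the function names Get-Tls12Role and Set-Tls12Role are made up for it, while the key path and values are the ones the answer gives. It avoids syntax newer than the PowerShell 2.0 that ships with Server 2008 R2.

```powershell
# Added example; run from an elevated PowerShell prompt on the Windows Server 2008 R2 host.
$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$tls12     = Join-Path $protocols 'TLS 1.2'
$wanted    = @{ DisabledByDefault = 0; Enabled = 1 }   # values from the steps above

# Read the current state of one role subkey (Client or Server) without changing it.
function Get-Tls12Role([string]$Role) {
    $key   = Join-Path $tls12 $Role
    $state = @{ Role = $Role; KeyExists = (Test-Path $key) }
    foreach ($name in $wanted.Keys) {
        $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $state[$name] = if ($prop) { $prop.$name } else { $null }
    }
    New-Object PSObject -Property $state
}

# Create the subkey if it is missing and write both DWORDs; returns $true if anything changed.
function Set-Tls12Role([string]$Role) {
    $key     = Join-Path $tls12 $Role
    $changed = $false
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null      # -Force also creates 'TLS 1.2' itself
        $changed = $true
    }
    foreach ($name in $wanted.Keys) {
        $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if (-not $prop -or $prop.$name -ne $wanted[$name]) {
            New-ItemProperty -Path $key -Name $name -Value $wanted[$name] `
                -PropertyType DWord -Force | Out-Null
            $changed = $true
        }
    }
    $changed
}

$roles   = 'Client', 'Server'
$before  = $roles | ForEach-Object { Get-Tls12Role $_ }
$changed = ($roles | ForEach-Object { Set-Tls12Role $_ }) -contains $true
$after   = $roles | ForEach-Object { Get-Tls12Role $_ }

'Before:'; $before | Format-Table Role, KeyExists, DisabledByDefault, Enabled -AutoSize
'After:';  $after  | Format-Table Role, KeyExists, DisabledByDefault, Enabled -AutoSize

if ($changed) {
    Write-Host 'SCHANNEL settings changed; restart the server for them to take effect.'
} else {
    Write-Host 'TLS 1.2 was already enabled for Client and Server; nothing changed.'
}
```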