在 Server 2016 机器上,我们刚刚将其更新到 PCI 3.1,实际上从密码中删除了 TLS 1.0。在备份到我们的 Domino 9.0.1 FP7 服务器后发送电子邮件的 PowerShell 脚本现在失败,并显示
The client and server cannot communicate, because they do not possess a common algorithm
Domino 日志显示
[0B40:000A-09DC] 12/18/2016 07:20:21.57 AM SSLInitContext> User is forcing 0xC3C0A cipher spec bitmask for 9 ciphers
[0B40:000A-09DC] Checking keyfile certificates:
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSLCheckCertChain> Invalid certificate chain received
[0B40:000A-09DC] Cert Chain Evaluation Status: err: 3674, A certificate chain could not be constructed
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_TRUSTPOLICY> bits for signature hashes: 0010
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSLDisableExportCiphers> Disabling weak cipher RSA_WITH_DES_CBC_SHA. Set notes.ini "USE_WEAK_SSL_CIPHERS=1" to re-enable.
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSLDisableExportCiphers> Server key (4096 bits) too strong for EXPORT1024 ciphers. Disabling cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_Handshake Enter>> Current Cipher Unknown Cipher (0x0000)
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_Handshake> outgoing ->protocolVersion: 0303
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM S_Read> Enter len = 1
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM S_Read> Switching Endpoint to sync
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM S_Read> Posting a nti_rcv for 1 bytes
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_RcvSetup> SSL not init exit
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM S_Read> Switching Endpoint to async
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM S_Read> nti_done return 0 bytes rc = 9
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM S_Read> nti_done return 0 bytes rc = 9 Event = 0x400
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSLSendAlert> Sending an alert of 0x0 (close_notify) level 0x2 (fatal)
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_Handshake> Changing SSL status from -6989 to -5000 to flush write queue
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_Handshake> After handshake state = SSLErrorClose (2); Status = -5000
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_Handshake> Exit Status = -5000
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_Handshake Enter>> Current Cipher Unknown Cipher (0x0000)
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM S_Write> Enter len = 7
[0B40:000A-09DC] 12/18/2016 07:20:21.59 AM SSL_Xmt> 00000000: 15 03 03 00 02 02 00
我不确定该问题是否与脚本有关,或者与 Domino 的缺陷有关。
将 UseSSL 设置为 false 将允许连接,但如果其他电子邮件(客户)由于同样的原因被拒绝,而我们直到现在才意识到这一点,则需要解决这个问题。
Domino 服务器在 2008 R2 机器上运行
任何指示都将不胜感激
谢谢
答案1
2008 Server 要求您启用 TLS 1.2 - 您可以添加/编辑注册表项 - 2012 上已经存在该项
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
创建新文件夹,
TLS 1.2在其下方添加两个新键。Client
Server新的 DWORD(32 位)
DisabledByDefaultDisabledByDefault 设置为
0创建另一个 DWORD
Enabled。已启用设置为
1
对 Server 项重复上述操作(通过在 Server 项下创建两个 DWORDDisabledByDefault和,以及它们的值)。Enabled
重新启动服务器。
您的服务器现在应该支持 TLS 1.2。
https://support.quovadisglobal.com/kb/a433/how-to-enable-tls-1_2-on-windows-server-2008-r2.aspx