Mapping SSL error -5000 to 4176
Technote (FAQ)

Question

An application fails to connect to a Lotus Domino server using SSL. This failure could be for any protocol: HTTP, LDAP, SMTP, etc. The connection might have worked before, or the application could be connecting for the first time. If you work with IBM Support to enable debug, such as Debug_SSL_All=1, the following output is observed:

    12:28:54.63 PM int_MapSSLError> Mapping SSL error 0 to 0
    12:28:54.64 PM SSL_Handshake> Enter
    12:28:54.64 PM SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
    12:28:54.64 PM SSL_Handshake> SSL Undetermined attempt
    12:28:54.64 PM SSL_Handshake> After handshake state= 11 Status= -5000
    12:28:54.64 PM SSL_Handshake> Exit Status = -5000
    12:28:54.64 PM int_MapSSLError> Mapping SSL error -5000 to 4176

Answer

This error can occur when the connecting application finds one of the following is true about the certificate in the Domino key ring file:

- The certificate is signed by a Certificate Authority that the application does not trust
- The host name in the certificate does not match the host name used to connect to Domino
- The certificate has expired

To resolve the problem, consider the following options:

- If the Certificate Authority is not trusted, import the trusted root certificate into the application.
- If the host name does not match the one in the certificate, set the application to connect using the appropriate host name.
- If the certificate has expired, replace it with a new certificate whose expiration date is in the future.

For any of the three cases, it may be possible to set the application to accept the certificate despite the apparent problem.

Document information
More support for: IBM Domino LDAP
Software version: 6.5, 7.0, 8.0, 8.5
Operating system(s): AIX, IBM i, Linux, Solaris, Windows, z/OS
Software edition: All Editions
Reference #: 1198731
Modified date: 10 January 2007
David Workman, Nov 4, 2014 1:14 PM (24 Posts)
Released - Domino server Interim Fixes that implement TLS 1.0 with TLS_FALLBACK_SCSV for HTTP to protect against the POODLE attack.
Category: Security
Platform: All Platforms
Release: 9.0.1, 9.0
Replies: 60

See the following Technote for the latest information:
Title: How is IBM Domino impacted by the POODLE attack?
Doc #: 1687167
URL: http://www.ibm.com/support/docview.wss?uid=swg21687167

Please refer to the WIKI article cited in the Technote for more information:
IBM Domino Interim Fixes to support TLS 1.0 which can be used to prevent the POODLE attack
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/IBM_Domino_TLS_1.0

Jochen Sack, Nov 5, 2014 5:08 AM (94 Posts)
Thanks for the heads-up, and... I'm glad this took less than two weeks (10/23 - 11/3), instead of "several weeks" as originally announced. Good job!

Ronald Hoppe, Nov 5, 2014 10:46 AM (26 Posts)
Problem with TLS1.0 on SMTP
Today I have installed the 901FP2HF353 Hotfix. Not for POODLE, but we need TLS1.0 support for securing SMTP. This is working quite fine; an encrypted connection using TLS1.0 is established. (SSL_Handshake> Protocol Version = TLS1.0 (0x301)) But the disadvantage is that the Domino server doesn't seem to support SSLV3 anymore. Other servers that only support SSLV3 get an error when they try to connect. (4.7.0 TLS handshake failed.) Is it possible to additionally activate SSLV3 support?
Howard D Greenberg, Nov 5, 2014 10:44 AM (78 Posts)
It does support SSL V3
See http://www-10.lotus.com/ldd/dominowiki.nsf/dx/IBM_Domino_TLS_1.0
What it turned off was the SSL renegotiation. You can turn that back on with the notes.ini parameter below. SSL renegotiation can be re-enabled with SSL_ENABLE_INSECURE_RENEGOTIATE=1
Howard

Ronald Hoppe, Nov 5, 2014 12:06 PM (26 Posts)
Thanks for your support but..... it does not work as expected. Still the same error.

Dave Kern, Nov 5, 2014 12:39 PM (81 Posts)
Please set DEBUG_SSL_HANDSHAKE=2 and DEBUG_SSL_CIPHERS=2 in your notes.ini and post the ou...

Ronald Hoppe, Nov 6, 2
Create cross certificate for Domino Java agent?
http://stackoverflow.com/questions/34167733/create-cross-certificate-for-domino-java-agent

I am trying to connect to an https enabled web service using a Domino Java agent. It works fine using http but fails on https. I disabled TLS 1.2 (apparently Fix Pack 4 and 5 have a bug with TLS 1.2 and Java). Now I get the following errors...

    [1034:0007-1164] 12/08/2015 05:44:57.75 PM SSLAdvanceHandshake Exit> State HandshakeCertificate (8)
    [1034:0007-1164] 12/08/2015 05:44:57.75 PM SSLProcessHandshakeMessage Enter> Message: Certificate (11) State: HandshakeCertificate (8) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSLCheckCertChain> Invalid certificate chain received
    [1034:0007-1164] Cert Chain Evaluation Status: err: 3659, Cannot establish trust in a certificate or CRL.
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSLSendAlert> Sending an alert of 0x0 (close_notify) level 0x2 (fatal)
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSLProcessHandshakeMessage Exit> Message: Certificate (11) State: SSLErrorClose (2) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSL_Handshake> Changing SSL status from -6986 to -5000 to flush write queue
    [1034:0007-1164] 12/08/2015 05:44:57.80 PM SSL_Handshake> After handshake state = SSLErrorClose (2); Status = -5000
    [1034:0007-1164] 12/08/2015 05:44:57.
Daniel Nashed's Blog > Security > OSX
OSX 10.11 El Capitan does not only support ECDHE Ciphers
Daniel Nashed, 1 October 2015 10:21:45

After updating to OSX 10.11 I did a quick test. It wasn't clear whether Apple would only support ECDHE, implementing their new ATS standard. The first tests show that the current ciphers are there, and Apple even supports quite simple ciphers like RSA_WITH_RC4_128_SHA / MD5 as a fallback. But you never know if this is going away in one of the next updates. Here is a trace against a Domino 9.0.1 FP4 IF2 server. You can see all supported common ciphers; I highlighted the most important parts of the handshake. Happy updating!
-- Daniel

    SSLProcessProtocolMessage> Record Content: Handshake (22)
    SSLProcessHandshakeMessage Enter> Message: ClientHello (1) State: HandshakeServerIdle (3) Key Exchange: 0 Cipher: Unknown Cipher (0x0000)
    SSLProcessHandshakeMessage client_hello> SGC FLAG: 0 CTX state = 3 SGCCount = 0
    SSLProcessClientHello> clientVersion: 0303
    SSLProcessClientHello> SSL/TLS protocol clientVersion 0x0303, serverVersion 0x0303
    SSLProcessClientHello> 26 ciphers requested by client
    SSLProcessClientHello> Client requested TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00FF)
    SSLProcessClientHello> TLS_EMPTY_RENEGOTIATION_INFO_SCSV found
    SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xC02C)
    SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xC02B)
    SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xC024)
    SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xC023)
    SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xC00A)
    SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xC009)
    SSLProcessClientHello> Client requested ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xC008)
    SSLProcessClientHello> Clien