TLS Handshake Error

Both server certificate and exchange certificate are valid.  OUTBOUND emails that leave our exchange server and go through the SEA work and negotiate TLS correctly.  Also, INBOUND emails from Exchange Online Protection to the SEA are negotiated and encrypted correctly.  INBOUND emails that come to the SEA and are sent to the Exchange server can’t negotiate TLS.


TLS library problem: 62534:error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol:/build/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:726:


Any ideas/thoughts?

  • seems to indicate it's trying to establish a tls v2 connection.. the appliance would terminate such a request.

    you could try some forensics on exchange and the appliance to see what each will accept..

    for example.

    #1

    openssl s_client -showcerts -starttls smtp -crlf -connect IPADDRESS:25 -tls1

    or

    openssl s_client -showcerts -starttls smtp -crlf -connect IPADDRESS:25 -tls1_2

    #2

    another easy thing to try is under the appliance encryption "use legacy tls"; try enabling that, wait a few mins and see if you still get the errors

    #3

    other things that can happen would be something like PIX mailguard on an ASA or similar proxy device may be intercepting the handshake and not forwarding it properly.

    that should get you started .. if you're still having issues you should open a support case so an engineer can test the downstream connection. normally the appliance will just blindly relay mail downstream anonymously to exchange.

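Added example, not from the thread or from Sophos: a POSIX shell script that runs the openssl s_client STARTTLS probe from the reply above once per protocol flag (extending the two flags shown with -tls1_1 and -tls1_3) and classifies each result from openssl's own output, so you can see which versions Exchange and the appliance each accept. The hostname, the port and the function names probe_tls, classify_probe and probe_all are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Probe an SMTP listener with STARTTLS once per TLS version and report what it accepts.
# Usage: probe_all mail.example.internal 25   (hostname is a placeholder)

# Run a single openssl s_client STARTTLS probe with one protocol flag; emit stdout and stderr together.
probe_tls() {
    host="$1"; port="$2"; flag="$3"
    # QUIT on stdin ends the SMTP session cleanly once the handshake has finished (or failed).
    printf 'QUIT\r\n' | openssl s_client -starttls smtp -crlf -connect "$host:$port" "$flag" 2>&1
}

# Classify one probe's output. Prints one of:
#   accepted <Protocol>       handshake completed; shows the negotiated version
#   rejected                  peer refused that version (unsupported protocol, version alert, ...)
#   local-openssl-lacks-flag  this openssl build does not know the flag (older builds and -tls1_3)
#   unknown                   none of the above (connection refused, timeout, ...)
classify_probe() {
    out="$1"
    case "$out" in
        *"nknown option"*)
            printf 'local-openssl-lacks-flag\n' ;;
        *"unsupported protocol"*|*"wrong version number"*|*"handshake failure"*|*"protocol version"*)
            # Error text is checked before the session summary: a failed run may still print a "Protocol :" line.
            printf 'rejected\n' ;;
        *"Protocol  :"*)
            printf 'accepted %s\n' "$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)" ;;
        *)
            printf 'unknown\n' ;;
    esac
}

# Walk the protocol flags and print one line per version: "<flag>: <classification>".
probe_all() {
    host="$1"; port="${2:-25}"
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%s: %s\n' "$flag" "$(classify_probe "$(probe_tls "$host" "$port" "$flag")")"
    done
}
```

Run it once against the Exchange server from the appliance side and once against the appliance from the Exchange side; the version that one side reports as accepted and the other as rejected is the mismatch to fix.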