Symantec Messaging Gateway may fail to connect to mail servers utilizing strict TLS version 1 transport encryption.

Article ID: 158962

Products

Messaging Gateway

Issue/Introduction

When Symantec Messaging Gateway connects to a mail server that accepts only TLS version 1 handshakes and rejects Client Hello messages sent in the SSL version 2 or SSL version 3 format, the handshake fails and no encrypted connection is established.

Message Audit Logs or the Delivery Queue may show the following error:

451 4.7.5 [internal] tls negotiation failed

Cause

The TLS specifications contain a backwards-compatibility rule for clients that still want to interoperate with SSL 2.0 servers: such a client must send its initial Client Hello in the SSL 2.0 CLIENT-HELLO format (carrying the highest protocol version it supports) rather than as a TLS record (http://tools.ietf.org/html/rfc5246, appendix E):

TLS 1.2 clients that wish to support SSL 2.0 servers MUST send
   version 2.0 CLIENT-HELLO messages defined in [SSL2]

TLS servers, however, are under no obligation to accept an SSLv2-format Client Hello, or one advertising SSLv3, and a server configured for strict TLS rejects them. Because the rejected message is the very first one the client sends, the connection fails before any TLS record is exchanged, which is what the "tls negotiation failed" entry above records. (RFC 6176 has since prohibited TLS clients from sending SSL 2.0-format Client Hellos at all, so strict servers are the norm rather than the exception.)

Resolution

This issue has been corrected in version 10.5.3 with the inclusion of an option to disable SSLv3 and earlier protocols. With the option enabled the gateway opens every SMTP TLS session with a TLS-format Client Hello. The setting can be found in Protocols > Settings > SMTP :

  • SSL Restrictions: Disable support for SSLv3 and earlier protocols in all SMTP TLS conversations

Note that the setting applies to all SMTP TLS conversations: once it is enabled, the gateway will no longer negotiate encryption with peers that only support SSLv3 or earlier, so check the Message Audit Logs for such peers after making the change.

More information on this setting can be found in KB TECH225622.

 

Symantec Messaging Gateway versions prior to 10.5.3 do not initiate a TLSv1-only handshake because of these backwards-compatibility requirements; upgrade to 10.5.3 or later and enable the setting above to correct this issue.