TLS handshake fails with downstream MTA after upgrading to 16.0 RU1 and OpenJRE jdk8u352-b08-jre.

Article ID: 278525


Products

Data Loss Prevention

Issue/Introduction

After upgrading DLP from version 16.0 to 16.0.1 RU1, with OpenJRE upgraded to jdk8u352-b08-jre, the Network Prevent for Email servers fail the TLS handshake with the downstream MTA and outbound messages queue up on the Exchange server.

In the SMTP operation log we see messages like these: 

18/Jan/24:10:10:22:595+0100 [SEVERE] (SMTP_CONNECTION.5208) TLS handshake failed (tid=26 cid=Downstream-83b75939-d94e-4879-af13-992800439a9c local=x.x.xx:x195 remote=192.168.21.6:25 reason=Input record too big: max = 16709 len = 47940)
18/Jan/24:10:10:22:595+0100 [INFO] (SMTP_CONNECTION.5203) Forward connection error (tid=26 cid=Downstream-83b75939-d94e-4879-af13-992800439a9c mta=y.y.y.y:25 reason=Input record too big: max = 16709 len = 47940)
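As an added log-triage example (not part of this article), the following Python parses the SMTP operation log format shown above, correlates the 5208 (TLS handshake failed) and 5203 (forward connection error) events on the same cid, and flags the "Input record too big" reason so the affected downstream MTAs can be listed. The first two sample lines are the article's; the third line and its event code 5201 are constructed for contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the two lines from the article plus one benign line (hypothetical code 5201).
SAMPLE_LOG = """\
18/Jan/24:10:10:22:595+0100 [SEVERE] (SMTP_CONNECTION.5208) TLS handshake failed (tid=26 cid=Downstream-83b75939-d94e-4879-af13-992800439a9c local=x.x.xx:x195 remote=192.168.21.6:25 reason=Input record too big: max = 16709 len = 47940)
18/Jan/24:10:10:22:595+0100 [INFO] (SMTP_CONNECTION.5203) Forward connection error (tid=26 cid=Downstream-83b75939-d94e-4879-af13-992800439a9c mta=y.y.y.y:25 reason=Input record too big: max = 16709 len = 47940)
18/Jan/24:10:11:03:012+0100 [INFO] (SMTP_CONNECTION.5201) Forward connection established (tid=27 cid=Downstream-0000 mta=y.y.y.y:25)
"""

# timestamp [LEVEL] (EVENT.CODE) message (key=value ...)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<level>[A-Z]+)\] \((?P<event>[A-Z_]+\.\d+)\) "
    r"(?P<msg>[^(]+?) \((?P<fields>.*)\)$"
)
# key=value pairs; 'reason' runs to the end because its value contains spaces and ' = '.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
REASON_RE = re.compile(r"Input record too big: max = (\d+) len = (\d+)")

@dataclass
class HandshakeFailure:
    cid: str
    remote: str
    mta: Optional[str]
    max_record: int   # record size limit the JSSE stack would accept
    record_len: int   # size of the record the downstream MTA actually sent

def parse_line(line: str) -> Optional[dict]:
    """Split one log line into timestamp, level, event code, message and a field dict."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(FIELD_RE.findall(rec["fields"]))
    return rec

def find_oversized_record_failures(log_text: str) -> List[HandshakeFailure]:
    """Keep 5208 events carrying the 'Input record too big' reason, then attach the
    mta from the 5203 event that shares the same cid."""
    failures: Dict[str, HandshakeFailure] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        f = rec["fields"]
        if rec["event"] == "SMTP_CONNECTION.5208":
            r = REASON_RE.search(f.get("reason", ""))
            if r:
                failures[f["cid"]] = HandshakeFailure(
                    f["cid"], f.get("remote", "?"), None, int(r.group(1)), int(r.group(2)))
        elif rec["event"] == "SMTP_CONNECTION.5203" and f.get("cid") in failures:
            failures[f["cid"]].mta = f.get("mta")
    return list(failures.values())
```

Run it against the real SMTP operation log to get one entry per failing connection, with the remote address, the forwarding MTA and the record sizes from the reason field.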

Environment

DLP version 16.0.x

OpenJRE version jdk8u352-b08-jre

Cause

OpenJRE jdk8u352-b08-jre enables TLS 1.3 by default.

Resolution

Disable TLS 1.3 as described in this advisory:

Advisory: Connectivity issues experienced with OpenJRE 1.8.0_352 and later


and in this KB article:

Article ID: 206991 - Force TLS 1.2 and disable TLS 1.0, 1.1, 1.3 for detection/prevent servers