SSLV3 Connections will Fail when FIPS Mode is Enabled and when SMTP Authentication has "Require TLS encryption" Disabled
Last Updated July 07, 2015
FIPS mode is enabled on a Symantec Messaging Gateway (SMG) host. To verify this, follow these steps:
1. Log in to the CLI command prompt on the SMG scanner host.
2. At the prompt, enter the following command and press Enter:
    fipsmode status
3. If the result is FIPS mode, FIPS is enabled on the scanner host.
The SMG host is configured with "Require TLS encryption" disabled. To verify this, follow these steps:
1. Log in to the SMG Brightmail Control Center (BCC) web UI.
2. Click Administration->Hosts->Configuration.
3. Select the affected scanner host and press the Edit button.
4. Click the SMTP tab.
5. Click the Authentication sub-menu tab.
6. In the Authentication Mail Settings section, an unchecked "Require TLS encryption" check box indicates this condition.
SSLv3 connections to the SMG host fail. To verify this, follow these steps:
1. Use a server where OpenSSL is installed that is not the local scanner host.
2. Connect to the scanner host using the following command:
    openssl s_client -connect <host.scanner.fqdn>:25 -starttls smtp -ssl3
   NOTE: In the command above, replace <host.scanner.fqdn> with the fully qualified domain name of the scanner host, e.g. scanner01.company.com
3. An error message similar to the following indicates this condition:
    Loading 'screen' into random state - done
    CONNECTED(0000078C)
    3400:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:534:
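The check in step 3 can be scripted. The following is an added example, not part of the original article or any Symantec tooling: it classifies saved s_client output and separates a refusal by the scanner from a client whose OpenSSL build cannot send SSLv3 at all. The function name, the sample variables other than the article's own error text, and the client-side error wording are assumptions.

```shell
#!/bin/sh
# Added example: classify saved output of
#   openssl s_client -connect <host.scanner.fqdn>:25 -starttls smtp -ssl3
# Prints one of: refused | accepted | client-no-ssl3 | unknown

classify_sslv3_probe() {
    # $1 = everything s_client printed (stdout and stderr), lower-cased for matching
    out=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case $out in
        # Assumption: an OpenSSL build without SSLv3 rejects the flag itself
        # (wording varies by version), so the scanner was never contacted.
        *"unknown option"*"-ssl3"*) echo client-no-ssl3; return 0 ;;
        # The condition this article describes: the scanner ends the handshake.
        *"handshake failure"*) echo refused; return 0 ;;
    esac
    # A session block naming SSLv3 with a real cipher means SSLv3 was negotiated.
    if printf '%s\n' "$out" | grep -Eq 'protocol[[:space:]]*:[[:space:]]*sslv3' &&
       ! printf '%s\n' "$out" | grep -Eq 'cipher([[:space:]]*:[[:space:]]*0000| is \(none\))'; then
        echo accepted
    else
        echo unknown
    fi
}

# Error text as shown in this article.
SAMPLE_REFUSED='Loading '\''screen'\'' into random state - done
CONNECTED(0000078C)
3400:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:534:'

# Constructed sample: shape of a completed SSLv3 session summary.
SAMPLE_ACCEPTED='CONNECTED(00000003)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA'

# Constructed sample: client-side option error.
SAMPLE_NO_SSL3='s_client: Unknown option: -ssl3'

for s in "$SAMPLE_REFUSED" "$SAMPLE_ACCEPTED" "$SAMPLE_NO_SSL3"; do
    classify_sslv3_probe "$s"
done
```

A result of client-no-ssl3 means the test must be repeated from a host whose OpenSSL build still includes SSLv3; it says nothing about the scanner.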
This is expected behavior. Symantec Messaging Gateway does not support SSLv3 connections when FIPS mode is enabled.
When FIPS mode is turned on, even if the Require TLS encryption option is disabled, connections using SSLv3.0 and earlier are not supported. This is as per FIPS 140-2 level 1 requirements. Please see the Symantec Messaging Gateway FIPS 140-2 level 1 Deployment Guide for more information.
Imported Document ID: TECH186251