Symantec Messaging Gateway may fail to connect to mail servers utilizing strict TLS version 1 transport encryption.
Last Updated December 18, 2014
When Symantec Messaging Gateway connects to a mail server that requires TLS version 1 and rejects SSL version 2 and SSL version 3 Client Hello messages, the handshake fails and no encrypted connection is established.
Message Audit Logs or the Delivery Queue may show the following error:
451 4.7.5 [internal] tls negotiation failed
The TLS and SSL protocols include backwards-compatibility requirements which state that a TLS client must use the lowest protocol version it may need to support for the Client Hello that initiates the handshake (http://tools.ietf.org/html/rfc5246):
TLS 1.2 clients that wish to support SSL 2.0 servers MUST send
version 2.0 CLIENT-HELLO messages defined in [SSL2]
However, TLS servers are not bound by this constraint and may or may not accept SSLv2 or SSLv3 Client Hello handshakes. If the TLS server does not accept an SSLv2 or SSLv3 Client Hello, the result is a connection failure.
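The two hello formats at issue are easy to tell apart in a packet capture of the SMTP STARTTLS exchange. The following is an added example, not Symantec code: it classifies a captured Client Hello as an SSLv2-format CLIENT-HELLO (the backwards-compatible form a TLS-only server may refuse) or a TLS record-layer ClientHello, and extracts the version and cipher suites it advertises; the sample hellos are constructed, not captured from a gateway.

```python
# Added example (not Symantec code): distinguish an SSLv2-framed CLIENT-HELLO from a
# TLS record-layer ClientHello, so a capture can confirm which form a client sends.

def parse_client_hello(data: bytes) -> dict:
    """Return the hello format, advertised version and cipher suites (hex 2-byte ids)."""
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 CLIENT-HELLO: 2-byte header with the high bit set, then msg type 1.
        # A TLS client using SSLv2 framing still places its highest version here.
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        version = (body[1], body[2])
        cs_len = int.from_bytes(body[3:5], "big")   # followed by session-id and challenge lengths
        specs = body[9:9 + cs_len]
        # SSLv2 cipher specs are 3 bytes each; TLS suites appear as 0x00 + 2-byte id.
        suites = [specs[i + 1:i + 3].hex() for i in range(0, cs_len, 3)]
        return {"format": "sslv2", "version": version, "cipher_suites": suites}
    if len(data) >= 6 and data[0] == 0x16 and data[5] == 0x01:
        # TLS record (content type 22 = handshake) carrying a ClientHello (type 1).
        hs = data[9:]                 # skip 5-byte record header + 4-byte handshake header
        version = (hs[0], hs[1])
        pos = 2 + 32                  # client_version + random
        sid_len = hs[pos]
        pos += 1 + sid_len
        cs_len = int.from_bytes(hs[pos:pos + 2], "big")
        pos += 2
        suites = [hs[i:i + 2].hex() for i in range(pos, pos + cs_len, 2)]
        return {"format": "tls", "version": version, "cipher_suites": suites}
    raise ValueError("not a recognised Client Hello")

def rejected_by_strict_tls_server(data: bytes) -> bool:
    """True when a server that refuses SSLv2/SSLv3-framed hellos would drop this one."""
    return parse_client_hello(data)["format"] == "sslv2"

# Constructed sample hellos (assumed values, not captured from a real gateway).
SSLV2_HELLO = bytes.fromhex(
    "801f"                        # header: high bit set, body length 31
    "01" "0301"                   # CLIENT-HELLO, highest version TLS 1.0
    "0006" "0000" "0010"          # cipher-spec len, session-id len, challenge len
    "00002f" "00000a"             # AES128-SHA and 3DES-SHA in SSLv2 3-byte form
    + "00" * 16)                  # 16-byte challenge
TLS1_HELLO = bytes.fromhex(
    "160301002f"                  # record: handshake, TLS 1.0, length 47
    "0100002b"                    # ClientHello, length 43
    "0301" + "11" * 32            # client_version TLS 1.0, 32-byte random
    + "00" "0004" "002f000a"      # empty session id, two cipher suites
    + "01" "00")                  # one compression method: null

if __name__ == "__main__":
    for name, hello in (("SSLv2-framed", SSLV2_HELLO), ("TLSv1", TLS1_HELLO)):
        print(name, parse_client_hello(hello), "rejected:", rejected_by_strict_tls_server(hello))
```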
This issue has been corrected in version 10.5.3 with the inclusion of an option to disable SSLv3 and earlier protocols. The setting can be found in Protocols > Settings > SMTP:
SSL Restrictions: Disable support for SSLv3 and earlier protocols in all SMTP TLS conversations
More information on this setting can be found in KB TECH225622.
Symantec Messaging Gateway versions prior to 10.5.3 do not initiate a TLSv1 handshake, due to backwards compatibility needs; upgrade to correct this issue.
Imported Document ID: TECH215003