SSL issues after server move
Question asked by Robbie Wright - 4/8/2015 at 2:08 PM
Answered
Had SM up and running on IIS with full SSL without issue. Moved to new server, including all the certs, and we're getting this error on TLS negotiation:
 
Cannot convert to SSL (reason: SSL connect attempt failed because of handshake problemserror:00000000:lib(0):func(0):reason(0))
 
Nothing terribly useful online about it. 

5 Replies

Bruce Barnes Replied
What version of Windows Server?
 
Did you patch the registry to enable TLS and add encryption types?
 
See my KB: Maximizing SSL Security for Windows Server 2012 to see changes and access registry downloads which can be imported into registry.  
 
I'm still finalizing the edit of the article, but it's all there.
 
Remember to BACKUP your registry and REBOOT your server after the MERGE/IMPORT.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phone: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
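For readers who want to see what the registry changes Bruce refers to look like when scripted, here is an added PowerShell example. It is not from the thread or from the linked KB article and does not reproduce that article's .reg files; it applies the settings the replies discuss for Windows Server 2012 R2 (SSL 2.0 and 3.0 off, TLS 1.0 through 1.2 on, RC4 off), after taking the registry backup Bruce asks for. The backup location is an assumption. Run it from an elevated PowerShell session and reboot afterwards.

```powershell
# Added example, not Bruce Barnes' KB downloads: SCHANNEL hardening on Windows Server 2012 R2.
# Disables SSL 2.0/3.0 (POODLE), enables TLS 1.0/1.1/1.2, disables RC4, backs up first.
#Requires -RunAsAdministrator
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$backup   = "$env:SystemDrive\schannel-backup-$(Get-Date -Format yyyyMMdd-HHmmss).reg"   # assumed path

# 1. Back up the whole SCHANNEL key before touching anything (reg.exe export is importable later).
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $backup /y | Out-Null
Write-Host "Registry backup written to $backup"

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enable)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $schannel "Protocols\$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 + DisabledByDefault=1 turns a protocol off; Enabled=1 + DisabledByDefault=0 turns it on.
        New-ItemProperty -Path $key -Name Enabled           -Value ([int]$Enable)        -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value ([int](-not $Enable)) -PropertyType DWord -Force | Out-Null
    }
}

# 2. Protocols: SSL 2.0 and 3.0 off, TLS 1.0, 1.1 and 1.2 on (for both the server and client side).
'SSL 2.0', 'SSL 3.0'           | ForEach-Object { Set-SchannelProtocol -Name $_ -Enable $false }
'TLS 1.0', 'TLS 1.1', 'TLS 1.2' | ForEach-Object { Set-SchannelProtocol -Name $_ -Enable $true }

# 3. Ciphers: RC4 off. These key names contain '/', which the PowerShell registry provider
#    treats as a path separator, so use the .NET registry API for them.
$ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers')
foreach ($rc4 in 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128') {
    $k = $ciphers.CreateSubKey($rc4)
    $k.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $k.Close()
}
$ciphers.Close()

# 4. Show the resulting server-side protocol table, then reboot so SCHANNEL reloads it.
Get-ChildItem "$schannel\Protocols\*\Server" | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    '{0,-8} Enabled={1} DisabledByDefault={2}' -f $_.PSParentPath.Split('\')[-1], $p.Enabled, $p.DisabledByDefault
}
Write-Warning 'SCHANNEL changes only take effect after a reboot: run Restart-Computer when ready.'
```

Keep the exported .reg file; `reg.exe import` of it restores the previous state if a client that still needs an older protocol stops connecting.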
Robbie Wright Replied
Running 2012 R2 on the old server and the new one we just migrated to. Turns out it was the .cer file in the SmarterMail install. For whatever reason, it was unhappy. We reissued the cert for IIS when we moved but didn't update the .cer files in SM, naively thinking they would just work. The solution is to re-export the SSL from IIS and put it in the directory for SM to use. I went through, verified the cert for all ports and saved them again. Problem solved. We had already disabled SSL 2 and 3 for POODLE, RC4, etc., but the registry keys are awesome. If I'm ever in Chi-town, you're getting a beer from me. Or 4.
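Robbie's fix, re-exporting the certificate IIS now uses and then checking every SmarterMail port, is the kind of thing worth scripting so the mismatch shows up before users do. The following PowerShell is an added example, not something Robbie or SmarterTools posted: it reads the thumbprint bound in IIS, exports that certificate with its private key, then performs a TLS handshake against each implicit-TLS port and reports whether the served certificate matches. The hostname, port list and export path are assumptions; the handshake step also surfaces the real exception text where the original report only got "handshake problems".

```powershell
# Added example (not from the thread): confirm the cert IIS uses is the one SmarterMail serves.
Import-Module WebAdministration   # ships with the IIS role on Windows Server 2012 R2

# 1. Thumbprint of the certificate bound to IIS on 443, i.e. the reissued one.
$binding = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 } | Select-Object -First 1
$iisCert = Get-Item "Cert:\LocalMachine\My\$($binding.Thumbprint)"
'IIS serves {0} (thumbprint {1}, expires {2})' -f $iisCert.Subject, $iisCert.Thumbprint, $iisCert.NotAfter

# 2. Export it with its private key for SmarterMail to load (path and password are assumptions).
$pfxPath = 'C:\SmarterMail\Certificates\mail.pfx'   # assumed location
$pfxPass = Read-Host -AsSecureString 'PFX export password'
New-Item -ItemType Directory -Force -Path (Split-Path $pfxPath) | Out-Null
Export-PfxCertificate -Cert $iisCert -FilePath $pfxPath -Password $pfxPass | Out-Null

# 3. Handshake against a port and read back the certificate the listener actually presents.
function Test-ServedCertificate {
    param([string]$Server, [int]$Port, [string]$ExpectedThumbprint)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        # Accept any certificate here: the goal is to inspect what is served, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $chain, $errors) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Server, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Port = $Port; Protocol = $ssl.SslProtocol; Thumbprint = $served.Thumbprint
            Match = ($served.Thumbprint -eq $ExpectedThumbprint); Error = $null
        }
    } catch {
        # A failure here is the situation the original post describes; the inner exception
        # message says why SCHANNEL rejected the handshake.
        [pscustomobject]@{
            Port = $Port; Protocol = $null; Thumbprint = $null; Match = $false
            Error = $_.Exception.GetBaseException().Message
        }
    } finally { $tcp.Close() }
}

# Implicit-TLS listeners only (HTTPS, SMTPS, IMAPS, POP3S). STARTTLS ports such as 25/587/143/110
# need the protocol's STARTTLS exchange first and are not covered by this plain handshake.
$hostname = 'mail.example.com'   # assumed
443, 465, 993, 995 | ForEach-Object { Test-ServedCertificate -Server $hostname -Port $_ -ExpectedThumbprint $iisCert.Thumbprint } |
    Format-Table Port, Protocol, Thumbprint, Match, Error -AutoSize
```

Any row with `Match` false after the SmarterMail ports have been pointed at the new file means that port is still loading the stale certificate and needs to be re-saved in SmarterMail's protocol settings, exactly the step Robbie describes.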
Bruce Barnes Replied
Marked As Answer
Thanks, Robbie!  Glad to hear you got it all resolved.
 
I'm going to consider this an answered thread, if that's OK with you?
Robbie Wright Replied
for sure
Bassem Rawas Replied
Unfortunately the link to download "LOCAL_MACHINE_POLICIES_MS_CONFIG_SSL_000100022.TXT" is broken. Can you please help get the file?
Thank You