SSL issues after server move

Question asked by Robbie Wright - 4/8/2015 at 2:08 PM

Answered

Had SM up and running on IIS with full SSL without issue. Moved to new server, including all the certs, and we're getting this error on TLS negotiation:

Cannot convert to SSL (reason: SSL connect attempt failed because of handshake problemserror:00000000:lib(0):func(0):reason(0))

Nothing terribly useful online about it.

5 Replies

Reply to Thread

Bruce Barnes Replied

4/8/2015 at 2:52 PM

What version of Windows Server?

Did you patch registry to enable TLS and add encryption types?

See my KB: Maximizing SSL Security for Windows Server 2012 to see changes and access registry downloads which can be imported into registry.

I'm still finalizing the edit of the article, but it's all there.

Remember to BACKUP your registry and REBOOT your server after the MERGE/IMPORT.

Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting

Robbie Wright Replied

4/8/2015 at 3:55 PM

Running 2012 R2 on the old server and the new one we just migrated too. Turns out it was the .cer file in the SmarterMail install. For whatever reason, it was unhappy. We reissued the cert for IIS when we moved but didn't update the .cer files in SM, naively thinking they would just work. The solution is to re-export the SSL from IIS and put it in the director for SM to use. I went through, verified the cert for all ports and saved them again. Problem solved. We had already disabled SSL 2 and 3 for POODLE, RC4, etc, but the registry keys are awesome. If I'm ever in Chi-town, you're getting a beer from me. Or 4.