TLS 1.2 ERROR
Question asked by digital.iway - 9/1/2015 at 11:08 AM
Unanswered
I am running SM 14.2.5711. I have a certificate using SHA2 and use IIS Crypto to enable best practices on my server. Currently I have an "A" rating, but recently I started to get the below error in the system log, and I need some help to see if anyone has encountered this before.
 
 
An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
 
 
This seems to be causing CPU spikes and causing the SM app pool to fail, making the entire server unresponsive.

17 Replies

0
Bruce Barnes Replied
I just checked a couple of the servers we're responsible for which are running the same version of SmarterMail, searching for the same error, and could not replicate the issue you presented.
 
Can you check the FQDN of your SmarterMail server at: https://www.ssllabs.com/ssltest/index.html to make certain you are:
 
  •  running all of the required CIPHERS;
  •  NOT running any of the ciphers which should not be enabled?
 
Basically, all SSL 1.0, 2.0, and 3.0 should be DISABLED - completely - which, based on the nature of your question, I am assuming you have already done.
 
TLS 1.0, 1.1, and 1.2 should be enabled.

These can be saved as .REG files and directly imported into your registry, if necessary.

Remember to
  • MAKE A BACKUP of your registry BEFORE any import, and;
  • REBOOT your server after making the .REG changes.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SaslProfiles]
"GSSAPI"="Kerberos"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RSA 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA384]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA512]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UTF8SASL"=dword:00000001
"Debuglevel"=dword:00000000
"UTF8HTTP"=dword:00000001
"Negotiate"=dword:00000001
"DigestEncryptionAlgorithms"="3des,rc4"
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
 
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phone: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
1
digital.iway Replied
Thank you for the reply.

I am running windows 2008 R2 and have an "A" rating from SSL LABS.

I ran IIS CRYPTO and used their "Best Practices" template which disables SSL 1,2,3.

Do you still recommend IIS crypto?

If I run IIS crypto do I need to implement you reg info above?

Should I use their PCI template, NOT the "Best Practices" one? It seems like the PCI template has more cipher suites selected for TLS.
1
Michael Replied
It'd be great to get some official guidance on security / best practices in a SmarterTools KB article rather than so many threads in the community. Obviously TLS and encryption are big concerns.
0
Bruce Barnes Replied
I found that IIS Crypto doesn't enable all of the ciphers, so I don't use it. Remember, you'll need the latest ciphers, as well as TLS. If you post your SmarterMail FQDN, it will be a lot easier to help you.
0
digital.iway Replied
FQDN: mail.digitaliway.net
Let me know the best way to proceed, as I really appreciate the help on this.
 
0
Bruce Barnes Replied
As counter-intuitive as this may sound, it appears that you have two encryption keys enabled which should not be enabled:
 
  • TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) and
  • TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
I realize that IIS Crypto may have recommended these, and that is why they were enabled, but they are preventing you from receiving the best possible grade on your encryption, to wit:

Here is the encryption score for SECUREMAIL.CHICAGONETTECH.COM:
 
and here is your score for MAIL.DIGITALIWAY.NET:
 
Note the lower KEY EXCHANGE score on our test results.
 
During our initial assessment of the required updates to KEYs and CIPHERS, when we were converting from Server 2003 to Server 2008 and Server 2012, we pulled our hair out over research, tools, and testing, and settled on the two .REG files listed in my prior post as the best possible solution to the updates to the server registries.
 
We vetted Microsoft TechNet, more than 30 security protocol/cipher blogs, and looked at lots of different testing resources and results.

The files can be used with Server 2003, Server 2008, and Server 2012, and in Server 2008 and Server 2012 they enable additional PROTOCOLS, CIPHERS and SECURITY KEYS.

So, I would recommend that you make a backup copy of your existing registry and then copy and paste the two file sets shown in my previous post, saving them into two .REG files, calling them:
 
"LOCAL_CURRENTCONTROLSET_CONTROL_SECURITYPROVIDERS.reg"
 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SaslProfiles]
"GSSAPI"="Kerberos"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RSA 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA384]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA512]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UTF8SASL"=dword:00000001
"Debuglevel"=dword:00000000
"UTF8HTTP"=dword:00000001
"Negotiate"=dword:00000001
"DigestEncryptionAlgorithms"="3des,rc4"
 
and
 
"LOCAL_MACHINE_POLICIES_MS_CONFIG_SSL.reg"
 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
 
Once you have created and saved these files to the SmarterMail SERVER, then RIGHT CLICK on them, one at a time, and MERGE them with your local registry.  REMEMBER TO BACK UP YOUR REGISTRY FIRST!
 
Do this with BOTH files.
 
Accept any prompts and ignore any errors.
 
Then REBOOT and see if the TLS 1.2 errors are gone.
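As an added example (not code from this thread, from SmarterTools, or from IIS Crypto), the Python script below parses a constructed excerpt of the two .REG files posted above, reports which protocols the server side will accept, flags entries in the Functions cipher-suite order that can never be negotiated because their bulk cipher is disabled under Ciphers, and models the decision behind the "none of the cipher suites supported by the client application are supported by the server" error from the question. It assumes the simplified rule that a protocol is on when Enabled is non-zero and DisabledByDefault is zero, and the excerpt appends one RC4 suite to the Functions list (absent from the posted file) so the dead-suite check has something to find.

```python
"""Audit the Schannel .REG settings posted in this thread (added example):
parse the Windows 5.00 .REG format, report server-side protocols, check the
cipher-suite order against the Ciphers keys, and model the rejected-client case."""
import re
from typing import Dict, Iterable, List, Optional

# Constructed excerpt of the two posted .REG files (same key paths and values),
# plus one RC4 suite appended to Functions that the posted list does not contain.
REG_TEXT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA"
"""

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')
# Schannel Ciphers key that each suite's bulk cipher depends on.
CIPHER_KEYS = {"_RC4_": "RC4 128/128", "_3DES_": "Triple DES 168/168",
               "_AES_128_": "AES 128/128", "_AES_256_": "AES 256/256"}


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key_path: {value_name: value}}; dword values become ints."""
    reg: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            reg.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name, dword, string = val.groups()
            reg[current][name] = int(dword, 16) if dword is not None else string
    return reg


def server_protocols(reg: Dict[str, Dict[str, object]]) -> Dict[str, bool]:
    """Protocol -> True when its Server key is on (assumed simplified rule:
    Enabled != 0 and DisabledByDefault == 0); keys absent from the file are
    not reported, since Windows then applies its built-in defaults."""
    prefix, suffix = SCHANNEL + "\\Protocols\\", "\\Server"
    out: Dict[str, bool] = {}
    for path, vals in reg.items():
        if path.startswith(prefix) and path.endswith(suffix):
            name = path[len(prefix):-len(suffix)]
            out[name] = vals.get("Enabled", 1) != 0 and vals.get("DisabledByDefault", 0) == 0
    return out


def cipher_suite_order(reg: Dict[str, Dict[str, object]]) -> List[str]:
    """Server-preferred suite order from the Functions policy value."""
    return str(reg[POLICY]["Functions"]).split(",")


def audit(reg: Dict[str, Dict[str, object]]) -> List[str]:
    """Defender findings: dead suites (bulk cipher disabled), 3DES, non-PFS RSA, MD5 on."""
    findings: List[str] = []
    for suite in cipher_suite_order(reg):
        for marker, key in CIPHER_KEYS.items():
            if marker in suite and reg.get(f"{SCHANNEL}\\Ciphers\\{key}", {}).get("Enabled", 1) == 0:
                findings.append(f"{suite}: dead entry, Ciphers\\{key} is disabled")
        if "_3DES_" in suite:
            findings.append(f"{suite}: 3DES (64-bit block cipher) still offered")
        if suite.startswith("TLS_RSA_"):
            findings.append(f"{suite}: static RSA key exchange, no forward secrecy")
    if reg.get(SCHANNEL + "\\Hashes\\MD5", {}).get("Enabled", 0) != 0:
        findings.append("Hashes\\MD5 is enabled")
    return findings


def negotiated_suite(server_order: Iterable[str], client_offer: Iterable[str]) -> Optional[str]:
    """First server-preferred suite the client also offers, or None, which is
    the case behind the Schannel error quoted in the question. Schannel names
    carry a curve suffix (_P256 ...) that IANA-style client names lack, so the
    comparison strips it."""
    offered = set(client_offer)
    for suite in server_order:
        if re.sub(r"_P(256|384|521)$", "", suite) in offered:
            return suite
    return None
```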
0
digital.iway Replied
Ok, I backed up the registry by exporting each branch to a file.
 
Created and merged the below (ignored the error prompt by hitting OK):
LOCAL_CURRENTCONTROLSET_CONTROL_SECURITYPROVIDERS.reg
 
Created and merged the below (no error prompt):
LOCAL_MACHINE_POLICIES_MS_CONFIG_SSL.reg
 
Rebooted server.
 
Re-tested with SSL Labs and the test shows no change.
 
I cleared logs and will look for any TLS errors and report back.
 
0
Bruce Barnes Replied
I'm beginning to feel your frustration, digital.iway! 
 
I realize how frustrating these kinds of errors can be, so let's take a look at some other things and see if we can't make this work for you.

I checked your SSL certificate, and the three additional supporting certificates, and they are all valid and good.
 
I ran a test on your domain at:  https://www.checktls.com/perl/TestReceiver.pl using the option of SSL DETAIL.
 
The single not deliverable error is not a problem.

In comparing the results below to the same test against my e-mail address, the results are virtually identical.

Here are the results:
TestReceiver

CheckTLS Confidence Factor for "test@digitaliway.net": 100

MX Server                               Pref  Connect    Allowed    Can Use    TLS Adv    Cert OK     TLS Neg    Sndr OK     Rcvr OK
mail.digitaliway.net [208.75.248.202]   21    OK (38ms)  OK (37ms)  OK (38ms)  OK (38ms)  OK (204ms)  OK (39ms)  OK (353ms)  FAIL
Average                                       100%       100%       100%       100%       100%        100%       100%        0%


Checking test@digitaliway.net

looking up MX hosts on domain "digitaliway.net"

  1. mail.digitaliway.net (preference:21)

 

Trying TLS on mail.digitaliway.net[208.75.248.202] (21):

seconds   test stage and result
[000.038]   Connected to server
[000.075] <-- 220 mail.digitaliway.net
[000.075]   We are allowed to connect
[000.075] --> EHLO checktls.com
[000.113] <-- 250-mail.digitaliway.net Hello [69.61.187.232]
250-SIZE 31457280
250-AUTH LOGIN CRAM-MD5
250-STARTTLS
250-8BITMIME
250 OK
[000.113]   We can use this server
[000.113]   TLS is an option on this server
[000.113] --> STARTTLS
[000.150] <-- 220 Start TLS negotiation
[000.151]   STARTTLS command works on this server
[000.291] ssl : new ctx 140579470891568
: start handshake
: ssl handshake not started
: set socket to non-blocking to enforce timeout=30
: Net::SSLeay::connect -> -1
: ssl handshake in progress
: waiting for fd to become ready: SSL wants a read first
: socket ready, retrying connect
: Net::SSLeay::connect -> -1
: ssl handshake in progress
: waiting for fd to become ready: SSL wants a read first
: socket ready, retrying connect
: Net::SSLeay::connect -> -1
: ssl handshake in progress
: waiting for fd to become ready: SSL wants a read first
: socket ready, retrying connect
: ok=1 cert=140579471860544
: ok=1 cert=140579472277344
: ok=1 cert=140579472270928
: ok=1 cert=140579472250640
: Net::SSLeay::connect -> -1
: ssl handshake in progress
: waiting for fd to become ready: SSL wants a read first
: socket ready, retrying connect
: Net::SSLeay::connect -> 1
: ssl handshake done
[000.293]   Cipher in use: ECDHE-RSA-AES256-SHA384
[000.293]   Connection converted to SSL
[000.309]  
Certificate 1 of 4 in chain:
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number: 6265990149508424421 (0x56f544d7a38be2e5)
  Signature Algorithm: sha256WithRSAEncryption
    Issuer:
      countryName         = US
      stateOrProvinceName     = Arizona
      localityName        = Scottsdale
      organizationName      = Starfield Technologies, Inc.
      organizationalUnitName  = http://certs.starfieldtech.com/repository/
      commonName        = Starfield Secure Certificate Authority - G2
    Validity
      Not Before: Jul 10 17:20:38 2015 GMT
      Not After : Dec 31 18:07:48 2015 GMT
    Subject:
      organizationalUnitName  = Domain Control Validated
      commonName        = mail.digitaliway.net
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (2048 bit)
        Modulus:
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 Extended Key Usage: 
        TLS Web Server Authentication, TLS Web Client Authentication
      X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
      X509v3 CRL Distribution Points: 
        Full Name:
          URI:http://crl.starfieldtech.com/sfig2s1-13.crl
      X509v3 Certificate Policies: 
        Policy: 2.16.840.1.114414.1.7.23.1
          CPS: http://certificates.starfieldtech.com/repository/
      Authority Information Access: 
        OCSP - URI:http://ocsp.starfieldtech.com/
        CA Issuers - URI:http://certificates.starfieldtech.com/repository/sfig2.crt
      X509v3 Authority Key Identifier: 
        keyid:25:45:81:68:50:26:38:3D:3B:2D:2C:BE:CD:6A:D9:B6:3D:B3:66:63
      X509v3 Subject Alternative Name: 
        DNS:mail.digitaliway.net, DNS:www.mail.digitaliway.net, DNS:autodiscover.digitaliway.net, DNS:pop.digitaliway.net, DNS:imap.digitaliway.net, DNS:mail.digitaliway.net, DNS:smtp.digitaliway.net
      X509v3 Subject Key Identifier: 
        2B:D5:FB:90:C0:EE:91:CA:FE:1F:78:C6:24:F4:6B:88:6E:60:3C:24
  Signature Algorithm: sha256WithRSAEncryption
[000.324]  
Certificate 2 of 4 in chain:
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number: 7 (0x7)
  Signature Algorithm: sha256WithRSAEncryption
    Issuer:
      countryName         = US
      stateOrProvinceName     = Arizona
      localityName        = Scottsdale
      organizationName      = Starfield Technologies, Inc.
      commonName        = Starfield Root Certificate Authority - G2
    Validity
      Not Before: May  3 07:00:00 2011 GMT
      Not After : May  3 07:00:00 2031 GMT
    Subject:
      countryName         = US
      stateOrProvinceName     = Arizona
      localityName        = Scottsdale
      organizationName      = Starfield Technologies, Inc.
      organizationalUnitName  = http://certs.starfieldtech.com/repository/
      commonName        = Starfield Secure Certificate Authority - G2
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (2048 bit)
        Modulus:
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Basic Constraints: critical
        CA:TRUE
      X509v3 Key Usage: critical
        Certificate Sign, CRL Sign
      X509v3 Subject Key Identifier: 
        25:45:81:68:50:26:38:3D:3B:2D:2C:BE:CD:6A:D9:B6:3D:B3:66:63
      X509v3 Authority Key Identifier: 
        keyid:7C:0C:32:1F:A7:D9:30:7F:C4:7D:68:A3:62:A8:A1:CE:AB:07:5B:27
      Authority Information Access: 
        OCSP - URI:http://ocsp.starfieldtech.com/
      X509v3 CRL Distribution Points: 
        Full Name:
          URI:http://crl.starfieldtech.com/sfroot-g2.crl
      X509v3 Certificate Policies: 
        Policy: X509v3 Any Policy
          CPS: https://certs.starfieldtech.com/repository/
  Signature Algorithm: sha256WithRSAEncryption
[000.338]  
Certificate 3 of 4 in chain:
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number: 3740804 (0x391484)
  Signature Algorithm: sha256WithRSAEncryption
    Issuer:
      countryName         = US
      organizationName      = Starfield Technologies, Inc.
      organizationalUnitName  = Starfield Class 2 Certification Authority
    Validity
      Not Before: Jan  1 07:00:00 2014 GMT
      Not After : May 30 07:00:00 2031 GMT
    Subject:
      countryName         = US
      stateOrProvinceName     = Arizona
      localityName        = Scottsdale
      organizationName      = Starfield Technologies, Inc.
      commonName        = Starfield Root Certificate Authority - G2
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (2048 bit)
        Modulus:
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Basic Constraints: critical
        CA:TRUE
      X509v3 Key Usage: critical
        Certificate Sign, CRL Sign
      X509v3 Subject Key Identifier: 
        7C:0C:32:1F:A7:D9:30:7F:C4:7D:68:A3:62:A8:A1:CE:AB:07:5B:27
      X509v3 Authority Key Identifier: 
        keyid:BF:5F:B7:D1:CE:DD:1F:86:F4:5B:55:AC:DC:D7:10:C2:0E:A9:88:E7
      Authority Information Access: 
        OCSP - URI:http://ocsp.starfieldtech.com/
      X509v3 CRL Distribution Points: 
        Full Name:
          URI:http://crl.starfieldtech.com/sfroot.crl
      X509v3 Certificate Policies: 
        Policy: X509v3 Any Policy
          CPS: https://certs.starfieldtech.com/repository/
  Signature Algorithm: sha256WithRSAEncryption
[000.354]  
Certificate 4 of 4 in chain:
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number: 0 (0x0)
  Signature Algorithm: sha1WithRSAEncryption
    Issuer:
      countryName         = US
      organizationName      = Starfield Technologies, Inc.
      organizationalUnitName  = Starfield Class 2 Certification Authority
    Validity
      Not Before: Jun 29 17:39:16 2004 GMT
      Not After : Jun 29 17:39:16 2034 GMT
    Subject:
      countryName         = US
      organizationName      = Starfield Technologies, Inc.
      organizationalUnitName  = Starfield Class 2 Certification Authority
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (2048 bit)
        Modulus:
        Exponent: 3 (0x3)
    X509v3 extensions:
      X509v3 Subject Key Identifier: 
        BF:5F:B7:D1:CE:DD:1F:86:F4:5B:55:AC:DC:D7:10:C2:0E:A9:88:E7
      X509v3 Authority Key Identifier: 
        keyid:BF:5F:B7:D1:CE:DD:1F:86:F4:5B:55:AC:DC:D7:10:C2:0E:A9:88:E7
        DirName:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
        serial:00
      X509v3 Basic Constraints: 
        CA:TRUE
  Signature Algorithm: sha1WithRSAEncryption
[000.354]   Cert VALIDATED: ok
[000.354] ssl : scheme=ldap cert=140579472250640
: identity=mail.digitaliway.net cn=mail.digitaliway.net alt=2 mail.digitaliway.net 2 www.mail.digitaliway.net 2 autodiscover.digitaliway.net 2 pop.digitaliway.net 2 imap.digitaliway.net 2 mail.digitaliway.net 2 smtp.digitaliway.net
[000.354]   Cert Hostname VERIFIED (mail.digitaliway.net = mail.digitaliway.net)
[000.355] ~~> EHLO checktls.com
[000.394] <~~ 250-mail.digitaliway.net Hello [69.61.187.232]
250-SIZE 31457280
250-AUTH LOGIN CRAM-MD5
250-8BITMIME
250 OK
[000.394]   TLS successfully started on this server
[000.394] ~~> MAIL FROM:<test@checktls.com>
[000.746] <~~ 250 OK <test@checktls.com> Sender ok
[000.747]   Sender is OK
[000.747] ~~> RCPT TO:<test@digitaliway.net>
[000.785] <~~ 550 <test@digitaliway.net> No such user here
[000.785]   Cannot proof e-mail address (reason: RCPT TO rejected)
[000.785]   Note: This does not affect the CheckTLS Confidence Factor
[000.786] ~~> QUIT
[000.824] <~~ 221 Service closing transmission channel

First, I would like to ask you to send me a direct e-mail to support@chicagonettech.com.  If you are working properly, I will see the TLS 1.2 in the e-mail headers.
 
Next, please go through the following procedure:
 
So, if you still have your original SmarterMail installation file, can you please RIGHT CLICK on the file name, select the PROPERTIES tab, open the DETAILS tab and then take a look at the FILE VERSION number.
 
Please make certain:
 
  • it matches "14.2.5711.24718";
  • and that the file size is 55.4 MB
  • along with the other data shown in the image below:
 
SmarterMail 14.2.5711.24718 file characteristics
 
Next, I'd like you to take a look at how your PORTS are setup in SmarterMail.
 
Please make certain you have the following ports built and mapped to the IP ADDRESS of 208.75.248.202
 
Note you may not have the XMPP ports built, but all of the others should be built as shown.
 
SmarterMail SSL and TLS Ports Built
 
Make certain you have:
 
  • SMTP TLS on PORT 25, as TLS, and that the CER FILE validates properly when you test;
  • POP TLS on PORT 110, as TLS, and that the CER FILE validates properly when you test;
  • IMAP TLS on PORT 143, as TLS, and that the CER FILE validates properly when you test;
  • SMTP SSL, on PORT 465, as SSL, and that the CER FILE validates properly when you test;
  • SUBMISSION TLS on PORT 587, and that the CER FILE validates properly when you test;
  • IMAP SSL, on PORT 993, and that the CER FILE validates properly when you test;
  • POP SSL, on PORT 995, and that the CER FILE validates properly when you test;
 
Now, make certain you have them all MAPPED to the IP ADDRESS: 208.75.248.202.  I use the FQDN in the mapping description box for purposes of identifying the mapping.
 
SmarterMail SSL/TLS PORT to IP ADDRESS Mapping
 
Now make certain you have the FQDN of your SmarterMail server mapped to the IP ADDRESS:
 
SmarterMail FQDN to IP ADDRESS Mapping Example
Now please check to make certain that the OUTBOUND IPV4 ADDRESS for the DOMAIN NAME "MAIL.DIGITALIWAY.NET" is set to EITHER "208.75.248.202" or to the PRIVATE IP ADDRESS which is mapped to the PUBLIC IP address of "208.75.248.202" in your DOMAIN EDIT settings, AND that you have OUTBOUND IPV6 ADDRESS set to DISABLED:
 
DOMAIN IPV4/IPV6 Outbound IP Address Settings
 
And finally, please check that your SETTINGS, PROTOCOL SETTINGS, SMTP OUT settings are set up to point to either your PUBLIC IP ADDRESS of "208.75.248.202", or to the PRIVATE IP ADDRESS which is mapped, through your router, to your public IP address:
 
Outbound IPv4 IP Address Settings
 
Make certain you DO NOT have ENABLE PRIMARY IP ON FAILURE checked.  That will cause non-delivery errors if the primary IP address goes down.
 
Once these have been checked, and, as necessary, updated, please monitor your SMTP logs for TLS errors.
 
 
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phone: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
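The port checklist above can be verified from outside the server. The Python below is an added example, not SmarterMail's or Bruce's own tool: it connects to each listed port, upgrades with STARTTLS where the checklist says TLS and uses implicit TLS for the SSL ports, and validates the chain and hostname against the local trust store, which is the "CER FILE validates properly when you test" condition. The FQDN and port table are the ones from the thread; the probe() function and its result format are this example's own.

```python
"""Probe each SmarterMail SSL/TLS listener from the checklist above.

Added example, not SmarterMail's or the poster's own tool. The FQDN and the
port/mode table come from the thread; probe() and its result format are this
example's own design. Run it from a host that can reach the server.
"""
import socket
import ssl

HOST = "mail.digitaliway.net"  # FQDN from the thread; replace with your own

# (port, protocol, mode): "starttls" = plaintext greeting then upgrade,
# "tls" = implicit TLS from the first byte, matching the checklist.
PORTS = [
    (25, "smtp", "starttls"), (110, "pop3", "starttls"), (143, "imap", "starttls"),
    (465, "smtp", "tls"), (587, "smtp", "starttls"),
    (993, "imap", "tls"), (995, "pop3", "tls"),
]


def smtp_reply(f) -> bytes:
    """Read one SMTP reply; '250-' lines continue, '250 ' (space) ends it."""
    lines = []
    while True:
        line = f.readline()
        lines.append(line)
        if not line or line[3:4] != b"-":
            return b"".join(lines)


def starttls_upgrade(sock: socket.socket, proto: str) -> None:
    """Drive the plaintext dialogue until the server agrees to start TLS."""
    f = sock.makefile("rb", buffering=0)  # unbuffered: no TLS bytes get read ahead
    if proto == "smtp":
        smtp_reply(f)                              # 220 greeting
        sock.sendall(b"EHLO probe.example\r\n")
        smtp_reply(f)                              # 250 capability list
        sock.sendall(b"STARTTLS\r\n")
        reply, expect = smtp_reply(f), b"220"
    elif proto == "pop3":
        f.readline()                               # +OK greeting
        sock.sendall(b"STLS\r\n")
        reply, expect = f.readline(), b"+OK"
    else:                                          # imap
        f.readline()                               # * OK greeting
        sock.sendall(b"a1 STARTTLS\r\n")
        reply, expect = f.readline(), b"a1 OK"
    if not reply.startswith(expect):
        raise RuntimeError(f"{proto} STARTTLS refused: {reply!r}")


def probe(host: str, port: int, proto: str, mode: str, timeout: float = 10.0) -> dict:
    """Connect, negotiate TLS, and validate chain and hostname against the trust store."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            if mode == "starttls":
                starttls_upgrade(raw, proto)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(pair[0] for pair in tls.getpeercert()["subject"])
                return {"port": port, "ok": True, "version": tls.version(),
                        "cipher": tls.cipher()[0], "cn": subject.get("commonName")}
    except (OSError, RuntimeError) as exc:
        # ssl.SSLCertVerificationError is an OSError: the cert or chain did not validate.
        return {"port": port, "ok": False, "error": str(exc)}


if __name__ == "__main__":
    for port, proto, mode in PORTS:
        r = probe(HOST, port, proto, mode)
        status = f"{r['version']} {r['cipher']} cn={r['cn']}" if r["ok"] else r["error"]
        print(f"{port:4d} {proto:5s} {mode:8s} {'OK  ' if r['ok'] else 'FAIL'} {status}")
```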
0
digital.iway Replied
I do not have the original install file, but I did verify the latest build in the webmail interface.  Do you think I need to do a full uninstall, reboot then reinstall?
 
 
I checked all port mappings and matched yours, verifying the cert for each one, with one exception: I have an additional SMTP port. I am not sure if it is needed, but I do have clients accessing on 587; see below for how I set it up. Would I need to set that up as SMTP TLS 587 also?

Protocol: SMTP
Encryption: NON
Name: SMTP ALT
Port: 587
Description: SMTP ALTERNATIVE PORT
 
 
I went to the domain and did an edit, going to > Technical > Outbound IPv4 (it was unassigned), so I assigned it. Outbound IPv6 was unassigned, so I disabled it.
 
All my domains have Outbound IPv4 and Outbound IPv6 unassigned (I see no way to propagate IPv4 and IPv6 settings, unless unassigned means server default for protocol settings?).
 
 
Protocol settings: IPv4 was set to the IP and IPv6 was enabled, so I disabled it.
 
 
Enable primary IP on failure was on, so I disabled it.
 
I restarted the SM service just in case, cleared the event viewer and will now report back.
0
digital.iway Replied
Just checked the log and the TLS errors remain.
 
It starts with the TLS 1 error below, then has over 100 errors in the minute after, which are combinations of TLS 1 and 2 with internal error states:
 
An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
 
The following fatal alert was generated: 40. The internal error state is 1205.
 
An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
 
0
Bruce Barnes Replied
Received your e-mail and responding with a copy of the message header.
 
The header of the message which I received from you clearly shows that TLS 1.2 was used to send the message:
 
Return-Path: <REDACTED@digitaliway.com>
Received: from mail.digitaliway.net (mail.digitaliway.net [208.75.248.202]) by securemail.chicagonettech.com with SMTP
                (version=TLS\Tls12 <=== SmarterMail shows that TLS 1.2 was used for transaction
            cipher=Aes256 bits=256);
   Wed, 2 Sep 2015 06:56:01 -0500
X-SmarterMail-Authenticated-As: REDACTED@digitaliway.com
DomainKey-Signature: a=rsa-sha1; c=simple; q=dns;
        d=digitaliway.com; s=digitaliway;
        h=received:from:to:subject:date:message-id:mime-version
          :content-type:x-mailer:thread-index:content-language
          :x-messagesniffer-identifier:x-gbudb-analysis
          :x-messagesniffer-scan-result:x-messagesniffer-rules
          :x-declude-sender:x-declude-spoolname:x-declude-refid
          :x-declude-note:x-declude-scan:x-declude-tests:x-country-chain
          :x-declude-code:x-helo:x-identity;
        b=RxXBMCJDVpJ8pIurW+fbBWh1Anyzz5WB1vcSwVTYkA7X62x5xI8NUgr+MKF4w53jV
          /ijtDlyHIcDXl/cqQGEZh7hsqFDVBDe/85eb997u1PXSEai0CoK7RGaIVxraI9h
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=digitaliway.com; s=digitaliway;
        h=x-identity:x-helo:x-declude-code:x-country-chain:x-declude-tests
          :x-declude-scan:x-declude-note:x-declude-refid
          :x-declude-spoolname:x-declude-sender:x-messagesniffer-rules
          :x-messagesniffer-scan-result:x-gbudb-analysis
          :x-messagesniffer-identifier:content-language:thread-index
          :x-mailer:content-type:mime-version:message-id:date:subject:to
          :from;
        bh=ElgnKLjTgOTyifodwMRo42ZNCRUs5rJsfQDma6Aw0DY=;
        b=SO94qAGMgv7pY/8hGPmAvgN6YIOFtvl/x2iFJwN+BcUHh2zQ/ORo/WMq9osk/ErAO
          f6DlsVSSDL5+6quGaywNHnt+vtHwA8RbT63URptTfrSpNuqRbqisBQiROQ4WZVU
Received: from Dell8700 (207-255-13-129-dhcp.jst.pa.atlanticbb.net) by mail.digitaliway.net with SMTP;
   Wed, 2 Sep 2015 07:55:36 -0400
From: "Mike Danchanko" <REDACTED@digitaliway.com>
To: <support@chicagonettech.com>
Subject: SMTP ALT
Date: Wed, 2 Sep 2015 07:55:46 -0400
Message-ID: <008101d0e576$4e8735d0$eb95a170$@digitaliway.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
                boundary="----=_NextPart_000_0082_01D0E554.C7760B00"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AdDldaSXZzDFHXXiSSOrF0GgcoY8kw==
Content-Language: en-us
 
[COMMENT: LOOKS LIKE YOU ARE USING DECLUDE]
X-MessageSniffer-Identifier: e:\SmarterMail\Spool\proc\work\49598016.eml
X-GBUdb-Analysis: Unknown
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: REDACTED@digitaliway.com [0.0.0.0] <== WHAT'S WITH THE "0.0.0.0" IP ADDRESS?
X-Declude-Spoolname: 49598016.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.12.11
X-Declude-Scan: Outgoing Score [0] at 07:55:44 on 02 Sep 2015
X-Declude-Tests: Whitelisted
X-Country-Chain:
X-Declude-Code: e
X-HELO: Dell8700
X-Identity: 0.0.0.0 | (Private IP) | chicagonettech.com <==== WHAT'S WITH THE "0.0.0.0" PRIVATE IP ADDRESS?
X-SmarterMail-Spam: SPF_Pass, DK_Pass, DKIM_Pass
X-SmarterMail-TotalSpamWeight: 0
 
It appears as if you might have DECLUDE enabled.  How is that interfaced with SmarterMail, and why are you checking outgoing messages?
 
 
0
digital.iway Replied
I am using DECLUDE and it is enabled inside of SmarterMail. I am using HOP, so it is excluding the original IP. I am scanning outbound to prevent hijacked accounts, stop outbound spam and stop outbound viruses, but I may try leaving that off to gain some CPU resources until this is resolved.
 
 
Do you feel that I have a corrupt installation of SM, and do you recommend I re-install fresh?
0
digital.iway Replied
Just an update:
 
I fully uninstalled SM - rebooted then installed fresh (did this to rule out any install issues).  TLS issues REMAIN and I am getting the following schannel error:
 
the following fatal alert was received: 42.
 
 
I looked up that error code on the below website:
 
ERROR: bad_certificate
Description: There is a problem with the certificate, for example, a certificate is corrupt, or a certificate contains signatures that cannot be verified.
 
 
So I contacted my certificate provider just to be sure. I did not think they could help, but it was worth a try, and I basically got an answer of "it checks out to us on sslshopper.com". Not much help.
 
 
I am at a loss at this point and will continue to monitor logs and possibly consider installing the certificate again.
 
0
Bruce Barnes Replied
When you installed your certificate(s) did you manually install each of the certificates into the certificate repository using the operating system CERTIFICATE tool in MMC?
 
You cannot use the auto-import function, they must be imported MANUALLY, into the appropriate section under the LOCAL MACHINE.
 
After you imported the primary certificate, did you follow the instructions to EXPORT the .CER file according to the instructions in this KB article:
 
 
It might not hurt to completely remove the certificate and reinstall it from scratch.  It's a pain in the butt to do, but I've seen some weird stuff happen when certificates are not properly integrated.
0
digital.iway Replied
Just an update on this: I re-installed the certificate as per ST / Bruce instructions and switched from STARFIELD to GODADDY as the authority, thinking that would help, and the issue still persists.
 
I have a standard GoDaddy UCC SSL with up to 5 Subject Alternate Names.
 
I am continuing to monitor, and for reference these are the errors I always receive:
 
The following fatal alert was received: 42.
 
The following fatal alert was generated: 10. The internal error state is 1203.
 
An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
0
Scarab Replied
Two things:
 
  1. After installing your Cert in MMC did you export it to a Base 64 encoded X.509 certificate and link to this exported certificate in Smartermail? This is very important. Although the Smartermail webmail (in IIS) will use the certificate format you received from GoDaddy, the Mail Server functions need the certificate to be in a different format.
     
  2. It is relatively normal to periodically receive "A TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server." If you have used IISCrypto and disabled insecure cipher suites then older Operating Systems may not be able to negotiate a cipher suite in common (i.e. Microsoft Exchange running on Windows Server 2000 & 2003 or a really old Linux box, or any Apple client prior to April 2014). When you disable insecure cipher suites, protocols, and key-exchanges you are intentionally limiting connections. Not every Mail Server is going to be able to negotiate a secure connection if they don't have any of those in common with your server (and if they are running an outdated OS they most likely won't).
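The distinction Scarab draws, an expected trickle of "none of the cipher suites" events after hardening versus the flood of over 100 a minute reported earlier in this thread, is easiest to see with a small triage script. The Python below is an added example, not tooling from anyone in the thread: it decodes the alert numbers quoted above (42, 40, 10) to their RFC 5246 names, counts events by type, and flags any minute above a threshold; the timestamped sample lines are constructed, and the threshold value is this example's own choice.

```python
"""Triage Windows Schannel TLS events exported as text.

Added example; it is not tooling from anyone in the thread. The event
wordings are the ones quoted in the thread; the timestamped sample lines are
constructed, and the per-minute burst threshold is this example's own choice.
"""
import re
from collections import Counter
from datetime import datetime

# TLS AlertDescription values (RFC 5246, section 7.2.2) behind the numbers Schannel logs.
ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 110: "unsupported_extension",
}

# The three Schannel messages quoted in the thread.
NO_COMMON_SUITE = re.compile(
    r"An? TLS (\d\.\d) connection request was received .*none of the cipher suites")
ALERT_GENERATED = re.compile(
    r"fatal alert was generated: (\d+)\. The internal error state is (\d+)")
ALERT_RECEIVED = re.compile(r"fatal alert was received: (\d+)")


def alert_name(code: int) -> str:
    """Map a numeric TLS alert to its RFC 5246 name, e.g. 42 -> bad_certificate."""
    return ALERTS.get(code, "unknown")


def classify(message: str) -> tuple:
    """Return (category, detail) for one Schannel event message."""
    m = NO_COMMON_SUITE.search(message)
    if m:
        # The client offered no cipher suite the server still allows.
        return ("no_common_cipher_suite", f"TLS {m.group(1)}")
    m = ALERT_GENERATED.search(message)
    if m:
        # Our server aborted the handshake and told the peer why.
        return ("alert_sent", f"{alert_name(int(m.group(1)))}({m.group(1)}) state={m.group(2)}")
    m = ALERT_RECEIVED.search(message)
    if m:
        # The peer aborted; 42 (bad_certificate) means it rejected our certificate or chain.
        return ("alert_received", f"{alert_name(int(m.group(1)))}({m.group(1)})")
    return ("other", message[:60])


def parse_line(line: str) -> tuple:
    """Parse 'YYYY-MM-DD HH:MM:SS <message>' into (timestamp, category, detail)."""
    date, time, message = line.split(" ", 2)
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return (ts,) + classify(message)


def summarize(lines, burst_threshold: int = 50) -> dict:
    """Count events per (category, detail) and flag minutes at or above the threshold.

    A few dozen no-common-suite events per day are the expected cost of disabling
    weak suites; many in a single minute is what the CPU spikes in the thread looked like.
    """
    counts = Counter()
    per_minute = Counter()
    for line in lines:
        ts, category, detail = parse_line(line)
        counts[(category, detail)] += 1
        per_minute[ts.strftime("%Y-%m-%d %H:%M")] += 1
    bursts = sorted((m, n) for m, n in per_minute.items() if n >= burst_threshold)
    return {"counts": counts, "bursts": bursts}


# Constructed sample: the trickle the thread calls normal, plus one flood minute.
NO_SUITE = ("connection request was received from a remote client application, "
            "but none of the cipher suites supported by the client application are "
            "supported by the server. The SSL connection request has failed.")
SAMPLE = [
    f"2015-09-02 06:55:12 An TLS 1.2 {NO_SUITE}",
    "2015-09-02 09:10:03 The following fatal alert was received: 42.",
    "2015-09-02 09:10:03 The following fatal alert was generated: 10. The internal error state is 1203.",
] + [f"2015-09-02 13:02:{i % 60:02d} An TLS 1.0 {NO_SUITE}" for i in range(120)]

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for (category, detail), n in result["counts"].most_common():
        print(f"{n:5d}  {category:24s} {detail}")
    for minute, n in result["bursts"]:
        print(f"BURST {minute}: {n} events in one minute")
```

Feed it a text export of the System log filtered to the Schannel source, one event per line in the same timestamp-first layout.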
0
digital.iway Replied
Scarab, thank you for the response. I actually installed the cert twice, once with Starfield and once with GoDaddy as the authority, and with each install I did do the export as a Base 64 encoded X.509 certificate and linked to this exported certificate in SmarterMail. Both installs gave the same errors.

I initially used IIS Crypto with the BEST PRACTICES selection; then, as you can see in the replies above, I changed the cipher suites to what Bruce recommended using a custom .reg file. Both implementations still give the TLS errors.

At this point I am just monitoring, and the errors are about 20 to 30 per day.
