Back to Community Threads
TLS Negotiation failed
Problem reported by Scott Wilson - 10/18/2021 at 9:41 AM
Submitted
S
I'm getting this error from Gmail when trying to send mail to my instance of SmarterMail:

TLS Negotiation failed: FAILED_PRECONDITION: starttls error (71): 22306758296904:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:third_party/openssl/boringssl/src/ssl/tls_record.cc:242: 

I also get this error when I run my domain through a test service:Cannot convert to SSL (reason: SSL connect attempt failed error:1408F10B:SSL routines:ssl3_get_record:wrong version number) 

Any idea how to fix this?
Kyle Kerst Replied
10/18/2021 at 10:39 AM
Employee Post
Hey there Scott! This error looks to be a mismatch between the supported SSL/TLS versions on this client/server and your SmarterMail environment. What I typically recommend here is downloading and installing IISCrypto from Nartac Software. Once installed on the server, open it up and press the Best Practices button, then apply and save the changes before rebooting the server. This will configure Windows (and SmarterMail) to use only the supported versions of SSL/TLS and should bring it current with the sending environment. 

Please note however, that these changes can lead to older email clients and mobile devices running into similar errors when attempting to connect, so this is something you'll want to keep an eye out for. Please let me know if that helps. Have a good one!
Kyle Kerst Acting IT Manager SmarterTools Inc. www.smartertools.com
S
Scott Wilson Replied
10/18/2021 at 12:50 PM
Doesn't seem to make any difference. What I don't get is why would it start malfunctioning like this all of the sudden when before everything had been working fine.
Kyle Kerst Replied
10/18/2021 at 1:20 PM
Employee Post
I'm sorry to hear that Scott. Is it possible there were security changes on the underlying network itself? I've seen similar issues when AV or Firewall products proxy the SMTP session in order to scan it. Hopefully others can offer some guidance on this one too.
Kyle Kerst Acting IT Manager SmarterTools Inc. www.smartertools.com
S
Scott Wilson Replied
10/18/2021 at 2:29 PM
No changes like that have been made. Nothing particularly interesting about the firewall the server is behind, just a ordinary Netgear and Windows Firewall on the server itself is turned off.
Kyle Kerst Replied
10/19/2021 at 3:13 PM
Employee Post
Hey there Scott, and sorry for the delay on this. Something that might help here is determining exactly what cipher suites are supported on the client and server side. I found a guide that includes a script to do so here:


Additionally, you can use the SSL Website Tester I've linked below (be sure to choose the option to exclude your results from their dashboard) which will allow you to compare the supported/unsupported protocols and versions for both environments as well:


Let me know what you find out! :-)
Kyle Kerst Acting IT Manager SmarterTools Inc. www.smartertools.com
Tony Scholz Replied
10/19/2021 at 4:57 PM
Employee Post
Hello, 

To add to what Kyle said you can use WireShark to find out what cipher is being suggested.


Thank you
Tony Scholz System/Network Administrator SmarterTools Inc. www.smartertools.com
S
Scott Wilson Replied
10/19/2021 at 5:48 PM
Okay I ran the following in OpenSSL and this is what it output:

openssl s_client -connect mydomain.com:25 -tls1_2

CONNECTED(000001A0)
64D00000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl\record\ssl3_record.c:355:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 210 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1634687859
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Here's the output from the SSL tester:

Certificate #1: RSA 2048 bits (SHA256withRSA)
Server Key and Certificate #1

Subjectmail.example.com
Fingerprint SHA256: 72e50bf23a851df5650d889e9ecb543ffff6285a765a6154d5b204b7facff89c
Pin SHA256: A3NsqgAD5rrLG6PhuwF3QAKYxe6CRHwzLkX/+3wn9YA=
Common namesmail.example.com
Alternative names
Serial Number033d9dc3c494c0b7ac19eb7b8a436cd0da31
Valid fromFri, 01 Oct 2021 13:59:12 UTC
Valid untilThu, 30 Dec 2021 13:59:11 UTC (expires in 2 months and 10 days)
KeyRSA 2048 bits (e 65537)
Weak key (Debian)No
IssuerR3
AIA: http://r3.i.lencr.org/
Signature algorithmSHA256withRSA
Extended ValidationNo
Certificate TransparencyYes (certificate)
OCSP Must StapleNo
Revocation informationOCSP
OCSP: http://r3.o.lencr.org
Revocation statusGood (not revoked)
DNS CAANo (more info)
TrustedYes
Mozilla  Apple  Android  Java  Windows 

Additional Certificates (if supplied)

Certificates provided2 (2687 bytes)
Chain issuesNone
#2
SubjectR3
Fingerprint SHA256: 67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
Pin SHA256: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
Valid untilMon, 15 Sep 2025 16:00:00 UTC (expires in 3 years and 10 months)
KeyRSA 2048 bits (e 65537)
IssuerISRG Root X1
Signature algorithmSHA256withRSA

Certification Paths

Click here to expand

Configuration
Protocols
TLS 1.3No
TLS 1.2Yes
TLS 1.1Yes
TLS 1.0Yes
SSL 3No
SSL 2No

Cipher Suites
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp521r1 (eq. 15360 bits RSA)   FS   WEAK256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp521r1 (eq. 15360 bits RSA)   FS   WEAK128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp521r1 (eq. 15360 bits RSA)   FS   WEAK256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp521r1 (eq. 15360 bits RSA)   FS   WEAK128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK128
# TLS 1.1 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp521r1 (eq. 15360 bits RSA)   FS   WEAK256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp521r1 (eq. 15360 bits RSA)   FS   WEAK128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK128
# TLS 1.0 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp521r1 (eq. 15360 bits RSA)   FS   WEAK256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp521r1 (eq. 15360 bits RSA)   FS   WEAK128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK128

Handshake Simulation
Android 2.3.7   No SNI 2Server closed connection
Android 4.0.4RSA 2048 (SHA256)  TLS 1.0TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp521r1  FS
Android 4.1.1RSA 2048 (SHA256)  TLS 1.0TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp521r1  FS
Android 4.2.2RSA 2048 (SHA256)  TLS 1.0TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp521r1  FS
Android 4.3RSA 2048 (SHA256)  TLS 1.0TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp521r1  FS
Android 4.4.2RSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   ECDH secp521r1  FS
Android 5.0.0RSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp521r1  FS
Android 6.0RSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp384r1  FS
Android 7.0RSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp384r1  FS
Android 8.0RSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp384r1  FS
Android 8.1RSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp384r1  FS
Android 9.0RSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp384r1  FS
Baidu Jan 2015RSA 2048 (SHA256)  TLS 1.0TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp521r1  FS
BingPreview Jan 2015RSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp521r1  FS
Chrome 49 / XP SP3RSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp384r1  FS
Chrome 69 / Win 7  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp384r1  FS
Chrome 70 / Win 10RSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp384r1  FS
Chrome 80 / Win 10  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp384r1  FS
Firefox 31.3.0 ESR / Win 7RSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp521r1  FS
Firefox 47 / Win 7  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp521r1  FS
Firefox 49 / XP SP3RSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp521r1  FS
Firefox 62 / Win 7  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp521r1  FS
Firefox 73 / Win 10  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp521r1  FS
Googlebot Feb 2018RSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp384r1  FS
IE 7 / VistaRSA 2048 (SHA256)  TLS 1.0TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp521r1  FS
IE 8 / XP   No FS 1   No SNI 2Server closed connection
IE 8-10 / Win 7  RRSA 2048 (SHA256)  TLS 1.0TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp521r1  FS
IE 11 / Win 7  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp384r1  FS
IE 11 / Win 8.1  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp384r1  FS
IE 10 / Win Phone 8.0RSA 2048 (SHA256)  TLS 1.0TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp384r1  FS
IE 11 / Win Phone 8.1  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   ECDH secp384r1  FS
IE 11 / Win Phone 8.1 Update  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp384r1  FS
IE 11 / Win 10  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp384r1  FS
Edge 15 / Win 10  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp384r1  FS
Edge 16 / Win 10  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp384r1  FS
Edge 18 / Win 10  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp384r1  FS
Edge 13 / Win Phone 10  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp384r1  FS
Java 6u45   No SNI 2Server closed connection
Java 7u25RSA 2048 (SHA256)  TLS 1.0TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp521r1  FS
Java 8u161RSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp521r1  FS
Java 11.0.3RSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp521r1  FS
Java 12.0.1RSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp521r1  FS
OpenSSL 0.9.8yRSA 2048 (SHA256)  TLS 1.0TLS_RSA_WITH_AES_256_CBC_SHA  No FS
OpenSSL 1.0.1l  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp521r1  FS
OpenSSL 1.0.2s  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp521r1  FS
OpenSSL 1.1.0k  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp521r1  FS
OpenSSL 1.1.1c  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp521r1  FS
Safari 5.1.9 / OS X 10.6.8RSA 2048 (SHA256)  TLS 1.0TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp521r1  FS
Safari 6 / iOS 6.0.1RSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp521r1  FS
Safari 6.0.4 / OS X 10.8.4  RRSA 2048 (SHA256)  TLS 1.0TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp521r1  FS
Safari 7 / iOS 7.1  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp521r1  FS
Safari 7 / OS X 10.9  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp521r1  FS
Safari 8 / iOS 8.4  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp521r1  FS
Safari 8 / OS X 10.10  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp521r1  FS
Safari 9 / iOS 9  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp521r1  FS
Safari 9 / OS X 10.11  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp521r1  FS
Safari 10 / iOS 10  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp521r1  FS
Safari 10 / OS X 10.12  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp521r1  FS
Safari 12.1.2 / MacOS 10.14.6 Beta  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp521r1  FS
Safari 12.1.1 / iOS 12.3.1  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp521r1  FS
Apple ATS 9 / iOS 9  RRSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp521r1  FS
Yahoo Slurp Jan 2015RSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp384r1  FS
YandexBot Jan 2015RSA 2048 (SHA256)  TLS 1.2TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   ECDH secp521r1  FS
# Not simulated clients (Protocol mismatch)
IE 6 / XP   No FS 1   No SNI 2Protocol mismatch (not simulated)

(1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it.
(2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI.
(3) Only first connection attempt simulated. Browsers sometimes retry with a lower protocol version.
(R) Denotes a reference browser or client, with which we expect better effective security.
(All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE).
(All) Certificate trust is not checked in handshake simulation, we only perform TLS handshake.

Protocol Details
DROWNNo, server keys and hostname not seen elsewhere with SSLv2
(1) For a better understanding of this test, please read this longer explanation
(2) Key usage data kindly provided by the Censys network search engine; original DROWN website here
(3) Censys data is only indicative of possible key and certificate reuse; possibly out-of-date and not complete
Secure RenegotiationSupported
Secure Client-Initiated RenegotiationNo
Insecure Client-Initiated RenegotiationNo
BEAST attackNot mitigated server-side (more info)   TLS 1.0: 0xc014
POODLE (SSLv3)No, SSL 3 not supported (more info)
POODLE (TLS)No (more info)
Zombie POODLENo (more info)   TLS 1.2 : 0xc027
GOLDENDOODLENo (more info)   TLS 1.2 : 0xc027
OpenSSL 0-LengthNo (more info)   TLS 1.2 : 0xc027
Sleeping POODLENo (more info)   TLS 1.2 : 0xc027
Downgrade attack preventionNo, TLS_FALLBACK_SCSV not supported (more info)
SSL/TLS compressionNo
RC4No
Heartbeat (extension)No
Heartbleed (vulnerability)No (more info)
Ticketbleed (vulnerability)No (more info)
OpenSSL CCS vuln. (CVE-2014-0224)No (more info)
OpenSSL Padding Oracle vuln.
(CVE-2016-2107)		No (more info)
ROBOT (vulnerability)No (more info)
Forward SecrecyWith modern browsers (more info)
ALPNNo
NPNNo
Session resumption (caching)Yes
Session resumption (tickets)No
OCSP staplingNo
Strict Transport Security (HSTS)No
HSTS PreloadingNot in: Chrome  Edge  Firefox  IE 
Public Key Pinning (HPKP)No (more info)
Public Key Pinning Report-OnlyNo
Public Key Pinning (Static)No (more info)
Long handshake intoleranceNo
TLS extension intoleranceNo
TLS version intoleranceNo
Incorrect SNI alertsNo
Uses common DH primesNo, DHE suites not supported
DH public server param (Ys) reuseNo, DHE suites not supported
ECDH public server param reuseYes
Supported Named Groupssecp521r1, secp384r1, secp256r1 (server preferred order)
SSL 2 handshake compatibilityNo

HTTP Requests
1 https://mail.example.com/  (HTTP/1.1 302 Found)

Miscellaneous
Test dateTue, 19 Oct 2021 23:59:12 UTC
Test duration97.258 seconds
HTTP status code200
HTTP server signature-
Server hostnamemail.example.com
S
Scott Wilson Replied
10/21/2021 at 8:49 AM
So what I don't understand is why would an email provider like Gmail even care if there was a problem with a SSL3 when I thought that was outdated and is not being used any longer.
Kyle Kerst Replied
10/21/2021 at 2:36 PM
Employee Post
@Scott - I think this report is showing you supporting TLS 1.0/1.1 as well but I can't see the pass/fail in the screenshot. Can you confirm? The error message itself is mentioning SSL, but I'm betting they're complaining about the TLS version more specifically. A lot of these types of errors tend to get lumped in under "SSL" though the protocol may vary. 

Edit: I figured out I can scroll over in your reply! Doh! You are supporting TLS 1.0/1.1, so thats likely what Google is complaining about. You can try running the Best Practices button on IISCrypto (https://www.nartac.com/Products/IISCrypto), saving the changes, then rebooting the Windows server environment before testing again and that should do the trick. If that doesn't work theres something else going on with the certificate or the network is passing back the wrong versions (firewall or proxy.)
Kyle Kerst Acting IT Manager SmarterTools Inc. www.smartertools.com
S
Scott Wilson Replied
10/21/2021 at 3:34 PM
So why would Google care if I also support TLS 1.0/1.1 in addition to 1.2 just as long as I support 1.2? 
Kyle Kerst Replied
10/21/2021 at 3:46 PM
Employee Post
That's a great question Scott. The only thing I can think of is that for some reason your server (or the underlying network) is setting the upper limit at 1.0 or 1.1, so Google never see's the 1.2. 
Kyle Kerst Acting IT Manager SmarterTools Inc. www.smartertools.com
S
Scott Wilson Replied
10/21/2021 at 5:00 PM
Oh man this sucks, I have nothing to go on to solve this. I just get the feeling it's a problem with these Let's Encrypt certificates.
S
Scott Wilson Replied
10/21/2021 at 10:41 PM
So if you're saying the underlying network is preventing TLS 1.2 why would the test tool see it and not Google? Could a bad Comcast Business modem cause something like this? Literally nothing has changed on my server or any of my network hardware. This is becoming a real problem since I can't get all of my mail along with a few other domains I manage for other people for almost a week now.
Kyle Kerst Replied
10/25/2021 at 8:29 AM
Employee Post
@Scott - It isn't preventing TLS 1.2, but is offering TLS 1.0 and 1.1 and I think this is what Google is complaining about. Ideally if you could submit a ticket on this I'd be happy to dig into it for you!
Kyle Kerst Acting IT Manager SmarterTools Inc. www.smartertools.com
Linda Pagillo Replied
10/25/2021 at 1:02 PM
Hey Scott. I'm very familiar with LetsEncrypt and SmarterMail. If you would like to shoot me an email directly, I will see what I can do to help you and then post the answer here if successful :)

Hi Kyle! Not trying to step on toes. Just trying to lend a hand if I can :) I have many deployments of SM and LE and have had a few issues which I was able to successfully solve.

Thanks!
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
Kyle Kerst Replied
10/25/2021 at 3:23 PM
Employee Post
You're good Linda! I appreciate the help :-)
Kyle Kerst Acting IT Manager SmarterTools Inc. www.smartertools.com
E
Eric Moreau Replied
11/1/2023 at 12:11 AM
Hi Linda and Kyle,
I have exactly the same issue, I used IISCrypto to ensure that my server does not support TLS 1.0 and 1.1 but I still have the issue with the wrong version number for SSL support.
Any help for this one ?
Best regards,
Eric
Kyle Kerst Replied
11/1/2023 at 6:30 AM
Employee Post
Hello Eric! You may want to check what versions are selected in SmarterMail as well, as the system defaults can be overridden in Settings>Protocols>Security Protocols:
Kyle Kerst Acting IT Manager SmarterTools Inc. www.smartertools.com
Kyle Kerst Replied
11/1/2023 at 1:21 PM
Employee Post
I'd be happy to Ron! TLS 1.0/1.1 and ALL versions of SSL are not recommended due to various exploits and overflows available for them and so what I typically recommend is setting SmarterMail to Use System Defaults, downloading and installing IISCrypto (this just makes the changes easier from an admin perspective) and then hitting the Best Practices button once inside of there. You'll notice this leaves TLS 1.0/1.1 enabled for compatibility's sake, so you can uncheck those on the client/server side before applying the changes and rebooting. 

You will want to ensure your end users are running on somewhat recent hardware/software before making that change though, as some older (OLD) versions of Windows/Android OS/iOS don't support newer versions of TLS. A great way to quickly and easily double-check your versions is running an SSL test here:


Make sure you select the Do not show results on the boards checkbox before running those if you don't want your results displayed publicly, but once you run it you'll see a report showing detailed information on what versions and suite versions your server supports. I hope that helps!
Kyle Kerst Acting IT Manager SmarterTools Inc. www.smartertools.com
S
Scott Wilson Replied
11/1/2023 at 8:29 PM
Thankfully after upgrading to the latest version of Windows Server I haven't had any of these issues since and now have TLS 1.3, if that helps.
Kyle Kerst Replied
11/2/2023 at 7:21 AM
Employee Post
That's great to hear Scott! That should set you up for better overall security too!
Kyle Kerst Acting IT Manager SmarterTools Inc. www.smartertools.com
E
Eric Moreau Replied
11/2/2023 at 2:25 PM
On my side here are the settings on my server:
The OS version is Windows Server 2016 Datacenter
On Smartermail, the settings are exactly similar to the one of the screenshot of Kyle

Here is the error message I get when I send message from Gmail:
TLS Negotiation failed: FAILED_PRECONDITION: starttls error (71): 60833816052608:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:third_party/openssl/boringssl/src/ssl/tls_record.cc:231:

This issue is really bothering me since months now and I cannot find any solution so any help is appreciated
J
Jack. Replied
11/2/2023 at 3:23 PM
Try checking with a domain.

It will show you the errors of the certificate, ciphers....


E
Eric Moreau Replied
11/3/2023 at 12:24 PM
Here is the result:
seconds
test stage and result[000.000]
Trying TLS on mail.mydomain.com[99.99.99.99:25] (0)[000.099]
Server answered[000.206]<‑‑ 220 mail.mydomain.com[000.207]
We are allowed to connect[000.207]‑‑>EHLO www11-do.CheckTLS.com[000.310]<‑‑ 250-mail.mydomain.com Hello [99.99.99.99]
250-SIZE
250-AUTH LOGIN CRAM-MD5
250-STARTTLS
250-8BITMIME
250-DSN
250 OK[000.311]
We can use this server[000.311]
TLS is an option on this server[000.311]‑‑>STARTTLS[000.410]<‑‑ 220 Start TLS negotiation[000.411]
STARTTLS command works on this server[001.531]
Cannot convert to SSL (reason: SSL connect attempt failed error:1408F10B:SSL routines:ssl3_get_record:wrong version number)[001.532]
Note: This same test with Format set to "Debug" may show more[001.532]‑‑>MAIL FROM:<test@checktls.com>[001.532]<‑‑ ecurity failure[001.532]
Cannot proof email address (reason: MAIL FROM rejected)[001.533]
Note: This does not affect the CheckTLS Confidence Factor[001.533]‑‑>QUIT[001.533]
Read failed (reason: did not read)

If I switch to debug I got the same detail as before:
    35 35 34 20 53SSL_connect:error in error140446663677760:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
Roger Replied
11/3/2023 at 12:45 PM
Setup like this and forget about ssl2 and ssl3 because of insecure (noodle, poodle, goldendoodle attacks). you have to reboot the server.
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
SmarterMail for Linux – SSL/TLS & Certificate ReferenceSmarterMail > Server Configuration and Management
Microsoft's Remote Connectivity Analyzer and MAPISmarterMail > Desktop and Mobile Synchronization
Trouble Connecting Apple Mail Using MAPI/EWSSmarterMail > Troubleshooting
Automated SSL certificate Issues.SmarterMail > Troubleshooting
Automatic SSL Certificates on a New SmarterMail ServerSmarterMail > Server Configuration and Management