changing the TLS version in SMTPMailService for Integrator

[dhnaigles]

We are trying to send emails using the SMTPMailService with SECURE(*EXPLICIT) for TLS sessions as this is required by Microsoft's Outlook 365 Exchange server. Integrator by default uses TLS 1.0, but Microsoft has changed some of their requirements and we are getting failures (not all the time) due to the TLS version. Microsoft wants us to send the mail with TLS 1.2. Does anyone know how to change the TLS version used when sending and email, either by a SET command or something the SMTPMailService.properties file? Any assistance would be most appreciated.
David

[caseywhite]

I haven't tried this solution but could what is suggested in the post below work by adding this SystemDefault.properties or SMTPMailService.properties?

https://stackoverflow.com/questions/471 ... use-tls1-2

[PatrickF]

I am working with a customer at the moment using POP3 with LANSA Composer having the same issue. I see this link https://docs.microsoft.com/en-us/micros ... -worldwide. Seems flaky where it sometimes connects and other times does not. I wonder if we are in the transition period while Microsoft is cutting over.
I hope the setting for TLS version in SystemDefault.properties that we applied a few years ago for HTTPS connections will apply for POP3 and SMTP.

[BrendanB]

I remember at JDK 7.0, the following was useful

To enable JDK 7.0 TLS v1.0, v1.1 and v1.2 support for the default JSSE provider.

Add the following property to system/SystemDefault.properties

com.ibm.jsse2.overrideDefaultProtocol=SSL_TLSv2

Possible options

SSLv3 : sets SSL V3.0
SSL_TLS : sets SSL V3.0 and TLS 1.0
SSL_TLSv2 : sets SSL V3.0, TLS 1.0, TLS 1.1, and TLS 1.2
TLS : sets TLS 1.0
TLSv1 : sets TLS 1.0
TLSv11 : sets TLS 1.1
TLSv12 : sets TLS 1.2

so it may be worth trying that.

[dhnaigles]

Thank you, everyone! We will see how this works and I will let you know. I appreciate all your assistance. I can always count on this forum.
David

[pkoopmanpk]

We're having the exact same problem on our IBM i, so I'll add my findings here.

The error I get is: Could not convert socket to TLS

It started around october 5 with 1 error on that day, but it grew to around 25% errors over the following days.

I found a TLS tip from Lansa here: https://www.lansa.com/support/tips/t0633.html

According to them the best solution is to install JDK 8.0 32/64bit, so I did a JAVA *VERSION

Code: Select all

java version "1.8.0_261"                                                                    
Java(TM) SE Runtime Environment (build 8.0.6.15 - pap3280sr6fp15-20200724_01(SR6 FP15))
IBM J9 VM (build 2.9, JRE 1.8.0 OS/400 ppc-32-Bit 20200724_452227 (JIT enabled, AOT enabled)
OpenJ9   - 4ce4b9d
OMR      - 08b0594
IBM      - 70917a2)
JCL - 20200720_01 based on Oracle jdk8u261-b13

Just to be sure I also added the following line to system/SystemDefault.properties

Code: Select all

com.ibm.jsse2.overrideDefaultProtocol=SSL_TLSv2

After restarting de Integrator service I still got an error.

I found the following link on this error at Microsoft: https://docs.microsoft.com/en-us/micros ... -worldwide

So I also tried to force TLS 1.2 by adding the following lines to system/SystemDefault.properties

Code: Select all

com.ibm.jsse2.overrideDefaultTLS=true
com.ibm.jsse2.overrideDefaultProtocol=TLSv12

That also didn't help with the error.

[dhnaigles]

Like the previous poster, I have tried everything, but it still says that we are posting via TLS 1.0. I looked at the tips referred to and they are of no use whatsoever. If anyone has any other ideas (ALICK, WHERE ARE YOU???), I'd really appreciate it. We are getting this error on almost 30% of all our emails.

[pkoopmanpk]

I got the following suggestion from Lansa Support Benelux.

---
a) Perhaps you will need to adjust the time-out value of the SSL handshake.

The main configuration for the SSL timeout is in the IBM file, as described here:
https://www.ibm.com/support/pages/setti ... t-variable

You can find the IBMSLAPD.CONF file (and the log file) here :
https://www.ibm.com/docs/en/sdse/6.4.0? ... -locations

b) As the error indicates : "Remote host closed connection during handshake" you should try to get the information / log files from the Remote machine, in order to see what the true issue is.
---

As I am a developer, this was way to technical for me, so we forwarded it to our IBM support. We also forwarded a request to network/mail support to find out if we can get Exchange logs.

[pkoopmanpk]

This morning we received an a new error from Microsoft:

- 421 4.7.66 TLS 1.0 and 1.1 are not supported. Please upgrade/update your client to support TLS 1.2. Visit https://aka.ms/smtp_auth_tls.

So it looks like Lansa Integrator still uses TLS 1.0

I also found a new link which might be a clue: https://stackoverflow.com/questions/471 ... use-tls1-2

It didn't work for me in one pretty old app and I couldn't realize why. After some research I found that the javax.mail version in the app dependencies was 1.4. You must upgrade to at least 1.5.

And while searching in java jars:
…\jsm\instance\jar\jsmmail.jar\META-INF\maven\com.sun.mail\javax.mail\pom.properties

Code: Select all

#Generated by Maven
#Wed Mar 06 15:54:51 PST 2013
version=1.4.7
groupId=com.sun.mail
artifactId=javax.mail

It looks like jsmmail is not supporting TLS 1.2.

[Theo de Bruin]

Hi David / Peter,

Please send me an email for more info on this subject, or contact your local support for
an updated encryption / jsmmail.jar file.