Notes.ini Entry
Name: SSL_Enable_Insecure_SSLV2_Hello
Syntax: SSL_Enable_Insecure_SSLV2_Hello=0 / 1
Applies to: Servers
Add-on:
First Release: 9.0.1 FP3 - IF1
Obsolete since:
Category: HTTP, Security, Server
Default: None
UI equivalent: None
Description:
Is it possible to re-enable SSLv2 support on Domino servers patched with the POODLE fixes? Re-enabling SSLv2 has become necessary because, since the POODLE fixes (which removed support for SSLv2) were applied, SMTP connection attempts from clients, servers, and JVMs with outdated SSL fail with the following error:
SSL_Handshake> Exit Status = -6996
int_MapSSLError> Mapping SSL error -6996 to 4166 [SSLProtocolErr]
SMTPClient: SSL handshake error: 1046h
Answer
Starting with Domino 9.0.1 Fix Pack 3 Interim Fix 1, you can set the following notes.ini variable to permit these less secure connections. However, note that we strongly advise against setting this variable unless you absolutely need to interoperate with an outdated SSL client that refuses to upgrade their software or configuration.
SSL_ENABLE_INSECURE_SSLV2_HELLO=1
This .INI variable will (1) allow SSLv2 ClientHello messages, as long as they negotiate up to a supported version of SSL/TLS, and (2) provide an increased level of tracing to help admins identify where the outdated connections are coming from. For related information, refer to the following Wiki article: Unable to connect to patched Domino servers using SSLv2 backwards compatibility mode.
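To show what separates an SSLv2-framed ClientHello from a record-layer one, the following added example (not IBM or Domino code) classifies the first bytes of a connection, for instance from a packet capture taken while tracking down the outdated clients. The function names, sample labels and sample bytes are constructed for illustration; whether the offered version is one the server supports is left to the server.

```python
import struct

# Protocol version numbers as they appear on the wire.
VERSIONS = {0x0002: "SSL 2.0", 0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def classify_client_hello(data: bytes) -> dict:
    """Classify the first bytes a client sends on an SSL/TLS port."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes of the first record")
    # SSLv2 framing: 2-byte header with the high bit set (15-bit length),
    # then message type 1 (CLIENT-HELLO) and the highest version offered.
    if data[0] & 0x80 and data[2] == 0x01:
        length = struct.unpack(">H", data[:2])[0] & 0x7FFF
        offered = struct.unpack(">H", data[3:5])[0]
        verdict = ("v2 hello, offers a newer version" if offered >= 0x0300
                   else "v2 hello, SSL 2.0 only")
        return {"framing": "sslv2", "length": length,
                "offered": VERSIONS.get(offered, hex(offered)), "verdict": verdict}
    # SSLv3/TLS framing: record type 0x16 (handshake), record version, record
    # length, handshake type 1 (ClientHello), 3-byte length, client version.
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x01:
        return {"framing": "tls-record", "length": struct.unpack(">H", data[3:5])[0],
                "offered": VERSIONS.get(struct.unpack(">H", data[9:11])[0], "other"),
                "verdict": "record-layer hello"}
    return {"framing": "unknown", "length": 0, "offered": None,
            "verdict": "not a ClientHello"}

def build_v2_hello(version: int) -> bytes:
    """Constructed sample: SSLv2-framed CLIENT-HELLO with one cipher spec."""
    body = struct.pack(">BHHHH", 1, version, 3, 0, 16)  # type, version, lengths
    body += b"\x00\x00\x2f" + bytes(16)                  # cipher spec, challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

# Constructed samples, not captured traffic.
SAMPLES = {
    "legacy-jvm": build_v2_hello(0x0301),
    "v2-only": build_v2_hello(0x0002),
    "modern": bytes.fromhex("16030100310100002d0303"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_client_hello(raw))
```

Only the first sample matches the case the variable describes: SSLv2 framing that offers a newer protocol version.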