Exchange Online Originates SSLv2 Connections Instead of TLSv1 Connections


I am setting up Exchange Online Voice Mail Integration. The SBC negotiates TLSv1 with Exchange Online for both SIP Options and for calls to Exchange Online for AA and Voice Mail drops, but when Exchange Online has to originate a connection to my SBC for outbound calls from Exchange Online or SIP Notify messages for MWI, Exchange Online is using SSLv2 (per Wireshark traces) for the negotiations which is causing the connection to fail. My SBC supports TLSv1 but not the older SSLv2 spec.

 

My question is: is this the expected operation, that for any connections that originate from the Exchange Online SBC to my site SBC, Exchange Online will always start the negotiation with SSLv2? Could Wireshark be reading the packets improperly?

 

This is not the way EUM 2007 or EUM 2010 operates.

Verified Answer
  • When the Exchange Online SBC acts as UAC, it will always send out an SSLv2 Client Hello message for the TLS connection. Normally, if the UAS does not support SSLv2, it will respond with a higher version and negotiate from that point. Unfortunately, some of the UAS implementations are really strict about the SSL version. They will simply close the connection and do not try to "negotiate" at all.

    So your outgoing TLS version, TLSv1, is okay, but I highly recommend that your incoming TLS version should be configured as 'any' protocol for accepting Client Hello.

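A Client Hello sent in the SSLv2 record format can still offer TLSv1 in its version field, which is the case the answer above describes. The following is an added example, not part of the original thread or any vendor code, that parses the first bytes of a connection to tell an SSLv2-format hello offering TLSv1 apart from a client limited to SSLv2; the function names and sample bytes are constructed for illustration.

```python
import struct

# Wire version numbers (major, minor) and their usual names.
VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def classify_client_hello(data: bytes) -> dict:
    """Classify the first bytes a client sends on a new connection."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 record format: 15-bit length (high bit set), message type 1
        # (CLIENT-HELLO), then the highest version the client will accept.
        ver = (data[3], data[4])
        return {"format": "SSLv2-format hello",
                "record_length": struct.unpack(">H", data[:2])[0] & 0x7FFF,
                "max_version": VERSIONS.get(ver, "unknown"),
                "sslv2_only": ver == (0, 2)}
    if len(data) >= 11 and data[0] == 0x16 and data[1] == 3 and data[5] == 0x01:
        # TLS record format: content type 22 (handshake), record version,
        # length, handshake type 1 (ClientHello), 3-byte length, client_version.
        ver = (data[9], data[10])
        return {"format": "TLS record hello",
                "record_length": struct.unpack(">H", data[3:5])[0],
                "max_version": VERSIONS.get(ver, "unknown"),
                "sslv2_only": False}
    return {"format": "unknown", "record_length": None,
            "max_version": None, "sslv2_only": False}

def build_v2_format_hello(version=(3, 1)) -> bytes:
    """Constructed sample: SSLv2-format CLIENT-HELLO offering `version`."""
    ciphers = bytes.fromhex("00002f00000a")      # two 3-byte cipher specs
    challenge = bytes(16)                        # constructed, all zeros
    body = (bytes([0x01, *version]) +
            struct.pack(">HHH", len(ciphers), 0, len(challenge)) +
            ciphers + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body

def build_tls_record_hello(version=(3, 1)) -> bytes:
    """Constructed sample: ClientHello in a TLS handshake record."""
    hello = (bytes(version) + bytes(32) + b"\x00" +   # version, random, sid len
             b"\x00\x02\x00\x2f" + b"\x01\x00")       # suites, compression
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + struct.pack(">H", len(hs)) + hs

if __name__ == "__main__":
    for sample in (build_v2_format_hello(), build_v2_format_hello((0, 2)),
                   build_tls_record_hello()):
        print(classify_client_hello(sample))
```

Feeding it the first payload bytes of a captured connection shows whether the peer is only using the older framing or is actually restricted to SSLv2.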