0

I'm working on a web site hosted in IIS (10) on a Windows server (Server 2019). The site was previously able to send emails out through smtp.office365.com using basic auth. I used IISCrypto to disable TLS 1.0 (and lower) so that only TLS 1.1 and 1.2 were enabled. It caused this error:

The client and server cannot communicate, because they do not possess a common algorithm

Re-enabling TLS 1.0 causes the error to go away. Using SSLLabs.com's server test shows that both my site and smtp.office365.com should be able to support TLS 1.1 and 1.2 with a number of ciphers in common. Why won't they connect?

tloflin
  • 103
  • 2
  • My guess would be a code/framework configuration issue. There's more to this than operating system support. – Greg Askew Sep 10 '20 at 18:04
  • I see. I suppose I can dig into the code issue and see if there's anything I can do to get it working correctly. – tloflin Sep 10 '20 at 19:00
  • 1
    I would use Wireshark and capture the actual SMTP TLS handshake. Then check the client hello what town versions and ciphers your IIS offers. – Robert Sep 10 '20 at 20:58
  • IISCrypto mainly manipulates "server" TLS settings, which won't affect sending mails out ("client" TLS settings). So I agree that you need to use tools like Wireshark to dig further. – Lex Li Sep 10 '20 at 21:36

1 Answers1

1

That's probably due to .NET framework version is being used.

Reference No.1 https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls

Reference No.2 https://stackoverflow.com/questions/26742054/the-client-and-server-cannot-communicate-because-they-do-not-possess-a-common-a

As per Microsoft recommendation:

  • Target .NET Framework 4.7 or later versions on your apps. Target .NET Framework 4.7.1 or later versions on your WCF apps.

  • Do not specify the TLS version. Configure your code to let the OS decide on the TLS version.

  • Perform a thorough code audit to verify you're not specifying a TLS or SSL version.

Alexred
  • 68
  • 4