Hi there

We have a customer who is setting up a new SMTP server that requires TLS 1.2
encryption. When trying to send emails from our iSeries software,
communications are terminated because the SSL handshake fails.

I have the following properties set on the java command according to other
suggestions I've found, although I'm not sure these are necessary with Java
1.8:

-Dcom.ibm.jsse2.overrideDefaultTLS=true -Djdk.tls.client.protocols="TLSv1.2"


Below is what I hope is the relevant output that I'm seeing in debug trace
logs:

JVM info: IBM Corporation / 1.8.0_191

DEBUG: setDebug: JavaMail version 1.4.4

IBMJSSE2 will set SSLContext per com.ibm.jsse2.overrideDefaultTLS set to true
Installed Providers =
IBMJSSE2
IBMJCE
IBMJGSSProvider
IBMCertPath

jdk.tls.client.protocols is defined as TLSv1.2
SSLv3 protocol was requested but was not enabled
SUPPORTED: [TLSv1, TLSv1.1, TLSv1.2]
SERVER_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
CLIENT_DEFAULT: [TLSv1.2]


Is initial handshake: true
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256

%% No cached client session

ALPNJSSEExt not initialzed for Client

*** ClientHello, TLSv1

RandomCookie: GMT: 1578433745 bytes = { 133, 249, 99, 223, 234, 102, 34, 127, 222, 254, 243, 104, 255, 57, 119, 83, 128, 86, 120, 69, 67, 238, 115, 24, 66, 88, 172, 65 }
Session ID: {}

Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA,
SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA,
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,
SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA]

Compression Methods: { 0 }

Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=sendmail.henkelgroup.net]
***

[write] MD5 and SHA1 hashes: len = 132


pool-3-thread-1, WRITE: TLSv1 Handshake, length = 132
[Raw write]: length = 137
pool-4-thread-1, received EOFException: error

pool-4-thread-1, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
pool-4-thread-1, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
pool-4-thread-1, WRITE: TLSv1.2 Alert, length = 2

[Raw write]: length = 7




Any suggestions or tips would be very much appreciated.

Thanks
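
Added example, not part of the original post: the trace reports CLIENT_DEFAULT: [TLSv1.2] yet the ClientHello goes out as TLSv1, which is what happens when the protocol list is narrowed on the socket itself after the context is built. The Java 8 sketch below inspects an unconnected socket to show that the per-socket list overrides the context default; the class name TlsProtocolCheck and the narrowing step are assumptions made for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import java.util.Arrays;
import java.util.List;

public class TlsProtocolCheck {

    /** Applies a per-socket override (if any) and returns what the socket will offer. */
    static List<String> enabledAfter(SSLSocket socket, String... override) {
        if (override.length > 0) {
            socket.setEnabledProtocols(override);
        }
        return Arrays.asList(socket.getEnabledProtocols());
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key managers, trust managers, RNG

        // Unconnected socket: nothing is sent, we only inspect its configuration.
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            List<String> supported = Arrays.asList(socket.getSupportedProtocols());
            System.out.println("supported       : " + supported);
            System.out.println("context default : " + enabledAfter(socket));

            // Assumed cause: code between the context and the wire narrows the socket.
            if (supported.contains("TLSv1")) {
                System.out.println("after narrowing : " + enabledAfter(socket, "TLSv1"));
            }

            // Explicit per-socket setting; this decides the ClientHello version.
            List<String> fixed = enabledAfter(socket, "TLSv1.2");
            System.out.println("after explicit  : " + fixed);
            if (!fixed.equals(Arrays.asList("TLSv1.2"))) {
                throw new IllegalStateException("socket would not offer TLSv1.2 only");
            }
        }
        // With JavaMail the equivalent per-socket setting is the session property
        // mail.smtp.ssl.protocols (value "TLSv1.2"), where the version in use honors it.
    }
}
```

If the "after narrowing" line shows only TLSv1, JVM-wide switches such as jdk.tls.client.protocols have no effect on that socket, and the protocol has to be set where the socket is configured.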



This mailing list archive is Copyright 1997-2020 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].