Hello Marc,

I had a quick look at the implementation:
http://grepcode.com/file/repo1.maven.org/maven2/org.apache.avalon.cornerstone.sockets/cornerstone-sockets-impl/2.2.2/org/apache/avalon/cornerstone/blocks/sockets/TLSServerSocketFactory.java#TLSServerSocketFactory.initServerSocket%28java.net.ServerSocket%29

The TLSServerSocketFactory of the Cornerstone library simply uses the Sun SSL Server sockets. So it seems to depend on the installed JRE and the default handling there. Maybe the older JRE (JRE 6) may not be able to use "newer" algorithms, but I did not check this. But I am sure the SSL handling has changed between the Java versions, as described in:
https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html

The <protocol>TLS</protocol> may be the old TLSv1 implementation, and I think you need to use TLSv1.2. See here:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#SupportClasses
or here:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#SupportClasses

So I would recommend:
- check which JRE you are using, maybe you could try a newer one (I think this is important)
- try to change <protocol>TLS</protocol> to <protocol>TLSv1.2</protocol>, but that may fail
- try to install the JCE library (depends on your JRE version), if you are allowed to (export restrictions apply). Exactly: Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. It is a download at the end of the JRE download page.

Because the standard SSL library from SUN is used, you may configure the SSL options using runtime properties. These could be supplied by "-d" parameters when starting the james process. I know this for JMX, not sure for SSL, maybe this could help.
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization

All things mentioned here are not tested, and are just my "thoughts" about the problem. So it may be totally leading in the wrong direction.

Regards
Berdn

-----Original Message-----
From: Marc Chamberlin [mailto:m...@marcchamberlin.com]
Sent: Tuesday, 29 December 2015 05:40
To: server-user@james.apache.org
Subject: Re: TLS/SSL on James 2.3.2

Thanks David for your response, unfortunately I don't understand how to connect the dots... Taking a wild guess I suspect that in