openssl failed to connect to MS Exchange Server (Office365) on RHEL 7.x

Jakob Bohm jb-openssl at wisemo.com
Sat May 11 19:01:37 UTC 2019 

Your transcript below seems to show a successful connection to Microsoft's
cloud mail, then Microsoft rejecting the password and closing the 
connection.

You are not connecting to your own Exchange server, but to a central 
Microsoft
service that also handles their consumer mail accounts (hotmail.com, 
live.com,
outlook.com etc.).  This service load balances connections between many 
servers
which cab give different results for each try.

On 10/05/2019 17:01, Chandu Gangireddy wrote:
> Dear OpenSSL Users,
>
> At my corporate environment, I'm experience a challenge to use openssl 
> s_client utility. I really appreciate if someone can help me narrow 
> down the issue.
>
> Here the details -
>
> Platform: RHEL 7.x
> *Openssl version:*
> OpenSSL 1.0.2k-fips  26 Jan 2017
> built on: reproducible build, date unspecified
> platform: linux-x86_64
> options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) 
> idea(int) blowfish(idx)
> compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB 
> -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT 
> -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 
> -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 
> -grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY 
> -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 
> -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM 
> -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM 
> -DGHASH_ASM -DECP_NISTZ256_ASM
> OPENSSLDIR: "/etc/pki/tls"
> engines:  rdrand dynamic
>
> Command tried to tes the connectivity between my Linux client server 
> to remote office 365 exchange server using POP3 port -
>
> $ openssl s_client -crlf -connect outlook.office365.com:995 
> <http://outlook.office365.com:995>
> ...
> ...
> subject=/C=US/ST=Washington/L=Redmond/O=Microsoft 
> Corporation/CN=outlook.com <http://outlook.com>
> issuer=/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 3952 bytes and written 415 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID: 
> 072F0000FFDC6177DE9CAB2B59EA06E486A25AD8A2882A9B82F16678BAD74E79
>     Session-ID-ctx:
>     Master-Key: 
> DD7B59F38867FEAB9656B519FBCD743158E528C63FF9A96CE758120424159F26967F9F6FE57A9B5E7CAD806798322278
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1557500061
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> +OK The Microsoft Exchange POP3 service is ready. 
> [QgBOADYAUABSADEANABDAEEAMAAwADQAMgAuAG4AYQBtAHAAcgBkADEANAAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]
> *USER netcool2 at cox.com <mailto:netcool2 at cox.com>*
> *+OK*
> *PASS XXXXXXXX*
> *-ERR Logon failure: unknown user name or bad password.*
> *quit*
> *+OK Microsoft Exchange Server POP3 server signing off.*
> *read:errno=0*
>
> Operating System:
> Red Hat Enterprise Linux Server release 7.2 (Maipo)
>
> When I did the same from a different server, it worked as expected. 
> Following are the two difference which I noticed between a working 
> server and non-working server.
> *
> *
> *Working server details:*
> 1. Red Hat Enterprise Linux Server release 6.9 (Santiago)
> 2. openssl version
> OpenSSL 1.0.1e-fips 11 Feb 2013
> built on: Mon Jan 30 07:47:24 EST 2017
> platform: linux-x86_64
> options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) 
> idea(int) blowfish(idx)
> compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS 
> -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN 
> -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic 
> -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT 
> -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM 
> -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM 
> -DWHIRLPOOL_ASM -DGHASH_ASM
> OPENSSLDIR: "/etc/pki/tls"
> engines:  dynamic
>
> Please let me know if you need any further details from my end.
>
> Thanks, in advance.
> Chandu


-- 
Jakob Bohm, CIO, partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. direct: +45 31 13 16 10 
<call:+4531131610>
This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list