Re: openssl failed to connect to MS Exchange Server (Office365) on RHEL 7.x

Chandu Gangireddy <cgcyient@xxxxxxxxx> · Sat, 11 May 2019 15:09:31 -0400

Thank you so much for the response Jakob.
Yes I agree with you about the connection succeeded and later rejected on credentials part. The same worked from all the RHEL Version below 7 so I was thinking it might be a issue at OS level. 

Based on your suggestion, I feel that the issue is with the Exchange Server. Please double confirm.

Thanks and Regards
Chandu 

On Sat, May 11, 2019, 3:02 PM Jakob Bohm via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
Your transcript below seems to show a successful connection to Microsoft's

cloud mail, then Microsoft rejecting the password and closing the 

connection.

You are not connecting to your own Exchange server, but to a central 

Microsoft

service that also handles their consumer mail accounts (hotmail.com, 

live.com,

outlook.com etc.).  This service load balances connections between many 

servers

which cab give different results for each try.

On 10/05/2019 17:01, Chandu Gangireddy wrote:

> Dear OpenSSL Users,

>

> At my corporate environment, I'm experience a challenge to use openssl 

> s_client utility. I really appreciate if someone can help me narrow 

> down the issue.

>

> Here the details -

>

> Platform: RHEL 7.x

> *Openssl version:*

> OpenSSL 1.0.2k-fips  26 Jan 2017

> built on: reproducible build, date unspecified

> platform: linux-x86_64

> options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) 

> idea(int) blowfish(idx)

> compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB 

> -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT 

> -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 

> -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 

> -grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY 

> -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 

> -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM 

> -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM 

> -DGHASH_ASM -DECP_NISTZ256_ASM

> OPENSSLDIR: "/etc/pki/tls"

> engines:  rdrand dynamic

>

> Command tried to tes the connectivity between my Linux client server 

> to remote office 365 exchange server using POP3 port -

>

> $ openssl s_client -crlf -connect outlook.office365.com:995 

> <http://outlook.office365.com:995>

> ...

> ...

> subject=/C=US/ST=Washington/L=Redmond/O=Microsoft 

> Corporation/CN=outlook.com <http://outlook.com>

> issuer=/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1

> ---

> No client certificate CA names sent

> Peer signing digest: SHA256

> Server Temp Key: ECDH, P-256, 256 bits

> ---

> SSL handshake has read 3952 bytes and written 415 bytes

> ---

> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384

> Server public key is 2048 bit

> Secure Renegotiation IS supported

> Compression: NONE

> Expansion: NONE

> No ALPN negotiated

> SSL-Session:

>     Protocol  : TLSv1.2

>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384

>     Session-ID: 

> 072F0000FFDC6177DE9CAB2B59EA06E486A25AD8A2882A9B82F16678BAD74E79

>     Session-ID-ctx:

>     Master-Key: 

> DD7B59F38867FEAB9656B519FBCD743158E528C63FF9A96CE758120424159F26967F9F6FE57A9B5E7CAD806798322278

>     Key-Arg   : None

>     Krb5 Principal: None

>     PSK identity: None

>     PSK identity hint: None

>     Start Time: 1557500061

>     Timeout   : 300 (sec)

>     Verify return code: 0 (ok)

> ---

> +OK The Microsoft Exchange POP3 service is ready. 

> [QgBOADYAUABSADEANABDAEEAMAAwADQAMgAuAG4AYQBtAHAAcgBkADEANAAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]

> *USER netcool2@xxxxxxx <mailto:netcool2@xxxxxxx>*

> *+OK*

> *PASS XXXXXXXX*

> *-ERR Logon failure: unknown user name or bad password.*

> *quit*

> *+OK Microsoft Exchange Server POP3 server signing off.*

> *read:errno=0*

>

> Operating System:

> Red Hat Enterprise Linux Server release 7.2 (Maipo)

>

> When I did the same from a different server, it worked as expected. 

> Following are the two difference which I noticed between a working 

> server and non-working server.

> *

> *

> *Working server details:*

> 1. Red Hat Enterprise Linux Server release 6.9 (Santiago)

> 2. openssl version

> OpenSSL 1.0.1e-fips 11 Feb 2013

> built on: Mon Jan 30 07:47:24 EST 2017

> platform: linux-x86_64

> options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) 

> idea(int) blowfish(idx)

> compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS 

> -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN 

> -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 

> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic 

> -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT 

> -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM 

> -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM 

> -DWHIRLPOOL_ASM -DGHASH_ASM

> OPENSSLDIR: "/etc/pki/tls"

> engines:  dynamic

>

> Please let me know if you need any further details from my end.

>

> Thanks, in advance.

> Chandu

-- 

Jakob Bohm, CIO, partner, WiseMo A/S. https://www.wisemo.com

Transformervej 29, 2860 Soborg, Denmark. direct: +45 31 13 16 10 

<call:+4531131610>

This message is only for its intended recipient, delete if misaddressed.

WiseMo - Remote Service Management for PCs, Phones and Embedded