openssl failed to connect to MS Exchange Server (Office365) on RHEL 7.x

Chandu Gangireddy
Dear OpenSSL Users,

In my corporate environment, I'm experiencing a challenge using the openssl s_client utility. I would really appreciate it if someone could help me narrow down the issue.

Here are the details:

Platform: RHEL 7.x
Openssl version:
OpenSSL 1.0.2k-fips  26 Jan 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  rdrand dynamic 

Command tried to test the connectivity between my Linux client server and the remote Office 365 Exchange server using the POP3 port:

$ openssl s_client -crlf -connect outlook.office365.com:995
...
...
subject=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3952 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 072F0000FFDC6177DE9CAB2B59EA06E486A25AD8A2882A9B82F16678BAD74E79
    Session-ID-ctx: 
    Master-Key: DD7B59F38867FEAB9656B519FBCD743158E528C63FF9A96CE758120424159F26967F9F6FE57A9B5E7CAD806798322278
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1557500061
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK The Microsoft Exchange POP3 service is ready. [QgBOADYAUABSADEANABDAEEAMAAwADQAMgAuAG4AYQBtAHAAcgBkADEANAAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]
+OK
PASS XXXXXXXX
-ERR Logon failure: unknown user name or bad password.
quit
+OK Microsoft Exchange Server POP3 server signing off.
read:errno=0

Operating System:
Red Hat Enterprise Linux Server release 7.2 (Maipo)

When I did the same from a different server, it worked as expected. The following are the two differences that I noticed between a working server and the non-working server.

Working server details:
1. Red Hat Enterprise Linux Server release 6.9 (Santiago)
2. openssl version 
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Jan 30 07:47:24 EST 2017
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  dynamic 

Please let me know if you need any further details from my end.

Thanks in advance.
Chandu
Re: openssl failed to connect to MS Exchange Server (Office365) on RHEL 7.x

OpenSSL - User mailing list
Your transcript below seems to show a successful connection to Microsoft's
cloud mail, then Microsoft rejecting the password and closing the
connection.

You are not connecting to your own Exchange server, but to a central
Microsoft service that also handles their consumer mail accounts
(hotmail.com, live.com, outlook.com etc.).  This service load balances
connections between many servers, which can give different results for
each try.

On 10/05/2019 17:01, Chandu Gangireddy wrote:

> Dear OpenSSL Users,
>
> In my corporate environment, I'm experiencing a challenge using the
> openssl s_client utility. I would really appreciate it if someone could
> help me narrow down the issue.
>
> Here are the details:
>
> Platform: RHEL 7.x
> Openssl version:
> OpenSSL 1.0.2k-fips  26 Jan 2017
> built on: reproducible build, date unspecified
> platform: linux-x86_64
> options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int)
> idea(int) blowfish(idx)
> compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB
> -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT
> -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
> -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4
> -grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY
> -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
> -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
> -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM
> -DGHASH_ASM -DECP_NISTZ256_ASM
> OPENSSLDIR: "/etc/pki/tls"
> engines:  rdrand dynamic
>
> Command tried to test the connectivity between my Linux client server
> and the remote Office 365 Exchange server using the POP3 port:
>
> $ openssl s_client -crlf -connect outlook.office365.com:995
> ...
> ...
> subject=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
> issuer=/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 3952 bytes and written 415 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID:
> 072F0000FFDC6177DE9CAB2B59EA06E486A25AD8A2882A9B82F16678BAD74E79
>     Session-ID-ctx:
>     Master-Key:
> DD7B59F38867FEAB9656B519FBCD743158E528C63FF9A96CE758120424159F26967F9F6FE57A9B5E7CAD806798322278
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1557500061
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> +OK The Microsoft Exchange POP3 service is ready.
> [QgBOADYAUABSADEANABDAEEAMAAwADQAMgAuAG4AYQBtAHAAcgBkADEANAAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]
> USER [hidden email]
> +OK
> PASS XXXXXXXX
> -ERR Logon failure: unknown user name or bad password.
> quit
> +OK Microsoft Exchange Server POP3 server signing off.
> read:errno=0
>
> Operating System:
> Red Hat Enterprise Linux Server release 7.2 (Maipo)
>
> When I did the same from a different server, it worked as expected.
> The following are the two differences that I noticed between a working
> server and the non-working server.
>
> Working server details:
> 1. Red Hat Enterprise Linux Server release 6.9 (Santiago)
> 2. openssl version
> OpenSSL 1.0.1e-fips 11 Feb 2013
> built on: Mon Jan 30 07:47:24 EST 2017
> platform: linux-x86_64
> options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int)
> idea(int) blowfish(idx)
> compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS
> -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN
> -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
> -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
> -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM
> -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM
> -DWHIRLPOOL_ASM -DGHASH_ASM
> OPENSSLDIR: "/etc/pki/tls"
> engines:  dynamic
>
> Please let me know if you need any further details from my end.
>
> Thanks in advance.
> Chandu


--
Jakob Bohm, CIO, partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark. direct: +45 31 13 16 10
This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded
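
The distinction drawn in the reply above (TLS handshake succeeded, POP3 login rejected) can be checked mechanically on a saved s_client transcript. This is an added example, not part of the original thread; the function names `classify_s_client` and `sample_transcript` are hypothetical, and the sample is abbreviated from the post with a placeholder USER value.

```shell
#!/bin/sh
# Added example: classify a saved `openssl s_client` transcript by layer.
# Reads the transcript on stdin and prints exactly one of:
#   tls_failed | tls_ok_no_login | tls_ok_auth_accepted | tls_ok_auth_rejected
classify_s_client() {
    awk '
        { sub(/\r$/, "") }                              # tolerate CRLF captures
        /Cipher is /          { cipher = $NF }          # "(NONE)" if no handshake completed
        /Verify return code:/ { verify = $4 }           # 0 means the chain validated
        /^PASS /              { sent_pass = 1; next }   # client input; the secret is never printed
        # Only the first server reply after PASS is the login verdict.
        sent_pass && auth == "" && /^\+OK/ { auth = "accepted" }
        sent_pass && auth == "" && /^-ERR/ { auth = "rejected" }
        END {
            if (cipher == "" || cipher == "(NONE)" || verify != "0")
                print "tls_failed"
            else if (auth == "")
                print "tls_ok_no_login"
            else
                print "tls_ok_auth_" auth
        }
    '
}

# Abbreviated from the transcript in the post; the USER value is a placeholder.
sample_transcript() {
    cat <<'EOF'
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)
---
+OK The Microsoft Exchange POP3 service is ready.
USER user@example.invalid
+OK
PASS XXXXXXXX
-ERR Logon failure: unknown user name or bad password.
quit
+OK Microsoft Exchange Server POP3 server signing off.
EOF
}

sample_transcript | classify_s_client
```

A result of `tls_ok_auth_rejected` places the failure in the mail service's credential check rather than in the local OpenSSL build or trust store.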
Re: openssl failed to connect to MS Exchange Server (Office365) on RHEL 7.x

Chandu Gangireddy
Thank you so much for the response, Jakob.

Yes, I agree with you that the connection succeeded and was later rejected on the credentials part. The same worked from all the RHEL versions below 7, so I was thinking it might be an issue at the OS level.

Based on your suggestion, I feel that the issue is with the Exchange Server. Please double confirm.

Thanks and Regards
Chandu 

On Sat, May 11, 2019, 3:02 PM Jakob Bohm via openssl-users <[hidden email]> wrote:
> Your transcript below seems to show a successful connection to Microsoft's
> cloud mail, then Microsoft rejecting the password and closing the
> connection.
>
> You are not connecting to your own Exchange server, but to a central
> Microsoft service that also handles their consumer mail accounts
> (hotmail.com, live.com, outlook.com etc.).  This service load balances
> connections between many servers, which can give different results for
> each try.
