msidnam asked:

Exchange 2010 SSL/TLS certificate presenting on port 25

Hello Experts,
I have an issue that I am not sure where to begin to fix. We have an SSL cert for our Exchange 2010 server that is used for IIS, SMTP, POP and IMAP.

We have several Ubuntu servers that connect to the Exchange server via TLS. Starting today, our Linux admin says that the cert is not being presented when connecting to port 25, but it is when connecting to port 443.

I am not sure where to look for this. My understanding was that as long as the SSL cert is installed and assigned to services, it will present the cert.

The command our Linux admin is using is:

echo |  openssl s_client -ssl3 -msg -state -connect name of exchange server:25

echo |  openssl s_client -ssl3 -msg -state -connect name of exchange server:443

When using port 25, a message comes up that says:
SSL3 alert write:fatal:handshake failure
SSL_connect:error in SSLv3 read server hello A
140027732485792:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1446577982
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

When using port 443, it shows the certificate, the issuer and the SSL-Session.

I am not familiar with these Linux commands, so I am not 100% sure what it's doing. The Linux admin said it was working yesterday, but I can't verify that.

I'm not sure how to tell exchange to present the certificate on port 25. I've always assumed that was a given.
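An added note on the output above (example code, not part of the original thread or of Exchange): port 25 is a plaintext SMTP port that only switches to TLS after the client has sent EHLO and then STARTTLS, whereas port 443 expects a TLS ClientHello immediately. The `openssl s_client` line shown starts the TLS handshake straight away, so the 5 bytes it reads back are the beginning of the server's ASCII "220" greeting; the OpenSSL record layer tries to parse them as a 5-byte TLS record header, finds a nonsensical version field, and reports "wrong version number". The equivalent check that speaks SMTP first is `openssl s_client -starttls smtp -connect <server>:25`. Separately, `-ssl3` forces SSLv3, which a server hardened to disable SSLv3 will refuse even after STARTTLS. The script below (standard library only; host names are placeholders, and the banner and EHLO reply are constructed samples) shows both halves: it decodes a plaintext banner the way the record layer would, and it probes a server through EHLO/STARTTLS and reports the negotiated protocol, cipher and the certificate the server presents.

```python
"""Probe an SMTP listener for STARTTLS the way `openssl s_client -starttls smtp`
does, and show why a bare TLS handshake against port 25 reports
"wrong version number".

Added example, not code from the original thread. Host names are placeholders.
Standard library only.
"""
import smtplib
import ssl
import struct
import sys

# Constructed sample data (not captured from any real server).
SAMPLE_BANNER = b"220 mail.example.invalid Microsoft ESMTP MAIL Service ready\r\n"
SAMPLE_EHLO = (
    b"250-mail.example.invalid Hello [10.0.0.5]\r\n"
    b"250-SIZE 10485760\r\n"
    b"250-STARTTLS\r\n"
    b"250-AUTH LOGIN\r\n"
    b"250 CHUNKING\r\n"
)

# Record-layer version fields a client will accept; TLS 1.3 also uses 0x0303.
RECORD_VERSIONS = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}
# Record content types: ChangeCipherSpec, Alert, Handshake, ApplicationData.
RECORD_TYPES = {20, 21, 22, 23}


def read_as_tls_record_header(data: bytes) -> dict:
    """Interpret the first 5 bytes of a reply as a TLS record header.

    After sending ClientHello, OpenSSL reads exactly 5 bytes (type, major,
    minor, length) and checks the version. Against a plaintext SMTP port
    those 5 bytes are ASCII from the "220 ..." greeting, so the version
    check fails: that is the "read 5 bytes" / "wrong version number" above.
    """
    if len(data) < 5:
        raise ValueError("a record header needs at least 5 bytes")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    version = (major, minor)
    return {
        "content_type": content_type,
        "version": version,
        "version_name": RECORD_VERSIONS.get(version, "wrong version number"),
        "length": length,
        "looks_like_tls": version in RECORD_VERSIONS and content_type in RECORD_TYPES,
    }


def parse_ehlo_extensions(reply: bytes) -> set:
    """Return the extension keywords advertised in a multi-line EHLO reply.

    The first 250 line is the server greeting; every following line is
    "250-KEYWORD ..." or, for the last one, "250 KEYWORD ...".
    """
    lines = reply.decode("ascii", errors="replace").splitlines()
    extensions = set()
    for line in lines[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()          # drop "250-" or "250 "
        if body:
            extensions.add(body.split()[0].upper())
    return extensions


def probe_starttls(host: str, port: int = 25, verify: bool = True,
                   timeout: float = 10.0) -> dict:
    """Speak SMTP first, upgrade with STARTTLS, and report what the server
    presented. With verify=True the default context checks the chain and
    hostname; verify=False behaves like s_client and reports an untrusted
    certificate instead of failing, which is what a diagnostic wants.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls_offered": False,
                    "extensions": dict(smtp.esmtp_features)}
        smtp.starttls(context=ctx)
        sock = smtp.sock                         # now an ssl.SSLSocket
        der = sock.getpeercert(binary_form=True)
        return {
            "starttls_offered": True,
            "protocol": sock.version(),
            "cipher": sock.cipher()[0],
            "peer_cert_pem": ssl.DER_cert_to_PEM_cert(der) if der else None,
        }


if __name__ == "__main__":
    print(read_as_tls_record_header(SAMPLE_BANNER))
    print(sorted(parse_ehlo_extensions(SAMPLE_EHLO)))
    if len(sys.argv) > 1:                        # python probe.py mail.example.invalid
        print(probe_starttls(sys.argv[1], verify=False))
```

Run it with the Exchange host name as the only argument. If `starttls_offered` comes back False, the receive connector is not advertising STARTTLS (for example because no certificate is assigned to the SMTP service); if it comes back True, the `peer_cert_pem` field is the certificate actually presented on port 25 and can be compared with the one seen on 443.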
Jeff Lewandowski

"when using 443 it shows the certificate, the issuer and the SSL-Session."

Port 25 will not show the certificate and will not start the handshake.  It is an unsecured SMTP port.  You need to use port 443 for this purpose.
msidnam (ASKER)

What about when starting a TLS session on port 25?

Jeff Lewandowski

Sorry, read it too fast. Any updates to the servers, changes to the certificate, changes to the TLS settings on the Exchange server or Ubuntu servers?

Seems like they can't agree on a protocol version.  Are there older versions of TLS, SSL enabled?
msidnam (ASKER)

No updates to the Exchange server or certs. I will ask about Linux updates.

I used a PowerShell script and a program called IIS Crypto about a year or so ago to remove all the weak ciphers. But I haven't changed anything since. Below is a pic of what I have enabled. This hasn't changed for a while.

[Screenshot: the protocols and ciphers enabled on the Exchange server]
ASKER CERTIFIED SOLUTION
Jeff Lewandowski

msidnam (ASKER)

When I sent the screenshot, I got to thinking the same thing. But if I change the port from 25 to 443, it responds back with the cert info.
msidnam (ASKER)

My Linux admin never got back to me after I asked him the question. So I am thinking it's something on his end.