Wednesday, October 4, 2017

Issues with POP/IMAP Certificates with Exchange Online.



From time to time Microsoft updates the certificates installed on its services. Most applications handle these changes by trusting the intermediate and root certificate issuers. Some Java-based applications cannot trust via this method and have to trust the issued certificate from the server directly.


You might not notice this right away because of how updates are rolled out in Office 365: you might see occasional connectivity issues at first, and they increase as more and more systems are deployed with the new certificate.


The easy way to fix this is to use openssl to query for the certificate information and then add the certificate to the application's trusted certificates.




Microsoft has released a list of their Office 365 certificate chains. You can download the Root and Intermediates all in one bundle:


http://aka.ms/o365chains



Here are some examples of how to retrieve the certificates from the different services that these Java-based applications typically use.


SMTP:
openssl s_client -connect smtp.office365.com:25 -starttls smtp -showcerts


IMAP:
openssl s_client -connect outlook.office365.com:993 -showcerts


POP:
openssl s_client -connect outlook.office365.com:995 -showcerts


Here's an example of what you get back (this one is from the POP command). Just copy the text from -----BEGIN CERTIFICATE----- through to -----END CERTIFICATE-----.

CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
---
No client certificate CA names sent
Peer signing digest: SHA1
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3487 bytes and written 487 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 250E00000330A8580D7594629C0C7C9C73D0B0CE5FA52F343076FAB57287DBAA
    Session-ID-ctx:
    Master-Key: C92EBAA17285AB6D42D920AE69F2A96210BCAD1C08580951DD26E726150A60F8A0C568211E53C62B645944E016A51E87
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1507156597
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK The Microsoft Exchange POP3 service is ready. [QgBOADYAUABSADEANgBDAEEAMAAwADIAMgAuAG4AYQBtAHAAcgBkADEANgAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]
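The manual copy step above gets tedious when you have several endpoints and a Java truststore to feed. The script below is an added example, not something from the original post: it runs the same openssl s_client commands, splits every -----BEGIN/END CERTIFICATE----- block in the output into its own file (cert-0.pem is the server certificate, cert-1.pem the intermediate, and so on), and imports each one into a Java truststore with keytool. It assumes openssl and keytool are on PATH; the truststore path, store password and the "o365" alias prefix are placeholders, not values from the post. Because it imports the leaf as well as the intermediate, the leaf alias has to be refreshed whenever Microsoft rotates that certificate, which is exactly the event that causes the outage described above, so keep the script around.

```shell
#!/bin/sh
# Added example (not from the original post): fetch the certificate chain an
# Exchange Online endpoint presents, split it into one PEM file per
# certificate, and import each into a Java truststore.
# Assumptions: openssl and keytool are installed; TRUSTSTORE/TRUSTSTORE_PASS
# below are placeholders for the truststore the Java client actually uses.

# Run s_client against HOST:PORT and print its full output. A third argument
# selects STARTTLS (e.g. "smtp" for port 25). stdin is redirected from
# /dev/null so s_client exits after the handshake instead of waiting for
# protocol commands.
fetch_chain_output() {
    host=$1; port=$2; proto=$3
    if [ -n "$proto" ]; then
        openssl s_client -connect "$host:$port" -starttls "$proto" -showcerts </dev/null 2>/dev/null
    else
        openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null
    fi
}

# Write each -----BEGIN/END CERTIFICATE----- block found in FILE to
# OUTDIR/cert-N.pem, where N is the position in the chain (0 = the server's
# own certificate). Prints the number of certificates written.
split_pem_blocks() {
    file=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        BEGIN { n = 0; inblock = 0 }
        /-----BEGIN CERTIFICATE-----/ { out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { print > out }
        /-----END CERTIFICATE-----/   { close(out); inblock = 0; n++ }
        END { print n }
    ' "$file"
}

# Import every cert-N.pem in DIR into the truststore. The alias is derived
# from the file name plus a prefix so the leaf and intermediate get distinct
# entries; keytool refuses to import under an alias that already exists, so a
# rotated leaf shows up as an error rather than being silently skipped.
import_into_truststore() {
    dir=$1; keystore=$2; storepass=$3; prefix=$4
    for pem in "$dir"/cert-*.pem; do
        [ -e "$pem" ] || continue
        name=$(basename "$pem" .pem)
        keytool -importcert -noprompt -trustcacerts \
            -alias "$prefix-$name" -file "$pem" \
            -keystore "$keystore" -storepass "$storepass"
    done
}

# Usage: sh o365-trust.sh outlook.office365.com 993
#        sh o365-trust.sh outlook.office365.com 995
#        sh o365-trust.sh smtp.office365.com 25 smtp
if [ "$#" -ge 2 ]; then
    workdir=$(mktemp -d)
    fetch_chain_output "$1" "$2" "$3" > "$workdir/s_client.txt"
    count=$(split_pem_blocks "$workdir/s_client.txt" "$workdir/certs")
    echo "extracted $count certificate(s) from $1:$2 into $workdir/certs"
    # Placeholder truststore location and password; override via environment.
    import_into_truststore "$workdir/certs" \
        "${TRUSTSTORE:-/path/to/app-truststore.jks}" \
        "${TRUSTSTORE_PASS:-changeit}" "o365"
fi
```

Run it once per endpoint the application talks to (IMAP 993, POP 995, SMTP 25 with the smtp STARTTLS argument), then restart the Java application so it re-reads the truststore. The extracted cert-N.pem files are left in the temporary directory so you can inspect them with openssl x509 -noout -subject -issuer -dates before trusting them.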
