Hello all,

Trying to connect to an Exchange 2003 SP2 Virtual SMTP Server with
s_client but get the following (OpenSSL 0.9.8g):

openssl s_client -connect mail.somehost.com:587 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
1520:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:583:

openssl s_client -connect mail.somehost.com:587 -state -ssl2
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2 write client hello A
(cursor waiting)

openssl s_client -connect mail.somehost.com:587 -state -ssl3
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert write:fatal:handshake failure
SSL_connect:error in SSLv3 read server hello A
1694:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284:


openssl s_client -connect mail.somehost.com:587 -state -starttls smtp
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
***certificate ***
...
SSL handshake has read 1022 bytes and written 335 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: xxxxx ...
    Session-ID-ctx:
    Master-Key: xxxxx ...
    Key-Arg   : None
    Start Time: 1247280228
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

The certificate on the Exchange Server was self-signed and was created
through the IIS SelfCert tool.  I thought perhaps the certificate
wasn't trusted but it seems to be failing at the handshake phase; I
double-checked by trying out Google's mail server (smtp.gmail.com)
which supports SSL/TLS and while the certificate says it's untrusted,
I still get a 250 OK, so I'm not thinking it's the certificate.

Tried it on another box running 0.9.8a, same results.  I'm definitely
not ruling out a poorly-configured Exchange box -- I've gone through
dozens of technet and web articles and everything *should* be working,
but clearly it's not.

Any ideas?  I've been banging away at this for the last couple days
and am at wit's end... any help greatly appreciated.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
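
Added example, not part of the original post: of the four commands above only the one with -starttls smtp lets the SMTP dialogue run before the ClientHello, so this sketch shows what a plaintext SMTP greeting looks like when its first five bytes are read as a TLS record header. The sample bytes and the host name mail.example.test are constructed; the post does not show what the server actually sent.

```python
import struct

# TLS record content types and the record-layer versions a client of that era accepts.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

# Constructed samples: a plaintext SMTP greeting and the start of a TLS ServerHello.
SMTP_BANNER = b"220 mail.example.test ESMTP ready\r\n"
TLS_SERVER_HELLO = bytes.fromhex("160301004a02000046")


def classify_first_bytes(data: bytes) -> dict:
    """Classify the first bytes a server sends after the TCP connect."""
    if len(data) < 5:
        return {"kind": "too-short"}
    # Record header: content type (1), major (1), minor (1), length (2, big-endian).
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype in TLS_CONTENT_TYPES and (major, minor) in TLS_VERSIONS:
        return {"kind": "tls-record", "content_type": TLS_CONTENT_TYPES[ctype],
                "version": TLS_VERSIONS[(major, minor)], "length": length}
    # SMTP reply line: three digits followed by a space or '-'.
    if data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"kind": "smtp-reply", "code": int(data[:3]), "line": line,
                # What a TLS parser would see in the same five bytes.
                "misread_as_tls": {"content_type": ctype,
                                   "version": (major, minor), "length": length}}
    return {"kind": "unknown", "first_bytes": data[:5].hex()}


def advise(result: dict) -> str:
    """Map the classification to the s_client mode that matches the service."""
    if result["kind"] == "smtp-reply":
        return "plaintext SMTP greeting: upgrade with STARTTLS (s_client -starttls smtp)"
    if result["kind"] == "tls-record":
        return "server speaks TLS immediately: connect without -starttls"
    return "neither SMTP nor TLS: check the port and service"


if __name__ == "__main__":
    for sample in (SMTP_BANNER, TLS_SERVER_HELLO):
        result = classify_first_bytes(sample)
        print(result)
        print(" ->", advise(result))
```

The ASCII bytes "220 m" decode as record type 50, version 50.48 and length 8301, none of which is a valid TLS record header.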
