Hi Viktor,

Many thanks for your help. The server only allows specific IPs, so I am afraid that the internet can't access this server. I will try to dump the packets to compare them. So may I know whether the Exchange server will only pick one of the 64 ciphers in the list provided by the client, or whether there is a limitation where the openssl client only sends out a 64-cipher list during the handshake?

PS: I am using openssl 1.0.1e.

openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr 8 02:39:29 UTC 2014
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  rdrand dynamic

/usr/bin/openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr 8 02:39:29 UTC 2014
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  rdrand dynamic

Regards,
King

2015-05-21 18:13 GMT+08:00 Viktor Dukhovni <postfix-us...@dukhovni.org>:
> On Thu, May 21, 2015 at 04:10:36PM +0800, King Cao wrote:
>
> > I execute openssl and posttls-finger on the same machine, below are the
> > ldd output.
> >
> > ldd /usr/bin/openssl
> > ...
> > libssl.so.10 => /usr/lib64/libssl.so.10 (0x0000003b66c00000)
> > libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x0000003b64400000)
> > ...
>
> Is this the first "openssl" on your PATH?  Your examples are
> for "openssl" without an explicit "/usr/bin" prefix.
>
> > ldd ./posttls-finger
> > ...
> > libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f4f16516000)
> > libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f4f16135000)
> > ...
>
> This is I am guessing OpenSSL 1.0.x.  Please post the output of:
>
> "openssl version -a"
>
> and
>
> "/usr/bin/openssl version -a"
>
> > # openssl ciphers 'ALL:+RC4:!3DES:@STRENGTH' -v| egrep -n 'RC4-MD5'
>
> This is not the right way to find the offset, because you're counting
> ciphers that are disabled in the absence of SRP or PSK shared
> secrets and/or Kerberos credentials.  To really determine what the
> difference is, decode the two SSL client HELO messages with wireshark.
>
> Also, not disclosing the server name or IP address is a major
> impediment to getting help with this issue.  I am much less effective
> when blindfolded.
>
> --
> Viktor.
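As an added example that is not part of this thread, the following Python does in code what Viktor suggests doing in Wireshark: it reads the cipher_suites field straight out of a ClientHello record, so the count and order reflect what actually went on the wire rather than what `openssl ciphers` enumerates. The records are constructed inline by `build_client_hello`, a helper assumed here (no extensions, random filled from `os.urandom`), and the small name table covers only a few suites.

```python
import os
import struct

# A few IANA suite codes, mapped to names, for readable output (not a complete table).
SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",            # OpenSSL name: RC4-MD5
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

def build_client_hello(suites, version=(3, 3)):
    """Constructed ClientHello record for testing; no extensions, null compression only."""
    body = bytes(version) + os.urandom(32) + b"\x00"            # client_version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22

def parse_client_hello_ciphers(record):
    """Return the cipher suite codes offered in a TLS ClientHello record, in wire order."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) < 4 or handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) < body_len:
        raise ValueError("truncated ClientHello (record may be fragmented)")
    pos = 2 + 32                                   # skip client_version and 32-byte random
    pos += 1 + body[pos]                           # skip session_id (length-prefixed)
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]

def suite_name(code):
    return SUITE_NAMES.get(code, "0x%04X" % code)

def diff_offered(suites_a, suites_b):
    """Suites offered by client A but not B, and by B but not A (sorted by code)."""
    return sorted(set(suites_a) - set(suites_b)), sorted(set(suites_b) - set(suites_a))

if __name__ == "__main__":
    offered = parse_client_hello_ciphers(build_client_hello([0x0004, 0x002F, 0x0035, 0xC030]))
    print(len(offered), "suites on the wire:", [suite_name(c) for c in offered])
```

On a real capture, feed it the bytes of the first client-to-server record from each of the two clients and compare `len()` and `diff_offered()` of the results; that settles whether one client sends 64 suites or more.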