PHP Classes

TLS-Support (Exchange POP3 Service)

Subject:TLS-Support (Exchange POP3 Service)
Summary:no TLS connect to Ex2010 possible
Messages:5
Author:Max Mustermann
Date:2016-06-07 17:05:47
 

  1. TLS-Support (Exchange POP3 Service)
Max Mustermann - 2016-06-07 17:05:47
Hello,

I have a freshly installed Exchange 2010 Server. The default port for unencrypted and TLS POP3 connections is 110. Only SSL is on 995. I want to connect via TLS. (Bindings)

The authentication method in Exchange is "Secure logon. A TLS connection is required for the client to authenticate to the server."

My Config:
----------------
$pop3=new pop3_class;
$pop3->hostname="localhost";
$pop3->port=110;
$pop3->tls=1;
$user="user1@testlab.local";
$password="secret";
$pop3->realm="";
$pop3->workstation="";
$apop=0;
$pop3->authentication_mechanism="USER";
$pop3->debug=1;
$pop3->html_debug=1;
$pop3->join_continuation_header_lines=1;


Output from test_pop3.php:
-----------------------------
Error: 0 could not connect to the host "localhost"

...in pop3.php I changed, in function OpenConnection:
from if(($this->connection=@fsockopen
to if(($this->connection=fsockopen
(removed the '@' to get the error message)

Output:
-----------------
Connecting 1 to localhost ...

Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number in C:\inetpub\wwwroot\pop3.php on line 144

Warning: fsockopen(): Failed to enable crypto in C:\inetpub\wwwroot\pop3.php on line 144

Warning: fsockopen(): unable to connect to tls://localhost:110 (Unknown error) in C:\inetpub\wwwroot\pop3.php on line 144



Now, after more than 3 hours of trial and error, I need your help.
The PHP OpenSSL extension is active in php.ini.

Running with PHP5.6.22 on Win2008R2 IIS-Webserver.

Thank you
Olli

  2. Re: TLS-Support (Exchange POP3 Service)
Manuel Lemos - 2016-06-07 17:46:20 - In reply to message 1 from Max Mustermann
It seems PHP is using SSLv3 instead of TLS. You need to make sure PHP is enabled with an OpenSSL version that supports TLS. If it is an old version, you need to upgrade.

  3. Re: TLS-Support (Exchange POP3 Service)
Max Mustermann - 2016-06-07 18:23:30 - In reply to message 2 from Manuel Lemos
Hello Manuel,

I tried an old PHP 5.4 version and the GA PHP version 5.6.22 too. Same error. I also upgraded Exchange 2010 from RTM to SP3 -> same error.
Windows, Active Directory and Exchange are all "fresh & out of the box" without any 3rd-party apps installed (virtual machine testlab).

PHP-Info from PHP Version 5.6.22:

--- openssl ---
OpenSSL support: enabled
OpenSSL Library Version: OpenSSL 1.0.1t 3 May 2016
OpenSSL Header Version: OpenSSL 1.0.1t 3 May 2016
Openssl default config: c:/usr/local/ssl/openssl.cnf

Directive        Local Value   Master Value
openssl.cafile   no value      no value
openssl.capath   no value      no value

  4. Re: TLS-Support (Exchange POP3 Service)
Max Mustermann - 2016-06-07 19:00:07 - In reply to message 3 from Max Mustermann
Helpful?

###################################################################################################

C:\Program Files\VMware\VMware Tools>openssl s_client -connect localhost:110
WARNING: can't open config file: C:\Program Files (x86)\VMware\OpenSSL/openssl.cnf
Loading 'screen' into random state - done
CONNECTED(00000110)
6916:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:.\ssl\s23_clnt.c:782:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

###################################################################################################

C:\Program Files\VMware\VMware Tools>openssl s_client -crlf -connect localhost:110 -starttls pop3
WARNING: can't open config file: C:\Program Files (x86)\VMware\OpenSSL/openssl.cnf
Loading 'screen' into random state - done
CONNECTED(00000110)
depth=0 CN = vm-ex2010
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = vm-ex2010
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=vm-ex2010
i:/CN=vm-ex2010
---
Server certificate
subject=/CN=vm-ex2010
issuer=/CN=vm-ex2010
---
No client certificate CA names sent
---
SSL handshake has read 1032 bytes and written 627 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 533A000084FBC9E8BE688D6D65ABFB38C2C448FF9EA983EE6C9C103773B14CA5

Session-ID-ctx:
Master-Key: DB05076195D5F46A3F12CE6C102F3AAFAD8008C21B408D8429DF705CB63E6ADDAC03CD6FAB854B80C0E12FF2472413DB
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1465325696
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
+OK The Microsoft Exchange POP3 service is ready.
user max
+OK



  5. Re: TLS-Support (Exchange POP3 Service)
Max Mustermann - 2016-06-07 19:04:58 - In reply to message 4 from Max Mustermann
from phpinfo:
Registered Stream Socket Transports:
tcp, udp, ssl, sslv3, tls, tlsv1.0, tlsv1.1, tlsv1.2
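
Added example (not part of the thread and not pop3_class's own code): the two s_client runs in message 4 differ only in "-starttls pop3", so port 110 speaks plaintext POP3 first and switches to TLS after the STLS command (RFC 2595), while the tls:// transport named in the fsockopen() warning starts the handshake on connect. The PHP below opens tcp://, issues STLS, then upgrades the same socket with certificate verification left on; the function names and the PEM path are hypothetical, and the peer name vm-ex2010 is the CN from the s_client output.

```php
<?php
// Added example: POP3 STARTTLS ("STLS") upgrade on the plaintext port.
// Function names and the CA file path are hypothetical, not from pop3.php.

// Read one POP3 status line and fail on anything other than "+OK".
function pop3_read_ok($conn)
{
    $line = fgets($conn, 1024);
    if ($line === false || strncmp($line, '+OK', 3) !== 0) {
        throw new RuntimeException('POP3 error: ' . trim((string) $line));
    }
    return rtrim($line, "\r\n");
}

function pop3_open_stls($host, $port, $peerName, $caFile, $timeout = 10)
{
    // Keep verification on. The server certificate in the thread is
    // self-signed, so trust it explicitly through cafile and match its CN
    // with peer_name instead of setting verify_peer to false.
    $context = stream_context_create(array('ssl' => array(
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'peer_name'        => $peerName,
        'cafile'           => $caFile,
    )));
    // tcp://, not tls://: the server sends its greeting in plaintext first.
    $conn = stream_socket_client("tcp://$host:$port", $errno, $errstr,
        $timeout, STREAM_CLIENT_CONNECT, $context);
    if ($conn === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    stream_set_timeout($conn, $timeout);
    pop3_read_ok($conn);            // "+OK ... POP3 service is ready."
    fwrite($conn, "STLS\r\n");      // ask the server to switch to TLS
    pop3_read_ok($conn);            // "+OK" means start the handshake now
    $methods = STREAM_CRYPTO_METHOD_TLS_CLIENT
             | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT
             | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    if (stream_socket_enable_crypto($conn, true, $methods) !== true) {
        fclose($conn);
        throw new RuntimeException('TLS handshake or certificate check failed');
    }
    return $conn;                   // send USER/PASS only after this point
}

// Usage with the thread's values (the PEM path is a placeholder):
// $conn = pop3_open_stls('localhost', 110, 'vm-ex2010', 'C:/path/to/vm-ex2010.pem');
// fwrite($conn, "USER user1@testlab.local\r\n"); echo pop3_read_ok($conn), "\n";
```

Because the function throws when the handshake or verification fails, credentials are never written to the socket in plaintext.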