Hardening SSL/TLS and Outlook for Mac

As part of hardening servers that publish services, and in times of POODLE, you may want to disable SSL (if you have not done so already). You can test your client here and your server/service endpoint here.

Most likely you have already disabled SSL on your server, but if not:

Can you do it right away?

Of course you can. Is there a caveat? It depends…

It depends on whether one of your clients still depends on SSL or not.

Recently I was involved in an issue where users complained that they could no longer connect to Exchange. They were using the latest version of Outlook for Mac. Some reported that they could not connect after switching networks, while others could, so it was really confusing. After some troubleshooting we could at least isolate the issue to users who switched from the corporate LAN to an external network. But even among those, some had no issues. Eventually we narrowed it down: the users who had disabled the Autodiscover function within Outlook for Mac (which can be done as described here) had no issues.

Furthermore, we finally found the reason:

A client coming from the corporate LAN could no longer reach the internal Exchange endpoint, so it tried to connect to Autodiscover in order to retrieve the latest settings. This is normal behaviour and by design; more information can be found here. But the client could not retrieve any data from Autodiscover. The clients with the Autodiscover function disabled still had the external endpoint configured, so for them it was no problem (split DNS). But why could the other clients not retrieve any data from Autodiscover?

To understand this you need to know that Autodiscover was published on a different IP than the EWS endpoint, and a different SSL/TLS configuration applied to it:

  • Renegotiation was disabled

We confirmed this with network traces. Here is a bad trace of a client outside the corporate LAN:

[Trace: SanitizedNoCipherChange]

We see only SSLv2 Client Hello requests, which were never answered. Now a good trace from inside the corporate LAN:

[Trace: SanitizedCipherChange]

Here we can see that the handshake is upgraded from SSLv2 (the Client Hello) to TLSv1 (the server's answer). Now I only needed confirmation, and I found the following KB:

Outlook for Mac clients cannot connect to Exchange Server

"The connection failure occurs because Outlook for Mac uses SSL to establish communication with an Exchange server. When SSL is disabled and secure renegotiation is implemented as defined in RFC 5746, Outlook requires the server to be in Compatible mode so that the session can be renegotiated from SSL to Transport Layer Security (TLS)."

Okay… I was astonished by these facts. Of course we allowed renegotiation again and that solved the issue. Allow it as secure renegotiation (RFC 5746), not the legacy insecure flavour, and only on the endpoints whose clients actually need it.

Outlook for Mac was so far the only client we found that relies on SSLv2 (in the traces this shows up as an SSLv2 Client Hello that is then answered in TLSv1). This also applies to the latest version of Outlook for Mac for Office 365.
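To check which of your published endpoints still answer such a request, here is a small probe. It is an added example for this post, not the author's or Microsoft's tooling. It sends a ClientHello in the SSLv2 record format (the request Wireshark labels "SSLv2") that offers TLS 1.0 and the RFC 5746 signalling suite, then reports whether the endpoint answers with a TLS Server Hello, a TLS alert, nothing at all, or a genuine SSLv2 SERVER-HELLO; for a TLS reply it also reports whether the server advertises the RFC 5746 renegotiation_info extension. The hostnames are placeholders and the sample Server Hello is constructed for offline runs, not captured from a real server.

```python
# Added example (not from the original post): probe an endpoint with an
# SSLv2-format ClientHello that offers TLS 1.0 and classify the reply.
import os
import socket
import struct

# TLS suites advertised in the V2 hello (3-byte V2 form: 0x00 + TLS suite id).
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # RFC 5746 signalling suite
RENEGOTIATION_INFO_EXT = 0xFF01             # RFC 5746 extension type
DEFAULT_SUITES = (TLS_RSA_WITH_AES_128_CBC_SHA,
                  TLS_RSA_WITH_3DES_EDE_CBC_SHA,
                  TLS_EMPTY_RENEGOTIATION_INFO_SCSV)


def build_v2_compatible_client_hello(version=(3, 1), suites=DEFAULT_SUITES, challenge=None):
    """SSLv2 record layer carrying a CLIENT-HELLO that offers TLS (3,1 = TLS 1.0)."""
    if challenge is None:
        challenge = os.urandom(16)
    cipher_specs = b"".join(struct.pack("!BH", 0, s) for s in suites)
    body = (b"\x01"                                  # CLIENT-HELLO message type
            + bytes(version)                         # highest version offered
            + struct.pack("!HHH", len(cipher_specs), 0, len(challenge))
            + cipher_specs + challenge)              # no session id
    # 2-byte V2 header: high bit set, 15-bit length, no padding
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_server_hello(record):
    """Parse a TLS ServerHello record: version, suite, renegotiation_info present?"""
    hs = record[5:]                                  # skip the 5-byte record header
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = (body[0], body[1])
    pos = 2 + 32                                     # server_version + random
    pos += 1 + body[pos]                             # session_id
    suite = int.from_bytes(body[pos:pos + 2], "big")
    pos += 3                                         # cipher suite + compression
    secure_reneg = False
    if pos + 2 <= len(body):                         # extensions block is optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            if etype == RENEGOTIATION_INFO_EXT:
                secure_reneg = True
            pos += 4 + elen
    return {"version": version, "cipher_suite": suite,
            "secure_renegotiation": secure_reneg}


def classify_response(data):
    """Map the first bytes the server sends back to (kind, detail)."""
    if not data:
        return "none", "no reply: SSLv2-format ClientHello not accepted"
    if data[0] == 0x15 and len(data) >= 7:           # TLS alert record
        return "alert", "level=%d description=%d" % (data[5], data[6])
    if data[0] == 0x16 and len(data) >= 6 and data[5] == 0x02:
        return "tls", parse_server_hello(data)       # TLS handshake, ServerHello
    if data[0] & 0x80 and len(data) >= 3 and data[2] == 0x04:
        return "v2", "SSLv2 SERVER-HELLO: endpoint really still speaks SSLv2"
    return "unknown", data[:8].hex()


def probe(host, port=443, timeout=5.0):
    """Send the V2-compatible hello to host:port and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_v2_compatible_client_hello())
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""                               # silent drop or RST
    return classify_response(data)


def sample_server_hello(secure_reneg=True):
    """Constructed TLS 1.0 ServerHello (not a real capture) for offline runs."""
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    if secure_reneg:                                 # empty renegotiation_info ext
        ext = b"\xff\x01\x00\x01\x00"
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    import sys
    # Placeholder hostnames; probe Autodiscover and EWS separately.
    for host in sys.argv[1:] or ["autodiscover.example.com", "mail.example.com"]:
        try:
            print(host, *probe(host))
        except OSError as e:
            print(host, "error", e)
```

Run it against both the Autodiscover and the EWS hostname: an endpoint that drops the SSLv2-format hello shows up as "none" (exactly what the bad trace above looks like), while an endpoint that upgrades to TLS returns the negotiated version and whether renegotiation_info was advertised. Absence of the extension does not by itself prove renegotiation is disabled, it only means the server did not signal RFC 5746 support in that reply.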

Conclusion:

Always check the capabilities of your clients before you tighten server-side SSL/TLS settings, and test every published endpoint (here: Autodiscover and EWS) separately, since they may sit behind different configurations.
