Question
129 views

Office 365 SMTP and REST servers randomly presenting different SSL Certificates

BVStone asked on

Today I had a few customers contact me with some SSL issues using our 3rd party email product for the IBM i (AS400).

We have integrated it successfully with Office 365, both the SMTP server (smtp.office365.com) and the RESTful API (outlook.office.com:443/api/v2.0/me/sendmail).

Both are randomly presenting different SSL certificates.  I was able to capture two different certificates for the RESTful API, but I haven't yet for the SMTP server.

The reason this causes issues is because on our machine we need to manually import any Certificate Authorities used with SSL/TLS.  And if they change, we can't always be sure we'll grab one of the two when using openSSL.

Here are examples of the RESTful API SSL certificates that I have received:

Certificate 1:

-----BEGIN CERTIFICATE-----
MIII6jCCB9KgAwIBAgIMClNGf9As464mLGTiMA0GCSqGSIb3DQEBCwUAMGIxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTgwNgYDVQQDEy9H
bG9iYWxTaWduIEV4dGVuZGVkIFZhbGlkYXRpb24gQ0EgLSBTSEEyNTYgLSBHMzAe
Fw0xNjEyMDYwMjM2MDNaFw0xODEyMDcwMjM2MDNaMIHyMR0wGwYDVQQPDBRQcml2
YXRlIE9yZ2FuaXphdGlvbjESMBAGA1UEBRMJNjAwNDEzNDg1MRMwEQYLKwYBBAGC
NzwCAQMTAlVTMRswGQYLKwYBBAGCNzwCAQITCldhc2hpbmd0b24xCzAJBgNVBAYT
AlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMRowGAYD
VQQJExFPbmUgTWljcm9zb2Z0IFdheTEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBv
cmF0aW9uMRswGQYDVQQDExJvdXRsb29rLm9mZmljZS5jb20wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDVnsYR6WcdxylEo0L1UEVqeeYS2xq5nN+3Sv4O
n2/wuK4VJQoFFWEc2VFGFJM2SM33VY1If81eniLPwMtKXnqXnWsvNQuXcAQ8stGS
5z/kopuEMTIOnkO38GwSqh8IqjrZ62zcJamXQjYDTlLZ4WzffqzytvPqBJGyLv5t
riFrrUMi4ecnWwQZ5CWjbfLWl2VWU6UD29xHEOrkvmy7f95b/SNOQdEzkUdwki+1
41jOAIdFY1tEjpypqQaG7X00V/ho6Sf1rQ7awVncvPWAirkMpbLMF5zbDlJ8mypi
dAN4bkj0lbRS/Dtc8virI6Xz5bmhLmiU6mUJb66ANkORKhcfAgMBAAGjggUNMIIF
CTAOBgNVHQ8BAf8EBAMCBaAwgZYGCCsGAQUFBwEBBIGJMIGGMEcGCCsGAQUFBzAC
hjtodHRwOi8vc2VjdXJlLmdsb2JhbHNpZ24uY29tL2NhY2VydC9nc2V4dGVuZHZh
bHNoYTJnM3IzLmNydDA7BggrBgEFBQcwAYYvaHR0cDovL29jc3AyLmdsb2JhbHNp
Z24uY29tL2dzZXh0ZW5kdmFsc2hhMmczcjMwVQYDVR0gBE4wTDBBBgkrBgEEAaAy
AQEwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5jb20vcmVw
b3NpdG9yeS8wBwYFZ4EMAQEwCQYDVR0TBAIwADBFBgNVHR8EPjA8MDqgOKA2hjRo
dHRwOi8vY3JsLmdsb2JhbHNpZ24uY29tL2dzL2dzZXh0ZW5kdmFsc2hhMmczcjMu
Y3JsMIIBWwYDVR0RBIIBUjCCAU6CEm91dGxvb2sub2ZmaWNlLmNvbYIdYXR0YWNo
bWVudC5vdXRsb29rLm9mZmljZS5uZXSCIGF0dGFjaG1lbnQub3V0bG9vay5vZmZp
Y2VwcGUubmV0ghNib29raW5ncy5vZmZpY2UuY29tghBkZWx2ZS5vZmZpY2UuY29t
ghplZGdlLm91dGxvb2sub2ZmaWNlMzY1LmNvbYITZWRnZXNkZi5vdXRsb29rLmNv
bYIUaW1nLmRlbHZlLm9mZmljZS5jb22CEG91dGxvb2subGl2ZS5jb22CFG91dGxv
b2stc2RmLmxpdmUuY29tghZvdXRsb29rLXNkZi5vZmZpY2UuY29tghlzZGZlZGdl
LXBpbG90Lm91dGxvb2suY29tghRzdWJzdHJhdGUub2ZmaWNlLmNvbYIYc3Vic3Ry
YXRlLXNkZi5vZmZpY2UuY29tMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
AjAdBgNVHQ4EFgQUibOk+gAchhr2nt4S9i98CEWHn1wwHwYDVR0jBBgwFoAU3bPn
bagu6MVObs905nU8lBXO6B0wggH1BgorBgEEAdZ5AgQCBIIB5QSCAeEB3wB2AFYU
Bpov18Ls0/XhvUSyPsdGdrm8mRFcwO+UmFXWidDdAAABWNH89NwAAAQDAEcwRQIg
c2xmavLASvF01Rk/m65LSciIcOY6J+KACjNMdtdy5T8CIQDH00c7toH1hlf/O2Ch
Mpkqc8R8+148zM3eHnxbJDVuvgB1AN3rHSt6DU+mIIuBrYFocH4ujp0B1VyIjT0R
xM227L7MAAABWNH89RMAAAQDAEYwRAIgMoYZN4aCL+WrxJytfbkq4RmUz6+XRkip
uwtazqq2oeUCIEOMlpxrlFFOqW4Z82dklwAsUUicxawPknzF8GVUYY2nAHcApLkJ
kLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAAFY0fz1ZQAABAMASDBGAiEA
qKur7IwFsXDe05VcuCCY6zpz9bZ97sYOKpKMlqVI+nwCIQCsotCnRYQGDGFb6Vv8
ZLt0vPW0jwZKR53AR0Ad4jHIPwB1AO5Lvbd1zmC64UJpH6vhnmajD35fsHLYgwDE
e4l6qP3LAAABWNH8+FUAAAQDAEYwRAIgGUg1g86hjhR9AnAnB6E74NGEZFj6/ysU
SEPxzYN+/90CIEFt0FtFNkkyvH5aXtmNQDmL5uNv3oNBSxqFJxDvCgB6MA0GCSqG
SIb3DQEBCwUAA4IBAQCVGd5jEsBFjzgklgp5r8LW/BupR/4OBuSlqO8gDSxnYLv5
wwlDtACDlJfAXnk+RDZyWs8i55Jgr37TfWE/qjcY7O4jVAA+3B6tmvHrB2w6/jgW
z8Wt4CcAyFQ1gq7r/3AqlwZ3tnX144m6j7XdM1UAlaJo+By0NnEHvYW9Ea2k/PcL
v371xR8a8/vPQUKmTCe6WgRIqANgjpbQ7OVXPyeLMaZR49HMwuM1la7Dip4PoGa2
yvhni02zjNHja5wz8H/d00RTrgtWjUAkeHUBpSmxY7/NAYO6d/6pRLKPejpi0iCM
fmRXlAfkJppOV2KntKizbSH22aib75Ca9uN3L+5K
-----END CERTIFICATE-----

Certificate 2:

-----BEGIN CERTIFICATE-----
MIIJYDCCCEigAwIBAgIMT+yR4vShGFqnC1XXMA0GCSqGSIb3DQEBCwUAMGIxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTgwNgYDVQQDEy9H
bG9iYWxTaWduIEV4dGVuZGVkIFZhbGlkYXRpb24gQ0EgLSBTSEEyNTYgLSBHMjAe
Fw0xNjEwMjgyMzA2MDRaFw0xODEwMjkyMzA2MDRaMIHyMR0wGwYDVQQPDBRQcml2
YXRlIE9yZ2FuaXphdGlvbjESMBAGA1UEBRMJNjAwNDEzNDg1MRMwEQYLKwYBBAGC
NzwCAQMTAlVTMRswGQYLKwYBBAGCNzwCAQITCldhc2hpbmd0b24xCzAJBgNVBAYT
AlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMRowGAYD
VQQJExFPbmUgTWljcm9zb2Z0IFdheTEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBv
cmF0aW9uMRswGQYDVQQDExJvdXRsb29rLm9mZmljZS5jb20wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDBfPHSq3y7bJcHHF9uruj49I10JlRmvv7tJ39O
P6F2SWf6fLGNpZ1lRNArUq7f1gIZe6l7wSDILXTpiurTTw1tbxQAYvRM217b3wyg
U+56O+ra5L7wQP3ZmwC79sEgQ5H0kt31tNj1HVIhoabbYAPW+fiZlHQKx/2bhbs1
DnBAFDiPlvfq7VbHNgXguUHJNw6oUsWBEL4w3JEBfOmVInXYPPO4VOzpR0eQyvCi
ku3/KF0e9Ki8sZ4AVakvtTkdrxzzRycLiNBVl8NdoZSN4VH2me8Z6e34lY4TvWQ5
buSCaXkNVer2F2C4ajkrgDamA9uD106FGKBV6FHQb01L1FGzAgMBAAGjggWDMIIF
fzAOBgNVHQ8BAf8EBAMCBaAwgZQGCCsGAQUFBwEBBIGHMIGEMEcGCCsGAQUFBzAC
hjtodHRwOi8vc2VjdXJlLmdsb2JhbHNpZ24uY29tL2NhY2VydC9nc2V4dGVuZHZh
bHNoYTJnMnIyLmNydDA5BggrBgEFBQcwAYYtaHR0cDovL29jc3AyLmdsb2JhbHNp
Z24uY29tL2dzZXh0ZW5kdmFsc2hhMmcyMFUGA1UdIAROMEwwQQYJKwYBBAGgMgEB
MDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9z
aXRvcnkvMAcGBWeBDAEBMAkGA1UdEwQCMAAwQwYDVR0fBDwwOjA4oDagNIYyaHR0
cDovL2NybC5nbG9iYWxzaWduLmNvbS9ncy9nc2V4dGVuZHZhbHNoYTJnMi5jcmww
ggFbBgNVHREEggFSMIIBToISb3V0bG9vay5vZmZpY2UuY29tgh1hdHRhY2htZW50
Lm91dGxvb2sub2ZmaWNlLm5ldIIgYXR0YWNobWVudC5vdXRsb29rLm9mZmljZXBw
ZS5uZXSCE2Jvb2tpbmdzLm9mZmljZS5jb22CEGRlbHZlLm9mZmljZS5jb22CGmVk
Z2Uub3V0bG9vay5vZmZpY2UzNjUuY29tghNlZGdlc2RmLm91dGxvb2suY29tghRp
bWcuZGVsdmUub2ZmaWNlLmNvbYIQb3V0bG9vay5saXZlLmNvbYIUb3V0bG9vay1z
ZGYubGl2ZS5jb22CFm91dGxvb2stc2RmLm9mZmljZS5jb22CGXNkZmVkZ2UtcGls
b3Qub3V0bG9vay5jb22CFHN1YnN0cmF0ZS5vZmZpY2UuY29tghhzdWJzdHJhdGUt
c2RmLm9mZmljZS5jb20wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0G
A1UdDgQWBBQcjai1D1kq/Kpr0etENcaIlyZyDjAfBgNVHSMEGDAWgBTaQHdDZRz4
/qfj9GSCPk1DEyIxAjCCAm8GCisGAQQB1nkCBAIEggJfBIICWwJZAHYA3esdK3oN
T6Ygi4GtgWhwfi6OnQHVXIiNPRHEzbbsvswAAAFYDYsKUAAABAMARzBFAiA0dpz9
/USCUwZYcVs/5cg2XtaM1sHT4abxspmWJYwQGAIhAN1UMBQq5dUckVIiXPDg2r3d
DJ+4ymN9McMwqnXbRN7AAHYAVhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ
0N0AAAFYDYsNDAAABAMARzBFAiEA1K8NwMXm69ZOoKC+ZgABJBRwIPxiru/lnD7R
LNGLblACIFcymoibokPDmtRuzUwG0SZlBxOWqErc7E3b7WxOAlkcAHcApLkJkLQY
WBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAAFYDYsNPwAABAMASDBGAiEA+8Va
RaGmQOzcNxJyaeJi7XZlMPbQDn5Hb0zJM76xYRkCIQDefPooWs96Ycr6yItrYvjk
E1SHjaM1euhsby8uv5JT5gB2AGj2mPgfZIK+OozuuSgdTPxxUV1nk9RE0QpnrLtP
T/vEAAABWA2LDVYAAAQDAEcwRQIgX+AY+jEcDLphce0NjiCR4jpi5qzwf1XvXV8b
/wP2OzUCIQCL/Eu8vxu2+loN2l8C4ydaiLC6J/hCTgLRFnv8MH823QB2AO5Lvbd1
zmC64UJpH6vhnmajD35fsHLYgwDEe4l6qP3LAAABWA2LEDkAAAQDAEcwRQIhAO05
9svhj0nRNzwswJ/9UEUNUqNXYhCJojGFh7h4JKeUAiAiULtvav/AoAa6pnDM3wby
oNRvaBVRcRwojzIISMPUxDANBgkqhkiG9w0BAQsFAAOCAQEANVCHwL2PYMbJdZ+U
IM3gK5qj725uM8n6VjP9dnNBnPte898HZ1X83KZAPVQV5hhlqy8AwPfSHaBqaK7c
QDZkfy7WuLvdkOWWNssUNQLq+RvZi7XqOVzZ6Wx+DppNFNVweppkWBg3/JIPSjWk
lQp09PeKeq5GqBDw7A3BldV8Z3qu6kaoMl6EcZiP4jS0TKaHnYgbtSqZld1Karxq
Js5O52Zehxsj0kputYoo/E2RcWtv3lVqptWc19RHU9127Iq7CLPZSLY1qyzK2mxa
fKOdDzH9/S7aiMCAfCbPDokxjK138D4qbAAfIvo6bpKX9vZy2XGFHHGRizRUA4sY
ctSOUA==
-----END CERTIFICATE-----

Any idea on why this is happening?  Maybe a couple servers in the farm not updated with the proper SSL certificates?  I would assume they should be the SAME across all servers in the farm.

If not, and it's fine having more than 1 for each server, how can I find a list of the Certificates used so I can export all the CAs that would be possibly used and have my customers import them so they quit getting random Not Trusted errors?

Thanks!

3 people had this question

Abuse history


progress