
We have 1 Mac (OS X 10.11.1) user running Outlook 2016, and he is trying to connect to our Exchange 2013 server (Version 15.0 Build 847.32). After creating the account in Outlook, a yellow dot remains next to the account.

To diagnose we have ensured that our root cert is added to the trusted certs in the system keychain on the Mac, and we have verified that the client can negotiate/accept the cert:

openssl s_client -CAfile ~/myca.cer -connect www.example.com:443

We can browse to our Exchange's www.example.com/owa from the Mac and all works fine. But for some reason the Mac client will not create / verify the account. Is there a further diagnostic step we can do to help resolve this?


UPDATE: On the Exchange server I see events 36874 and 36888 with text:

An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

How can I ensure they negotiate a mutually acceptable cipher suite?

TSG

1 Answer


After much research, the Mac cannot negotiate a cipher suite with the Windows server. The reason is that they are using TLS 1.2 and the cert is signed with 512-bit SHA. The Mac/Windows can't handle a cert signed with 512-bit SHA (over TLS 1.2), so the pair abort the handshake. Re-installing a 384-bit SHA signed cert on the Windows server allowed the Mac to connect.

The root cert can be SHA512 signed - just not the server's cert.

TSG
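
The answer's finding can be checked on the certificate itself before touching the server. The following is an added example, not part of the original post: it reports the signature algorithm of a PEM certificate and flags a SHA-512-signed server certificate. The function names and the throwaway self-signed certificates (CN=leaf.example.test) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical;
# the certificates are throwaway self-signed samples constructed here.

# sig_alg: print the signature algorithm of the first PEM certificate on stdin.
# Also works on s_client output, e.g.:
#   openssl s_client -connect www.example.com:443 </dev/null 2>/dev/null | sig_alg
sig_alg() {
    openssl x509 -noout -text 2>/dev/null |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# check_leaf FILE: succeed unless the server (leaf) certificate in FILE is
# signed with SHA-512, the case the answer found to break the handshake.
# Returns 0 = ok, 1 = SHA-512 signature, 2 = no readable certificate.
check_leaf() {
    alg=$(sig_alg < "$1")
    if [ -z "$alg" ]; then
        echo "$1: no readable PEM certificate" >&2
        return 2
    fi
    case "$alg" in
        *[Ss][Hh][Aa]512*) echo "$1: $alg (re-issue, e.g. SHA-384 as in the answer)"; return 1 ;;
        *)                 echo "$1: $alg (ok)"; return 0 ;;
    esac
}

# make_sample DIGEST OUT: constructed self-signed certificate signed with DIGEST.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -"$1" -days 1 \
        -subj "/CN=leaf.example.test" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

# demo: build one SHA-512 and one SHA-384 sample and check both.
demo() {
    dir=$(mktemp -d) || return 1
    make_sample sha512 "$dir/leaf512.pem"
    make_sample sha384 "$dir/leaf384.pem"
    check_leaf "$dir/leaf512.pem" || true
    check_leaf "$dir/leaf384.pem" || true
    rm -rf "$dir"
}

# Run "sh thisfile.sh demo" to try it on the constructed samples.
if [ "${1:-}" = "demo" ]; then demo; fi
```

Only the server's own certificate needs checking here; per the answer, a SHA-512-signed root did not cause the failure.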