Dear Users,
I have released version 5.11 of stunnel.
The ChangeLog entry:
Version 5.11, 2015.03.11, urgency: LOW:
* New features
  - OpenSSL DLLs updated to version 1.0.2.
  - Removed dereferences of internal OpenSSL data structures.
  - PSK key lookup algorithm performance improved from O(N) (linear) to O(log N) (logarithmic).
* Bugfixes
  - Fixed peer certificate list in the main window on Win32 (thx to @fyer for reporting it).
  - Fixed console logging in tstunnel.exe.
  - _tputenv_s() replaced with more portable _tputenv() on Win32.
Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html
SHA-256 hashes:
71a8bc37e58e34509b0267ade02292994c7a127f14d6e5ba03081db695edff8c  stunnel-5.11.tar.gz
3511a4bf27bcffdb69c3b2b2d5989d0b1d7b033a28f0c8d53cdd622555326487  stunnel-5.11-installer.exe
ccebef146d5c28854aa538e2ff8f7d1d1eb822d2ab51689aa88d39a1c3026776  stunnel-5.11-android.zip
Best regards, Mike
Hi,
This version can't connect to Hotmail/Live/Outlook POP3 with the same configuration as 5.10. This is under Windows 2000, but it happens in XP too.
LOG3[1220]: SSL_connect: Peer suddenly disconnected
LOG5[1220]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
Configuration. The bottom lines starting with ";" are from when I used to verify the certs:

[pop3hotmailSSL]
client = yes
accept = 127.0.0.1:56417
connect = pop3.live.com:995
; CAfile = peer-cert\peer-pop3hotmailSSL.pem
; verify = 3
Could it be because they use RC4-MD5 and, after the new FREAK attack, you (or OpenSSL) removed the option of weak ciphers, even though you don't mention it in the changelog?
Just guessing.
I attach both logs to compare, even though they don't tell too much. Until the connection, "all" is the same except the OpenSSL version.
Regards.
Javier wrote:
> connect = pop3.live.com:995
> <cut>
> I attach both logs to compare, even though they don't tell too much. Until the connection, "all" is the same except the OpenSSL version.
It indeed seems to be caused by the OpenSSL version:
$ /usr/bin/openssl version
OpenSSL 1.0.1k 8 Jan 2015
$ /usr/bin/openssl s_client -connect pop3.live.com:995
CONNECTED(00000003)
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=*.hotmail.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFQjCCBCqgAwIBAgISESHl0vjrML7zKmGlv42YL75vMA0GCSqGSIb3DQEBBQUA
MF0xCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTMwMQYD
VQQDEypHbG9iYWxTaWduIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIENBIC0gRzIw
HhcNMTMwNDI0MjAzNTA5WhcNMTYwNDI0MjAzNTA5WjBsMQswCQYDVQQGEwJVUzET
MBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMV
TWljcm9zb2Z0IENvcnBvcmF0aW9uMRYwFAYDVQQDDA0qLmhvdG1haWwuY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAumSiBWrzHZf6WFP5a/j4+K7D
1izLoYKj5Omll0pdxKvKcBRDf+iaIkCbSOPNpx2uWGZdwNwkabYCQavaBf2ebwmS
S8i1CJpHflO+k0qYd5WUi7sSsZ3+6RaCMdLoDIPGyYMQuy7TFtVO7LSt5+qscyyi
ET8c3lE2aj/XW13UZvRrV65ZJvMjUtwaDnIcAxGeasYoebLsKdqHQ2uTr4PmNwCc
viGVFSOzkGAoC0PfyqKB2xUWy3Kc5zRI2xvUW8Jb2b/9Ze3g55pIUzKsjpglkQTm
edVPSYYPGNz6Kl/ZshBXdBAk398q1JkSmUaTMa2hJgBbcC+73ax40AJDGJlz+QID
AQABo4IB6zCCAecwDgYDVR0PAQH/BAQDAgWgMEkGA1UdIARCMEAwPgYGZ4EMAQIC
MDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9z
aXRvcnkvMEAGA1UdEQQ5MDeCDSouaG90bWFpbC5jb22CCioubGl2ZS5jb22CDSou
b3V0bG9vay5jb22CC2hvdG1haWwuY29tMAkGA1UdEwQCMAAwHQYDVR0lBBYwFAYI
KwYBBQUHAwEGCCsGAQUFBwMCMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9jcmwu
Z2xvYmFsc2lnbi5jb20vZ3MvZ3Nvcmdhbml6YXRpb252YWxnMi5jcmwwgZYGCCsG
AQUFBwEBBIGJMIGGMEcGCCsGAQUFBzAChjtodHRwOi8vc2VjdXJlLmdsb2JhbHNp
Z24uY29tL2NhY2VydC9nc29yZ2FuaXphdGlvbnZhbGcyLmNydDA7BggrBgEFBQcw
AYYvaHR0cDovL29jc3AyLmdsb2JhbHNpZ24uY29tL2dzb3JnYW5pemF0aW9udmFs
ZzIwHQYDVR0OBBYEFHbgHqTLsXDt7uMRyE62rnDEfLn9MB8GA1UdIwQYMBaAFF1G
so3ES3Qcu+31c7Y6tziPdZ5+MA0GCSqGSIb3DQEBBQUAA4IBAQByy1+3N6ZRVooI
xqw8Ng+UFz0g7UHkbPEnvTu1uxJ2AojFuP/P1PAk+/6uMRvpPlWg/5uqmOIWxKxJ
Lo6xSbkDf4LN+KYwes3XSuPyziZ4QbPnehHhZ0377iiA8fpRJADg9NWKCRHh5aAd
e9QvJUW/GgYkBN+F4yYc2jIjR3Rehv4JYOKS3iXO9OoHsDS2CcCFaS2imgQVfYLg
slBwT/A08PCOhW5huiluSmih7x5Qf7sFDv8jineu6ehKzi8pKnOq4k8G4QiWn38Y
CeiBkkwFOwj7T3M/ITiiSS9DHDGeokj16eBi83Zx3YYiJ9YZvnQ+4GvqJ5eJJ6pR
KKvemr+m
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=*.hotmail.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 2656 bytes and written 615 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 5B1C000024A49549D3FC25B82623E52CFD62A118EA36198E88369773F5E9EA53
    Session-ID-ctx:
    Master-Key: EA7B5AFEA681E4599551C67F7777F519123B714585F1948B498D0ADD4412CD023A91BD5947C41B177A31D4A420E495E9
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1426106767
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
+OK BLU0-POP741 POP3 server ready
^C
$ /usr/local/ssl/bin/openssl version
OpenSSL 1.0.2 22 Jan 2015
$ /usr/local/ssl/bin/openssl s_client -connect pop3.live.com:995
CONNECTED(00000003)
140039514363536:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 361 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---
I found two workarounds:
1. Force TLSv1 handshake: sslVersion = TLSv1
2. Enable FIPS mode: fips = yes
Mike
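The two transcripts above differ only in what the client sent before the server reacted: the 1.0.1k run got a full handshake with RC4-MD5, while the 1.0.2 run wrote a single ClientHello (361 bytes) and was disconnected. When diagnosing this kind of failure it helps to decode that first record and compare the client_version, the cipher suites and the extensions each build offers. The following Python is an added example, not stunnel's or OpenSSL's code; the two hellos it builds are constructed approximations (a TLSv1 hello offering RC4-MD5 and a TLSv1.2-style hello with a signature_algorithms extension), not captures from pop3.live.com, and the record-layer version it pins to TLSv1 is an assumption about typical client behaviour, not a statement about the builds in the transcripts.

```python
import struct

# Subset of IANA cipher suite IDs with their OpenSSL names (constructed lookup
# table for this example; 0x0004 is the RC4-MD5 suite seen in the 1.0.1k run).
CIPHER_NAMES = {
    0x0004: "RC4-MD5",
    0x0005: "RC4-SHA",
    0x000A: "DES-CBC3-SHA",
    0x002F: "AES128-SHA",
    0x0035: "AES256-SHA",
    0x003C: "AES128-SHA256",
    0x009C: "AES128-GCM-SHA256",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
}
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
EXTENSION_NAMES = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats", 13: "signature_algorithms"}


def encode_extension(ext_type, data):
    """TLS extension: 2-byte type, 2-byte length, payload."""
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(client_version, cipher_ids, extensions=b"", record_version=(3, 1)):
    """Wrap a minimal ClientHello in a TLS handshake record (constructed, not a capture).

    record_version defaults to TLSv1 on the assumption that compatibility-minded
    clients keep the record layer at 3.1 whatever client_version they offer.
    """
    body = bytes(client_version)                     # client_version (major, minor)
    body += b"\x00" * 32                             # 32-byte random, zeroed for this example
    body += b"\x00"                                  # empty session_id
    body += struct.pack("!H", 2 * len(cipher_ids))   # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", c) for c in cipher_ids)
    body += b"\x01\x00"                              # compression_methods: null only
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello = 1
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Decode a handshake record holding a ClientHello; raise ValueError otherwise."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = (record[1], record[2])
    (record_len,) = struct.unpack("!H", record[3:5])
    handshake = record[5:5 + record_len]
    if len(handshake) != record_len or not handshake or handshake[0] != 0x01:
        raise ValueError("record does not carry a complete ClientHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello body")

    client_version = (body[0], body[1])
    pos = 2 + 32                                     # skip client_version and random
    pos += 1 + body[pos]                             # skip session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    if cs_len % 2:
        raise ValueError("odd cipher_suites length")
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                             # skip compression_methods
    extensions = []
    if pos < len(body):                              # extensions block is optional
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4 + ext_data_len
            extensions.append(EXTENSION_NAMES.get(ext_type, str(ext_type)))
    return {
        "record_version": VERSION_NAMES.get(record_version, str(record_version)),
        "client_version": VERSION_NAMES.get(client_version, str(client_version)),
        "ciphers": [CIPHER_NAMES.get(c, "0x%04X" % c) for c in ciphers],
        "extensions": extensions,
        "wire_bytes": len(record),
    }


# Two constructed hellos: a legacy TLSv1 hello offering RC4-MD5 first, and a
# TLSv1.2-style hello with more suites plus a signature_algorithms extension
# listing sha256/rsa and sha1/rsa.
LEGACY_HELLO = build_client_hello((3, 1), [0x0004, 0x000A, 0x002F])
MODERN_HELLO = build_client_hello(
    (3, 3), [0xC030, 0x009C, 0x003C, 0x002F, 0x0004],
    extensions=encode_extension(13, b"\x00\x04\x04\x01\x02\x01"),
)

if __name__ == "__main__":
    for label, hello in (("TLSv1 hello", LEGACY_HELLO), ("TLSv1.2 hello", MODERN_HELLO)):
        print(label, parse_client_hello(hello))
```

To use it on a real failure, feed parse_client_hello() the first record of a packet capture taken while stunnel (or s_client) connects; if the server closes right after a hello whose client_version is TLSv1.2 but accepts one pinned to TLSv1, that matches the sslVersion = TLSv1 workaround above, and the decoded cipher list shows whether the suite the server wants (RC4-MD5 here) is still being offered at all.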
On Wed, 11 Mar 2015 22:15:30 +0100 Michal Trojnara <Michal.Trojnara@mirt.net> wrote:
> I found two workarounds:
> 1. Force TLSv1 handshake: sslVersion = TLSv1
> 2. Enable FIPS mode: fips = yes
Mike
Hi,
Thanks for the help. I went for the first and it is working :-)
From ignorance, it looks like OpenSSL wants to negotiate with the highest TLS version and, if it is not available, the connection is closed. They have banned lower versions as browsers have done.
On the other hand, MS should be using a higher one but...
Regards.