[Dovecot] TLS/SSL for Win8 & Outlook

Adi Kriegisch adi at cg.tuwien.ac.at
Wed Jul 2 14:29:32 UTC 2014

On Thu, Jun 26, 2014 at 05:13:20PM +0200, Robert Schetterer wrote:
> Am 26.06.2014 11:53, schrieb Adi Kriegisch:
> > On Wed, May 21, 2014 at 09:14:26PM +0200, Robert Schetterer wrote:
> >> Am 21.05.2014 19:47, schrieb Sebastian Goodrick:
> >>> I just installed the (rapid-ssl) certificate and it works now.
> >>> Needless to say that I don't understand it. The old certificate worked
> >>> with all other clients but win8/outlook, plus the old dovecot install
> >>> worked with win8/outlook as well.
> > I am struggling with the same issue for some time now: win8/outlook isn't
> > able to connect to dovecot 2.2.9 (from Debian/backports); the error on the
> > outlook side of things is 0x800CCC0E which is really helpful.
> read again orig thread, i ve tested brand new win 8.1 outlook 2013
> install all latest patchlevel with dovecot 2.2.13 tls, no problem, the
> orig problem had gone using another crt from rapid-ssl by unknown
> reason, needless to say that there may tons of other reasons
> why it fails at your site, however im nearly sure tha tthere is no
> default bug in dovecot
Right. The "bug" is in Windows: SHA512 isn't configured as a valid hash for
a certificate (SHA256 and SHA384 are) and Windows is unable to provide a
reasonable error message. (**)
To solve this, adding "RSA/SHA512" to the following registry entry
solves the issue. (This affects CACert as well as their default signature
algorithm is SHA512 by now) Do not forget to reboot after adding this
registry entry.

-- Adi

(**) In Windows 8, certificate validation seems to behave quite different
     for TLSv1.2 than for older protocol incarnations. So there might be
     other pitfalls as well (like for example self signed certificates
     including the CA flag set to true will not be considered valid)...
PS: This hinted me in the right direction: http://www.michaelm.info/blog/?p=1273

More information about the dovecot mailing list