On Thu, Jun 26, 2014 at 05:13:20PM +0200, Robert Schetterer wrote:
On 26.06.2014 11:53, Adi Kriegisch wrote:
On Wed, May 21, 2014 at 09:14:26PM +0200, Robert Schetterer wrote:
On 21.05.2014 19:47, Sebastian Goodrick wrote:
I just installed the (rapid-ssl) certificate and it works now. Needless to say that I don't understand it. The old certificate worked with all other clients but win8/outlook, plus the old dovecot install worked with win8/outlook as well.

I am struggling with the same issue for some time now: win8/outlook isn't able to connect to dovecot 2.2.9 (from Debian/backports); the error on the outlook side of things is 0x800CCC0E which is really helpful.
Read again orig thread, I've tested brand new win 8.1 outlook 2013 install all latest patchlevel with dovecot 2.2.13 tls, no problem, the orig problem had gone using another crt from rapid-ssl by unknown reason, needless to say that there may be tons of other reasons why it fails at your site, however I'm nearly sure that there is no default bug in dovecot

Right. The "bug" is in Windows: SHA512 isn't configured as a valid hash for a certificate (SHA256 and SHA384 are) and Windows is unable to provide a reasonable error message. (**)

To solve this, adding "RSA/SHA512" to the following registry entry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003\Functions
solves the issue. (This affects CACert as well, as their default signature algorithm is SHA512 by now.) Do not forget to reboot after adding this registry entry.
-- Adi
(**) In Windows 8, certificate validation seems to behave quite differently for TLSv1.2 than for older protocol incarnations. So there might be other pitfalls as well (like for example self-signed certificates including the CA flag set to true will not be considered valid)...

PS: This hinted me in the right direction: http://www.michaelm.info/blog/?p=1273
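
The registry check described in the message above, as an added example that is not part of the original thread: it reports whether the Schannel "Functions" list contains RSA/SHA256, RSA/SHA384 and RSA/SHA512, and can append the missing entry. The function name, the -Fix switch and the choice to append at the end of the list are assumptions; the key path and the "RSA/SHA512" value are the ones given in the message.

```powershell
# Added example: audit (and optionally extend) the Schannel signature-algorithm list.
# Function name and -Fix switch are hypothetical; key path and value come from the message.
function Test-SchannelSha512 {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Fix,
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003'
    )

    # "Functions" is a multi-string value; PowerShell returns it as a string array.
    $current = @((Get-ItemProperty -Path $KeyPath -Name Functions -ErrorAction Stop).Functions)

    # Report the state found before any change is made.
    $report = foreach ($alg in 'RSA/SHA256', 'RSA/SHA384', 'RSA/SHA512') {
        [pscustomobject]@{ Algorithm = $alg; Present = ($current -contains $alg) }
    }

    if ($Fix -and -not ($current -contains 'RSA/SHA512')) {
        # Assumption: appending is acceptable; the existing order is left untouched.
        $updated = [string[]]($current + 'RSA/SHA512')
        if ($PSCmdlet.ShouldProcess("$KeyPath\Functions", 'Append RSA/SHA512')) {
            Set-ItemProperty -Path $KeyPath -Name Functions -Value $updated -Type MultiString
            Write-Warning 'RSA/SHA512 added; reboot for the change to take effect.'
        }
    }

    $report
}

Test-SchannelSha512                  # report only, no changes
# Test-SchannelSha512 -Fix -WhatIf   # preview the change
# Test-SchannelSha512 -Fix           # apply it (elevated shell required)
```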