[Dovecot] TLS/SSL for Win8 & Outlook

Robert Schetterer rs at sys4.de
Thu Jun 26 15:13:20 UTC 2014


On 26.06.2014 11:53, Adi Kriegisch wrote:
> On Wed, May 21, 2014 at 09:14:26PM +0200, Robert Schetterer wrote:
>> On 21.05.2014 19:47, Sebastian Goodrick wrote:
>>> I just installed the (rapid-ssl) certificate and it works now.
>>> Needless to say that I don't understand it. The old certificate worked
>>> with all other clients but win8/outlook, plus the old dovecot install
>>> worked with win8/outlook as well.
> I am struggling with the same issue for some time now: win8/outlook isn't
> able to connect to dovecot 2.2.9 (from Debian/backports); the error on the
> outlook side of things is 0x800CCC0E which is really helpful.

Read the orig thread again; I've tested a brand new Win 8.1 / Outlook 2013
install at the latest patch level with Dovecot 2.2.13 TLS, no problem. The
orig problem had gone away using another crt from rapid-ssl for an unknown
reason; needless to say there may be tons of other reasons
why it fails at your site. However, I'm nearly sure that there is no
default bug in Dovecot.

> 
> The suggestion to disable TLSv1.2 on the windows side is dangerous:
> win8/8.1 requires TLSv1.2 for downloading updates -- no TLSv1.2, no
> updates. If absolutely necessary, disable TLSv1.2 on the dovecot side of
> things!
> 
> I decided to do some additional debugging by running 'openssl s_server' on
> the imap server with the very same certificates and settings (as far as it
> is possible with s_server) on a different port, changed the port in outlook
> and manually proxied the imap requests through: That way outlook works just
> fine:
> 
> openssl s_server -tls1_2 -accept 8993 -cert /etc/dovecot/my.crt \
>     -key /etc/dovecot/private/my.key -serverpref -cipher '...(*)' \
>     -dhparam /root/group16.pem
> 
> (group16.pem contains 4096bit DH params that are standardized; on the
> dovecot side, the dhparam length is set to 4096bit as well)
> 
> The very same thing happens with two different classes of ciphers:
> ECDHE-RSA-AES256-SHA (which is what win8/outlook used to use before the
> last update) and with DHE-RSA-AES256-GCM-SHA384 (which was just recently
> added by the last update by Microsoft). So neither EC nor DHE cause any
> changes in the behavior (as I was suspecting dovecot's dh params for some
> time).
> 
> I think something in the handshake doesn't work the way it should and
> causes ms crypto api (v6.3 and v6.2) to just close the connection after
> handshake (a packet capture just shows the client sends a RST after key
> exchange).
> 
> 
>> there were some bugfixes with certificates ( windows )
>> but that should not impact brand new installs with full recent patch level
> AFAIK new (pretty cool) ciphers were introduced and I don't see how the
> issue can be solved by changing the certificate: I used a cert from CACert
> and a Cert signed by my own CA -- both resulting in a non-working
> connection between dovecot and outlook on win8(.1).
> However using the very same certificate with OpenSSL's s_server, the
> connection worked just fine (as did disabling TLSv1.2) -- both indicators
> that the certificates are just fine.
> 
> The only thing I can imagine that EC and DHE have in common are some SSL
> extensions like session tickets (which outlook tried to use). Here are the
> details of the session outlook established with s_server:
> openssl sess_id -text -in param
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : C014             ## this is ECDHE-RSA-AES256-SHA
> or: 
>     Cipher    : 009F             ## this is with DHE-RSA-AES256-GCM-SHA384
>     Session-ID:
>     Session-ID-ctx: 01000000
>     Master-Key: (...)
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1403774959
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
> 
> I hope someone can help me/us out here!
> 
> Thanks!
> 
> -- Adi
> 
> (*) see https://bettercrypto.org for a usable cipher string...
> 



Best Regards
Kind regards, Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
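The comparison quoted above moves Outlook over to an openssl s_server; the same split can be driven from the client side against the real Dovecot port. What follows is an added example, not code from the thread or from Dovecot: it attempts a TLS 1.2-only handshake against a given host and port once per key-exchange family (using the two cipher names from the post) and classifies the outcome, separating a server that drops the connection after the key exchange (the RST seen in the capture) from one that answers with a TLS alert. The host, the port and the local closing_server() stand-in are the example's own assumptions.

```python
import socket
import ssl
import threading

# OpenSSL names of the two families the post compares; keys are report labels.
FAMILIES = {"ECDHE": "ECDHE-RSA-AES256-SHA", "DHE": "DHE-RSA-AES256-GCM-SHA384"}

def probe(host, port, cipher, timeout=5.0):
    """One TLS 1.2-only handshake attempt; returns (status, detail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # Certificate validity is not the question; completing the key exchange is.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        return "unavailable-locally", cipher  # this OpenSSL build lacks it
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", tls.cipher()[0]
    except ConnectionRefusedError:
        return "refused", ""
    except ConnectionResetError:
        return "closed-during-handshake", "RST"  # the symptom in the thread
    except ssl.SSLError as exc:
        if isinstance(exc, ssl.SSLEOFError) or "EOF" in str(exc).upper():
            return "closed-during-handshake", "EOF"
        return "tls-error", exc.reason or str(exc)  # a real alert, e.g. no shared cipher
    except OSError as exc:
        return "network-error", str(exc)

def probe_families(host, port):
    """Same server, one attempt per family: the split is the diagnostic."""
    return {name: probe(host, port, c) for name, c in FAMILIES.items()}

def closing_server():
    """Local stand-in (assumption) that swallows the ClientHello and hangs up."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        conn.recv(4096)
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]
```

Run `probe_families("imap.example.invalid", 993)` against your own server; a result of "ok" for one family and "closed-during-handshake" for the other points at the key-exchange configuration rather than the certificate.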