On Thu, 26 Jun 2014 11:53:49 +0200, Adi Kriegisch stated:

> On Wed, May 21, 2014 at 09:14:26PM +0200, Robert Schetterer wrote:
> > On 21.05.2014 19:47, Sebastian Goodrick wrote:
> > > I just installed the (rapid-ssl) certificate and it works now.
> > > Needless to say that I don't understand it. The old certificate worked
> > > with all other clients but win8/outlook, plus the old dovecot install
> > > worked with win8/outlook as well.
> I am struggling with the same issue for some time now: win8/outlook isn't
> able to connect to dovecot 2.2.9 (from Debian/backports); the error on the
> outlook side of things is 0x800CCC0E which is really helpful.
>
> The suggestion to disable TLSv1.2 on the windows side is dangerous:
> win8/8.1 requires TLSv1.2 for downloading updates -- no TLSv1.2, no
> updates. If absolutely necessary, disable TLSv1.2 on the dovecot side of
> things!
>
> I decided to do some additional debugging by running 'openssl s_server' on
> the imap server with the very same certificates and settings (as far as it
> is possible with s_server) on a different port, changed the port in outlook
> and manually proxied the imap requests through: That way outlook works just
> fine:
>
>   openssl s_server -tls1_2 -accept 8993 -cert /etc/dovecot/my.crt \
>     -key /etc/dovecot/private/my.key -serverpref -cipher '...(*)' \
>     -dhparam /root/group16.pem
>
> (group16.pem contains 4096bit DH params that are standardized; on the
> dovecot side, the dhparam length is set to 4096bit as well)
>
> The very same thing happens with two different classes of ciphers:
> ECDHE-RSA-AES256-SHA (which is what win8/outlook used to use before the
> last update) and with DHE-RSA-AES256-GCM-SHA384 (which was just recently
> added by the last update by Microsoft). So neither EC nor DHE cause any
> changes in the behavior (as I was suspecting dovecot's dh params for some
> time).
>
> I think something in the handshake doesn't work the way it should and
> causes ms crypto api (v6.3 and v6.2) to just close the connection after
> handshake (a packet capture just shows the client sends a RST after key
> exchange).
>
> > there were some bugfixes with certificates ( windows )
> > but that should not impact brand new installs with full recent patch level
> AFAIK new (pretty cool) ciphers were introduced and I don't see how the
> issue can be solved by changing the certificate: I used a cert from CACert
> and a Cert signed by my own CA -- both resulting in a non-working
> connection between dovecot and outlook on win8(.1).
> However using the very same certificate with OpenSSL's s_server, the
> connection worked just fine (as did disabling TLSv1.2) -- both indicators
> that the certificates are just fine.
>
> The only thing I can imagine that EC and DHE have in common are some SSL
> extensions like session tickets (which outlook tried to use). Here are the
> details of the session outlook established with s_server:
>   openssl sess_id -text -in param
>   SSL-Session:
>       Protocol  : TLSv1.2
>       Cipher    : C014  ## this is ECDHE-RSA-AES256-SHA
>   or:
>       Cipher    : 009F  ## this is with DHE-RSA-AES256-GCM-SHA384
>       Session-ID:
>       Session-ID-ctx: 01000000
>       Master-Key: (...)
>       Key-Arg   : None
>       PSK identity: None
>       PSK identity hint: None
>       SRP username: None
>       Start Time: 1403774959
>       Timeout   : 7200 (sec)
>       Verify return code: 0 (ok)
>
> I hope someone can help me/us out here!
>
> Thanks!
>
> -- Adi
>
> (*) see https://bettercrypto.org for a usable cipher string...

I did some checking on MS forums for this problem.

SMTP, Port: 25, Secure(SSL): No, Socket Error: 10060, Error Number: 0x800CCC0E

According to many of the posters, the problem is often caused by the AV
program blocking or messing with port 25. What version of Outlook are you
using anyway?

-- 
Jerry