TobiasPl
Guest
I work in the IT department for an organization that uses PKI-issued certificates (backed by keychain to a root certificate) to digitally sign emails using Outlook 2019 and Exchange 2012. While trying to deploy signed S/MIME emails to more users within our organization, I noticed that despite the certificate supporting SHA2 up to 512-bit, Outlook is only signing with SHA-1, which is insecure.
I tried changing the hash algorithm to SHA256 or higher in Outlook's Trust Center, but the changes don't stick - if I click OK on an affected computer and open up the dialog again, the setting for the hashing algorithm reverts to SHA-1. There's no error message - the value just doesn't change permanently.
Digging around, I noticed some clients exhibited this behavior, while others did not. After even more digging around, it turned out the factor that reliably produced this behavior was updating Office 2019 to the most current version, Build 10354.20022 (x86), on the Office2019VL Perpetual Channel.
PCs with unaffected Outlook clients ran:
1. Office 2010 x86 (on Windows 7, domain-joined and managed by third-party software)
2. Office 2013 x86 (on Windows 8, domain-joined and manually managed by the user)
3. Office 2016 x64 (on Windows 10, non-domain-joined)
4. Office 2019 xBuild 10352.20042 (on Windows 10, non-domain-joined)
5. Office 2019 x86 (Windows 10 Enterprise Build 18363.628, domain-joined, 3rd party managed, reinstalled with Office Build 10352.20042 after uninstalling Office Build 10354.20022 via the OffScrubc2r script)
6. Office365 x64 on my personal laptop (Windows 10 Education Build 18363.628, Office 365 Build 12325.20344)
- PC No. 5 originally exhibited the behavior; after scrubbing and reinstalling with 10352, I could freely set the hashing algorithm. Updating the same install to 10354, I was locked into SHA-1 again.
- I tried similar on PC No. 3 - installing with 10352, everything is still fine. I update to 10354, and again I'm locked into SHA-1.
Could this possibly be a bug with Build 10354, or am I missing something?
If you need additional information, I'm more than happy to oblige!
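One way to confirm which digest a client actually signs with, independent of what the Trust Center dialog shows, is to read the `micalg` parameter of a sent message saved as `.eml`. This is an added example, not part of the original post; the function name `audit` and the sample messages are constructed for illustration, and opaque-signed mail is only identified here because its digest sits inside the CMS blob.

```python
import email
from email.utils import collapse_rfc2231_value

SMIME_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
SMIME_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
WEAK = {"md5", "sha1"}  # spellings vary ("sha1", "SHA-1"), so compare normalized

def _param(msg, name):
    """Content-Type parameter as a lowercase string ('' if absent)."""
    value = msg.get_param(name, "")
    return collapse_rfc2231_value(value).strip().lower()

def audit(raw: bytes) -> dict:
    """Classify one raw RFC 822 message by S/MIME signature form and digest."""
    msg = email.message_from_bytes(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed" and _param(msg, "protocol") in SMIME_SIG:
        # micalg may list several algorithms separated by commas
        algs = [a.strip().replace("-", "")
                for a in _param(msg, "micalg").split(",") if a.strip()]
        return {"form": "clear-signed", "digests": algs,
                "weak": any(a in WEAK for a in algs)}
    if ctype in SMIME_MIME and _param(msg, "smime-type") == "signed-data":
        # Digest is inside the CMS SignedData; the headers do not reveal it.
        return {"form": "opaque-signed", "digests": [], "weak": None}
    return {"form": "unsigned", "digests": [], "weak": None}

def _clear_signed(micalg: bytes) -> bytes:
    """Constructed sample: headers of a clear-signed message (no real signature)."""
    return (b"From: sender@example.test\r\n"
            b"Content-Type: multipart/signed;\r\n"
            b" protocol=\"application/x-pkcs7-signature\";\r\n"
            b" micalg=" + micalg + b"; boundary=\"b1\"\r\n\r\n"
            b"--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n--b1--\r\n")

SAMPLE_SHA1 = _clear_signed(b"SHA1")        # constructed
SAMPLE_SHA256 = _clear_signed(b"sha-256")   # constructed
SAMPLE_OPAQUE = (b"Content-Type: application/pkcs7-mime;"
                 b" smime-type=signed-data; name=smime.p7m\r\n\r\nAAAA\r\n")

if __name__ == "__main__":
    for label, raw in [("sha1", SAMPLE_SHA1), ("sha256", SAMPLE_SHA256),
                       ("opaque", SAMPLE_OPAQUE)]:
        print(label, audit(raw))
```

Running this over one sent message per client build shows whether the signing digest really differs between builds.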