diff --git a/src/NzbDrone.Common/Http/Dispatchers/ManagedHttpDispatcher.cs b/src/NzbDrone.Common/Http/Dispatchers/ManagedHttpDispatcher.cs
index 4cd2a73bc..6fdef87c1 100644
--- a/src/NzbDrone.Common/Http/Dispatchers/ManagedHttpDispatcher.cs
+++ b/src/NzbDrone.Common/Http/Dispatchers/ManagedHttpDispatcher.cs
@@ -1,7 +1,9 @@
 using System;
 using System.Net;
+using NzbDrone.Common.EnvironmentInfo;
 using NzbDrone.Common.Extensions;
 using NzbDrone.Common.Http.Proxy;
+using NzbDrone.Common.Security;
 namespace NzbDrone.Common.Http.Dispatchers
 {
@@ -60,6 +62,11 @@ namespace NzbDrone.Common.Http.Dispatchers
 }
 catch (WebException e)
 {
+ if (e.Status == WebExceptionStatus.SecureChannelFailure && OsInfo.IsWindows)
+ {
+ SecurityProtocolPolicy.DisableTls12();
+ }
+
 httpWebResponse = (HttpWebResponse)e.Response;
 if (httpWebResponse == null)
@@ -89,7 +96,7 @@ namespace NzbDrone.Common.Http.Dispatchers
 webRequest.Proxy = _createManagedWebProxy.GetWebProxy(proxySettings);
 }
 }
-
+
 protected virtual void AddRequestHeaders(HttpWebRequest webRequest, HttpHeader headers)
 {
 foreach (var header in headers)
diff --git a/src/NzbDrone.Common/Security/SecurityProtocolPolicy.cs b/src/NzbDrone.Common/Security/SecurityProtocolPolicy.cs
index c08acd6a5..03fcb97d2 100644
--- a/src/NzbDrone.Common/Security/SecurityProtocolPolicy.cs
+++ b/src/NzbDrone.Common/Security/SecurityProtocolPolicy.cs
@@ -24,6 +24,7 @@ namespace NzbDrone.Common.Security
 protocol |= Tls11;
 }
+ // Enabling Tls1.2 invalidates certificates using md5, so we disable Tls12 on the fly if that happens.
 if (Enum.IsDefined(typeof(SecurityProtocolType), Tls12))
 {
 protocol |= Tls12;
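Review bot: The new `if` inside `catch (WebException e)` turns one failed handshake into a process-wide, permanent downgrade: `SecurityProtocolPolicy.DisableTls12()` rewrites `ServicePointManager.SecurityProtocol` for every later connection to every host, and `WebExceptionStatus.SecureChannelFailure` is raised for many reasons other than the MD5-signed certificate this is meant to work around (cipher-suite mismatch, a connection reset mid-handshake, an intercepting proxy). Any single unreliable or misconfigured endpoint can therefore degrade the TLS offered to all others, and nothing ever restores it. Tie the fallback to the condition it actually targets — for example only when the validation callback has already observed an md5RSA certificate for `webRequest.RequestUri.Authority` — and log that authority at Warn so an operator can later tell why TLS 1.2 stopped being negotiated; a retry of this one request with the reduced protocol set would be the narrower fix than a global flag. Note that the failing request is not retried here, so the first attempt still surfaces the error to the caller. The enclosing method starts and ends outside the hunk.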
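Review bot: The added comment sits above the block that enables TLS 1.2, but it describes behaviour that lives elsewhere (the dispatcher's `SecureChannelFailure` handler and `DisableTls12`), so a reader of `Register` cannot find the "on the fly" disable it refers to. Point at it explicitly, e.g. `// Windows rejects MD5-signed server certificates once TLS 1.2 is offered; ManagedHttpDispatcher calls DisableTls12() when such a handshake fails.` The enclosing method starts and ends outside the hunk.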
@@ -36,5 +37,23 @@ namespace NzbDrone.Common.Security
 Logger.Debug(ex, "Failed to set TLS security protocol.");
 }
 }
+
+ public static void DisableTls12()
+ {
+ try
+ {
+ var protocol = ServicePointManager.SecurityProtocol;
+ if (protocol.HasFlag(Tls12))
+ {
+ Logger.Warn("Disabled Tls1.2 due to remote certificate error.");
+
+ ServicePointManager.SecurityProtocol = protocol & ~Tls12;
+ }
+ }
+ catch (Exception ex)
+ {
+ Logger.Debug(ex, "Failed to disable TLS 1.2 security protocol.");
+ }
+ }
 }
 }
diff --git a/src/NzbDrone.Common/Security/X509CertificateValidationPolicy.cs b/src/NzbDrone.Common/Security/X509CertificateValidationPolicy.cs
index bbeacef3d..1ef25694e 100644
--- a/src/NzbDrone.Common/Security/X509CertificateValidationPolicy.cs
+++ b/src/NzbDrone.Common/Security/X509CertificateValidationPolicy.cs
@@ -24,6 +24,13 @@ namespace NzbDrone.Common.Security
 return true;
 }
+ var req = sender as HttpWebRequest;
+ var cert2 = certificate as X509Certificate2;
+ if (cert2 != null && req != null && cert2.SignatureAlgorithm.FriendlyName == "md5RSA")
+ {
+ Logger.Error("https://{0} uses the obsolete md5 hash in it's https certificate, if that is your certificate, please (re)create certificate with better algorithm as soon as possible.", req.RequestUri.Authority);
+ }
+
 if (sslPolicyErrors == SslPolicyErrors.None)
 {
 return true;
@@ -34,4 +41,4 @@ namespace NzbDrone.Common.Security
 return true;
 }
 }
-}
\ No newline at end of file
+}
diff --git a/src/NzbDrone.Host/Bootstrap.cs b/src/NzbDrone.Host/Bootstrap.cs
index 0422665ad..24a151eeb 100644
--- a/src/NzbDrone.Host/Bootstrap.cs
+++ b/src/NzbDrone.Host/Bootstrap.cs
@@ -21,8 +21,8 @@ namespace NzbDrone.Host
 {
 try
 {
- X509CertificateValidationPolicy.Register();
 SecurityProtocolPolicy.Register();
+ X509CertificateValidationPolicy.Register();
 Logger.Info("Starting Sonarr - {0} - Version {1}", Assembly.GetCallingAssembly().Location, Assembly.GetExecutingAssembly().GetName().Version);
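Review bot: `DisableTls12` leaves no record of why or for whom the process-wide protocol set was reduced: the Warn text asserts a "remote certificate error" that the caller never verifies (it fires on any `SecureChannelFailure`), and the host that triggered it is not logged, so an operator later finds every connection negotiating at most TLS 1.1 with nothing to trace it back to. Take the triggering authority and say what actually happened, e.g. `public static void DisableTls12(string authority)` with `Logger.Warn("Disabling TLS 1.2 for this process after a secure-channel failure talking to {0}; all later connections are affected.", authority);`, keeping the parameterless form as a forwarding overload if other callers need it. The read-modify-write of `ServicePointManager.SecurityProtocol` is unguarded against concurrent callers; the result is idempotent, so that only duplicates the log line, but a `static` flag the dispatcher can check before calling would avoid repeated work. Demoting the catch to Debug means a failed downgrade is invisible at the default log level, unlike the Warn on the success path.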
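Review bot: The MD5 detection compares `cert2.SignatureAlgorithm.FriendlyName` with `"md5RSA"`, but FriendlyName is a provider-supplied display string that differs between .NET on Windows and Mono, whereas the OID is stable everywhere; compare `cert2.SignatureAlgorithm.Value == "1.2.840.113549.1.1.4"` (md5WithRSAEncryption) instead, so the warning is not silently skipped on the platforms that do not also get the `DisableTls12` fallback. Because the check runs before the `SslPolicyErrors.None` early return, the Error line is written on every request to such a host; remembering authorities already reported would keep the log useful. The message also reads `it's` where `its` is meant, and the two `as` casts silently skip non-`HttpWebRequest` senders, which deserves a one-line comment. The callback starts outside the hunk.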
@@ -144,4 +144,4 @@ namespace NzbDrone.Host
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/src/NzbDrone.Update/UpdateApp.cs b/src/NzbDrone.Update/UpdateApp.cs
index ca3542838..bad208032 100644
--- a/src/NzbDrone.Update/UpdateApp.cs
+++ b/src/NzbDrone.Update/UpdateApp.cs
@@ -30,14 +30,14 @@ namespace NzbDrone.Update
 {
 try
 {
+ SecurityProtocolPolicy.Register();
+ X509CertificateValidationPolicy.Register();
+
 var startupArgument = new StartupContext(args);
 NzbDroneLogger.Register(startupArgument, true, true);
 Logger.Info("Starting Sonarr Update Client");
- X509CertificateValidationPolicy.Register();
- SecurityProtocolPolicy.Register();
-
 _container = UpdateContainerBuilder.Build(startupArgument);
 _container.Resolve().Start(args);
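Review bot: Moving the two `Register()` calls above `NzbDroneLogger.Register(startupArgument, true, true)` means anything they log on failure (`SecurityProtocolPolicy.Register` catches and logs, as the SecurityProtocolPolicy.cs hunk shows) now happens before the update client's logging is configured, so it presumably lands only in whatever default targets exist, if any. If the goal is to have TLS policy in place before the first network call, that still holds with the logger set up first: `var startupArgument = new StartupContext(args);` then `NzbDroneLogger.Register(startupArgument, true, true);` and only then the two policy `Register()` calls, since neither `StartupContext` nor the logger appears to use the network. The enclosing method starts before the hunk.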