Comment 8 for bug 82515

C de-Avillez (hggdh2) wrote :

Yes, I fully agree on waiting for upstream comments -- they will know much more than I do about Evolution.

Meanwhile, I tested my patch here, and sniffed some traffic to Gmail. As I expected, Evolution is now sending out an SSL Client Hello with all ciphersuites enabled:

(cut off Wireshark's output)

Secure Socket Layer
    SSLv2 Record Layer: Client Hello
        Length: 112
        Handshake Message Type: Client Hello (1)
        Version: SSL 3.0 (0x0300)
        Cipher Spec Length: 87
        Session ID Length: 0
        Challenge Length: 16
        Cipher Specs (29 specs)
            Cipher Spec: SSL2_RC4_128_WITH_MD5 (0x010080)
            Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x030080)
            Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700c0)
            Cipher Spec: SSL2_DES_64_CBC_WITH_MD5 (0x060040)
            Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 (0x020080)
            Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x040080)
            Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x000039)
            Cipher Spec: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x000038)
            Cipher Spec: TLS_RSA_WITH_AES_256_CBC_SHA (0x000035)
            Cipher Spec: TLS_DHE_DSS_WITH_RC4_128_SHA (0x000066)
            Cipher Spec: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x000033)
            Cipher Spec: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x000032)
            Cipher Spec: TLS_RSA_WITH_RC4_128_MD5 (0x000004)
            Cipher Spec: TLS_RSA_WITH_RC4_128_SHA (0x000005)
            Cipher Spec: TLS_RSA_WITH_AES_128_CBC_SHA (0x00002f)
            Cipher Spec: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x000016)
            Cipher Spec: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x000013)
            Cipher Spec: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0x00feff)
            Cipher Spec: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00000a)
            Cipher Spec: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x000015)
            Cipher Spec: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x000012)
            Cipher Spec: SSL_RSA_FIPS_WITH_DES_CBC_SHA (0x00fefe)
            Cipher Spec: TLS_RSA_WITH_DES_CBC_SHA (0x000009)
            Cipher Spec: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x000064)
            Cipher Spec: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x000062)
            Cipher Spec: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x000003)
            Cipher Spec: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x000006)
            Cipher Spec: TLS_RSA_WITH_NULL_SHA (0x000002)
            Cipher Spec: TLS_RSA_WITH_NULL_MD5 (0x000001)
        Challenge

So it is working.

But... a bit to my surprise, Gmail still selected the same ciphersuite as before the patch -- TLS_RSA_WITH_RC4_128_MD5. This is not actually unexpected, and was one of the reasons I stated earlier that I would like to be able to select the ciphersuites to be tried on the SSL/TLS session.

Fridtjof -- One thing to be kept in mind is that it is the server that will select a ciphersuite (from the set of common suites). Offering more options will not necessarily result in stronger ciphers being selected by the server. In other words, your mileage may vary among your email servers.
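
An added example, not part of the original comment or of Evolution's code: a parser for the SSLv2-format Client Hello shown in the capture, reporting which offered cipher specs a client should not be advertising. The sample record is constructed from a subset of the spec codes listed above; the function names and the weakness policy are assumptions.

```python
import struct

# Names copied from the Wireshark dissection in the comment (subset of the 29 specs).
SPEC_NAMES = {
    0x010080: "SSL2_RC4_128_WITH_MD5",
    0x020080: "SSL2_RC4_128_EXPORT40_WITH_MD5",
    0x000039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x000004: "TLS_RSA_WITH_RC4_128_MD5",
    0x00000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x000009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x000001: "TLS_RSA_WITH_NULL_MD5",
}

def parse_v2_client_hello(record: bytes):
    """Return (version, [3-byte cipher spec codes]) from an SSLv2-format Client Hello."""
    if len(record) < 2 or not record[0] & 0x80:
        raise ValueError("not a 2-byte-header SSLv2 record")
    length = struct.unpack(">H", record[:2])[0] & 0x7FFF
    body = record[2:2 + length]
    if len(body) != length or length < 9 or body[0] != 1:
        raise ValueError("truncated record or not a Client Hello")
    version, spec_len, sid_len, chal_len = struct.unpack(">HHHH", body[1:9])
    if spec_len % 3 or 9 + spec_len + sid_len + chal_len != length:
        raise ValueError("inconsistent length fields")
    specs = body[9:9 + spec_len]
    return version, [int.from_bytes(specs[i:i + 3], "big") for i in range(0, spec_len, 3)]

def weakness(code: int):
    """Reason a spec should not be offered, or None (policy here is an assumption)."""
    if code >> 16:  # SSLv2 cipher kinds have a non-zero first byte
        return "SSLv2 cipher kind"
    if code not in SPEC_NAMES:  # fail closed on anything we cannot name
        return "not in name table"
    for marker, reason in (("NULL", "no encryption"), ("EXPORT", "export-grade key"),
                           ("_DES_CBC", "single DES"), ("RC4", "RC4")):
        if marker in SPEC_NAMES[code]:
            return reason
    return None

def audit(record: bytes):
    _, codes = parse_v2_client_hello(record)
    return {SPEC_NAMES.get(c, hex(c)): weakness(c) for c in codes if weakness(c)}

def build_sample():
    """Constructed record in the capture's layout: no session ID, 16-byte challenge."""
    specs = b"".join(c.to_bytes(3, "big") for c in SPEC_NAMES)
    body = struct.pack(">BHHHH", 1, 0x0300, len(specs), 0, 16) + specs + bytes(16)
    return struct.pack(">H", 0x8000 | len(body)) + body
```

Because the server picks from whatever the client offers, the flagged entries are the ones to drop from the client's offer rather than rely on the server to avoid.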