Yes, I fully agree on waiting for upstream comments -- they will know much more than I do about Evolution.
Meanwhile, I tested my patch here, and sniffed some traffic to Gmail. As I expected, Evolution is now sending out an SSL Client Hello with all ciphersuites enabled:
(cut off wireshark's output)
Secure Socket Layer
    SSLv2 Record Layer: Client Hello
        Length: 112
        Handshake Message Type: Client Hello (1)
        Version: SSL 3.0 (0x0300)
        Cipher Spec Length: 87
        Session ID Length: 0
        Challenge Length: 16
        Cipher Specs (29 specs)
            Cipher Spec: SSL2_RC4_128_WITH_MD5 (0x010080)
            Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x030080)
            Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700c0)
            Cipher Spec: SSL2_DES_64_CBC_WITH_MD5 (0x060040)
            Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 (0x020080)
            Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x040080)
            Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x000039)
            Cipher Spec: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x000038)
            Cipher Spec: TLS_RSA_WITH_AES_256_CBC_SHA (0x000035)
            Cipher Spec: TLS_DHE_DSS_WITH_RC4_128_SHA (0x000066)
            Cipher Spec: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x000033)
            Cipher Spec: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x000032)
            Cipher Spec: TLS_RSA_WITH_RC4_128_MD5 (0x000004)
            Cipher Spec: TLS_RSA_WITH_RC4_128_SHA (0x000005)
            Cipher Spec: TLS_RSA_WITH_AES_128_CBC_SHA (0x00002f)
            Cipher Spec: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x000016)
            Cipher Spec: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x000013)
            Cipher Spec: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0x00feff)
            Cipher Spec: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00000a)
            Cipher Spec: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x000015)
            Cipher Spec: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x000012)
            Cipher Spec: SSL_RSA_FIPS_WITH_DES_CBC_SHA (0x00fefe)
            Cipher Spec: TLS_RSA_WITH_DES_CBC_SHA (0x000009)
            Cipher Spec: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x000064)
            Cipher Spec: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x000062)
            Cipher Spec: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x000003)
            Cipher Spec: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x000006)
            Cipher Spec: TLS_RSA_WITH_NULL_SHA (0x000002)
            Cipher Spec: TLS_RSA_WITH_NULL_MD5 (0x000001)
        Challenge
So it is working.
But... a bit to my surprise, Gmail still selected the same ciphersuite as before the patch -- TLS_RSA_WITH_RC4_128_MD5. This is not actually unexpected, and was one of the reasons I stated earlier that I would like to be able to select the ciphersuites to be tried on the SSL/TLS session.
Fridtjof -- One thing to be kept in mind is that it is the server that will select a ciphersuite (from the set of common suites). Offering more options will not necessarily result in stronger ciphers being selected by the server. In other words, your mileage may vary among your email servers.
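
The selection behaviour described in this comment, as an added example that is not part of the original comment or of Evolution's code: it parses the 3-byte cipher specs of an SSLv2-format Client Hello, lists the weak suites on offer, and models a server choosing by its own preference order. The suite codes and names are a subset of the capture above; SERVER_PREF is a hypothetical preference list and CLIENT_OFFER is constructed sample input.

```python
# Code -> name, a subset of the Wireshark capture quoted in the comment.
NAMES = {
    0x010080: "SSL2_RC4_128_WITH_MD5",
    0x000039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x000035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x00002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000004: "TLS_RSA_WITH_RC4_128_MD5",
    0x000003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x000001: "TLS_RSA_WITH_NULL_MD5",
}
WEAK_MARKERS = ("SSL2_", "EXPORT", "NULL", "RC4")

# Constructed sample: the cipher-spec field a client offering every suite would send.
CLIENT_OFFER = b"".join(code.to_bytes(3, "big") for code in NAMES)
# Assumption: a server that prefers RC4 over AES (hypothetical ordering).
SERVER_PREF = [0x000004, 0x000005, 0x00002F, 0x000035]

def parse_cipher_specs(blob):
    """Split an SSLv2-format cipher-spec field into 3-byte suite codes."""
    if len(blob) % 3:
        raise ValueError("cipher spec length must be a multiple of 3")
    return [int.from_bytes(blob[i:i + 3], "big") for i in range(0, len(blob), 3)]

def weak_offers(codes):
    """Names of offered suites that are SSLv2, export-grade, NULL or RC4."""
    names = (NAMES.get(c, "") for c in codes)
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]

def server_select(client_codes, server_pref):
    """Return the first suite in the server's order that the client offered."""
    offered = set(client_codes)
    for code in server_pref:
        if code in offered:
            return code
    return None  # no common suite: the handshake fails

if __name__ == "__main__":
    offered = parse_cipher_specs(CLIENT_OFFER)
    print("weak suites offered:", weak_offers(offered))
    # Offering everything: the server still lands on RC4_128_MD5.
    print("full offer  ->", NAMES[server_select(offered, SERVER_PREF)])
    # Restricting the client's list is what changes the outcome.
    aes_only = [c for c in offered if "AES" in NAMES[c]]
    print("AES only    ->", NAMES[server_select(aes_only, SERVER_PREF)])
```
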