[Bug 82515] Re: Evolution uses weak encryption for SSL/TLS

hggdh hggdh2 at gmail.com
Thu Feb 22 22:38:26 UTC 2007 

Yes, I fully agree on waiting for upstream comments -- they will know
much more than I do about Evolution.

Meanwhile, I tested my patch here, and sniffed some traffic to GMail. As
I expected, Evolution is now sending out a SSL Client Hello with all
ciphersuites enabled:

(cut off wireshark's output)

Secure Socket Layer
    SSLv2 Record Layer: Client Hello
        Length: 112
        Handshake Message Type: Client Hello (1)
        Version: SSL 3.0 (0x0300)
        Cipher Spec Length: 87
        Session ID Length: 0
        Challenge Length: 16
        Cipher Specs (29 specs)
            Cipher Spec: SSL2_RC4_128_WITH_MD5 (0x010080)
            Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x030080)
            Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700c0)
            Cipher Spec: SSL2_DES_64_CBC_WITH_MD5 (0x060040)
            Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 (0x020080)
            Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x040080)
            Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x000039)
            Cipher Spec: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x000038)
            Cipher Spec: TLS_RSA_WITH_AES_256_CBC_SHA (0x000035)
            Cipher Spec: TLS_DHE_DSS_WITH_RC4_128_SHA (0x000066)
            Cipher Spec: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x000033)
            Cipher Spec: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x000032)
            Cipher Spec: TLS_RSA_WITH_RC4_128_MD5 (0x000004)
            Cipher Spec: TLS_RSA_WITH_RC4_128_SHA (0x000005)
            Cipher Spec: TLS_RSA_WITH_AES_128_CBC_SHA (0x00002f)
            Cipher Spec: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x000016)
            Cipher Spec: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x000013)
            Cipher Spec: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0x00feff)
            Cipher Spec: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00000a)
            Cipher Spec: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x000015)
            Cipher Spec: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x000012)
            Cipher Spec: SSL_RSA_FIPS_WITH_DES_CBC_SHA (0x00fefe)
            Cipher Spec: TLS_RSA_WITH_DES_CBC_SHA (0x000009)
            Cipher Spec: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x000064)
            Cipher Spec: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x000062)
            Cipher Spec: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x000003)
            Cipher Spec: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x000006)
            Cipher Spec: TLS_RSA_WITH_NULL_SHA (0x000002)
            Cipher Spec: TLS_RSA_WITH_NULL_MD5 (0x000001)
        Challenge

So it is working.

But... a bit to my surprise, gmail still selected the same ciphersuite
as before the patch -- TLS_RSA_WITH_RC4_128_MD5. This is not actually
unexpected, and was one of the reasons I stated earlier that I would
like to be able to select the ciphersuites to be tried on the SSL/TLS
session.

Fridtjof  -- One thing to be kept in mind is that it is the server that
will select a ciphersuite (from the set of common suites). Offering more
options will not necessarily result in stronger ciphers being selected
by the server. In other words, your mileage may vary among your email
servers.

-- 
Evolution uses weak encryption for SSL/TLS
https://launchpad.net/bugs/82515

More information about the desktop-bugs mailing list