Security issues (ssl/tls) was: Anyone else seeing slow gmail

[Jack <ostroffjh users sourceforge net>]

On 2016.07.21 16:20, Albrecht Dreß wrote:
> Hi Jack:
>
> Am 21.07.16 22:02 schrieb(en) Jack:
> > Balsa 2.5.2, as built under Gentoo.  However, I have compiled from  
> > source before, and can easily do so again.  Oddly, my local git  
> > version claims to be many commits ahead, so I'm going to wipe it out  
> > and clone a new copy.
>
> 2.5.2 contains my patch, so the TLSv1.2 /should/ be used...
>
> > Openssl 1.0.2h, as build under Gentoo.  I do have the option of  
> > using libressl 2.4.1 if it would be any better.  I also see openssl  
> > was explicitly compiled with sslv3.
>
> OpenSSL 1.0.2 for sure will support TLSv1.2.  The fact that SSLv3 is  
> still included (for some legacy apps, probably) doesn't do any harm.   
> You can give LibreSSL a try, but it shouldn't make any difference.

Is there any (reasonably easy) way to determine which version is  
actually being used?  I've tried balsa -d with debug checked in the  
config page, but don't see anything useful.  In the popfile log, I see  
"pop3: 529: Attempting to connect to SSL server at pop.gmail.com:995"  
but a few lines later I see "auth plaintext".  I suppose next I'll  
start digging into the ssl config itself to see what logging it does.   
I really don't want to have to resort to setting up wireshark, but I  
suppose it's an option to be certain.
> > I have libesmtp 1.0.6.
>
> Here we are lost, as there have been no changes (including no  
> security fixes) since ages...
>
> Please remember that I might be totally wrong looking at possible TLS  
> issues... :-/
>
> Cheers,
> Albrecht.