Re: [Evolution] TLSv1+ support



On Nik Mitev wrote:
> Hi,
>
> I am using Evolution v 3.10.4, as distributed with Ubuntu 14.04
> After the recent SSLv3 vulnerabilities I disabled SSLv3 support on my
> dovecot server, leaving TLS1, 1.1 and 1.2
> This broke connectivity and evolution now complains that
> "no common encryption algorithms exist".

Are you sure you correctly disabled it?
OpenSSL has a cipher parameter, which also accepts protocols as an alias
for all ciphers from that version. Such a setting looks like it's the way
to disable SSL3, but what it does is to disable all SSL3 ciphers. TLS1
doesn't add new ciphers, so a change like that ends up disabling TLS1,
too.
Any TLS1 connection to a system with such configuration will end up
failing with a "no shared ciphers" error.


> ssldump on the server shows that a SSLv3 hello is issued by Evolution.
> Since that is not supported, the connection dies without an attempt to
> use any of the newer protocols.

Which of the version fields are you looking at? You should look inside the
Client Hello (bytes 10-11), NOT at the handshake (bytes 4-5).



> Is there a setting for it that I am missing? Can proper TLS support be
> manually compiled in? I would really hate to have to switch mail
> clients.

I would start by checking that the server does support TLS1.


Best regards
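
Added example, not part of the original message: a small Python parser that reads both version fields from a captured ClientHello, showing that the record-layer version and the version offered inside the ClientHello are separate values. The sample bytes are constructed for illustration, the function names are hypothetical, and the SSLv2-format branch goes beyond the case discussed in the thread.

```python
import struct

NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def name(ver):
    return NAMES.get(ver, "unknown %d.%d" % ver)

def build_sample_client_hello(record_ver, client_ver):
    """Constructed sample: one TLS record holding a minimal ClientHello."""
    body = bytes(client_ver)          # client_version
    body += bytes(32)                 # random (zeroed for the sample)
    body += b"\x00"                   # empty session_id
    body += b"\x00\x02\x00\x2f"       # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"               # null compression only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(record_ver) + struct.pack(">H", len(hs)) + hs

def hello_versions(data):
    """Return (record-layer version, ClientHello client_version) as names."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2-format hello: 2-byte header, msg type, then the offered version
        return ("SSLv2-format header", name((data[3], data[4])))
    if len(data) < 11:
        raise ValueError("truncated: need at least 11 bytes")
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    # Zero-based offsets 1-2: record-layer version, often set lower than
    # the offered version for compatibility.
    # Zero-based offsets 9-10 (bytes 10-11 counting from 1): client_version,
    # the highest protocol version the client offers.
    return (name((data[1], data[2])), name((data[9], data[10])))

if __name__ == "__main__":
    # Record layer says SSLv3, yet the client is offering TLSv1.2.
    sample = build_sample_client_hello((3, 0), (3, 3))
    print(hello_versions(sample))
```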


