** Changed in: evolution
Importance: Unknown = Medium
--
Evolution uses weak encryption for SSL/TLS
https://bugs.launchpad.net/bugs/82515
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is a bug assignee.
--
desktop-bugs mailing list
the bug is fixed in gutsy
** Changed in: evolution (Ubuntu)
Status: Fix Committed = Fix Released
--
Evolution uses weak encryption for SSL/TLS
https://bugs.launchpad.net/bugs/82515
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is a bug
The bug has been fixed upstream applying the patch from hggdh.
--
Evolution uses weak encryption for SSL/TLS
https://bugs.launchpad.net/bugs/82515
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is a bug assignee.
--
desktop-bugs mailing list
** Changed in: evolution (upstream)
Status: In Progress = Fix Released
--
Evolution uses weak encryption for SSL/TLS
https://bugs.launchpad.net/bugs/82515
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is a bug assignee.
--
desktop-bugs mailing
** Changed in: evolution (Ubuntu)
Status: Confirmed = Fix Committed
--
Evolution uses weak encryption for SSL/TLS
https://bugs.launchpad.net/bugs/82515
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is a bug assignee.
--
desktop-bugs mailing
** Changed in: evolution (upstream)
Status: New = In Progress
--
Evolution uses weak encryption for SSL/TLS
https://bugs.launchpad.net/bugs/82515
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is a bug assignee.
--
desktop-bugs mailing list
proposed my patch upstream.
--
Evolution uses weak encryption for SSL/TLS
https://bugs.launchpad.net/bugs/82515
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is a bug assignee.
--
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
Well, no comment from upstream so far. I still consider this a security-
issue as evolution uses a quite weak cipher by default (I can live with
RC4-MD5 as fallback, but not as a default).
--
Evolution uses weak encryption for SSL/TLS
https://launchpad.net/bugs/82515
--
desktop-bugs mailing
@Fridtjorf:
I agree, this is, probably, a security concern. But there are some
mitigations: RC4-128 is not that weak at all, and there are other
safeguards that can be deployed -- like encrypting the e-mail before
sending. What I am trying to say is this is not a critical issue, and
there is
Yes, I fully agree on waiting for upstream comments -- they will know
much more than I do about Evolution.
Meanwhile, I tested my patch here, and sniffed some traffic to GMail. As
I expected, Evolution is now sending out a SSL Client Hello with all
ciphersuites enabled:
(cut off wireshark's
Thank you for your work on that. We will likely wait from upstream
comments about that before using the patch though
--
Evolution uses weak encryption for SSL/TLS
https://launchpad.net/bugs/82515
--
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
tentative patch below. All SSLV2 ciphersuites are enabled by default, so
I do not go on calling SSL_CipherPrefSetDefault() on them. For
simplicity, we could.
--- camel.c 2007-01-03 08:56:19.0 -0600
+++ camel.c.new 2007-02-05 17:19:20.0 -0600
@@ -90,6 +90,7 @@
#ifdef HAVE_NSS
** Changed in: evolution (upstream)
Status: Unknown = Unconfirmed
--
Evolution uses weak encryption for SSL/TLS
https://launchpad.net/bugs/82515
--
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
it really looks like Evolution is letting the factory defaults for NSS
take over -- which means that, although permitted, most of the high-end
encryption suites are not enabled.
I am assuming the ubuntu release of Evolution is using libnss (at least
this is what is marked). I have not looked at
Confirmed. Evolution does not even propose EAS as a valid ciphersuite
when connecting. The following is the output of a ssldump from a
Evolution connection to GMAIL at port 995:
3 1 0.1265 (0.1265) CS SSLv2 compatible client hello
Version 3.0
cipher suites
SSL2_CK_RC4
SSL2_CK_RC2
Thank you for your bug. No need to open upstream bug on launchpad, if
you do that though could you give a pointer to the upstream bug you
opened? The upstream bug for that one is
http://bugzilla.gnome.org/show_bug.cgi?id=402925
** Changed in: evolution (Ubuntu)
Importance: Undecided = Low
An additional comment on this: I would really like to be able to select
a series of ciphersuites to be used. I guess this would be an advanced
option, but would still allow me to at least to deselect those
ciphersuites I really do not want to use -- for example, the *EXPORT*
ones.
Of course,
Sorry for forgetting to add the upstream bugid.
As hggdh's ssldump shows, Evolution uses weak ciphers by it's own choice.
I guess the upstream-reply is going to be we do this for compatibility, but I
don't see a single cipher that could be considered strong. Neither Blowfish nor
Twofish or AES,
18 matches
Mail list logo
