it really looks like Evolution is letting the factory defaults for NSS take over -- which means that, although permitted, most of the high-end encryption suites are not enabled.
I am assuming the ubuntu release of Evolution is using libnss (at least this is what is marked). I have not looked at Evolution with OpenSSL.
In camel.c @ camel_init(), Evolution sets up the use of domestic encryption via a call to NSS_SetDomesticPolicy(), but does not set up the (by default) not enabled ciphersuites, which the Mozilla documentation state as required. This would require calls to SSL_CipherPrefSetDefault() globally, or SSL_CipherPrefSet() on each socket. I cannot find any such calls in the code.
So... it looks that Evolution does need a patch in order to allow high-end ciphersuites to be used. It is missing the necessary setup.
it really looks like Evolution is letting the factory defaults for NSS take over -- which means that, although permitted, most of the high-end encryption suites are not enabled.
I am assuming the ubuntu release of Evolution is using libnss (at least this is what is marked). I have not looked at Evolution with OpenSSL.
In camel.c @ camel_init(), Evolution sets up the use of domestic encryption via a call to NSS_SetDomestic Policy( ), but does not set up the (by default) not enabled ciphersuites, which the Mozilla documentation state as required. This would require calls to SSL_CipherPrefS etDefault( ) globally, or SSL_CipherPrefSet() on each socket. I cannot find any such calls in the code.
So... it looks that Evolution does need a patch in order to allow high-end ciphersuites to be used. It is missing the necessary setup.
c.f. http:// www.mozilla. org/projects/ security/ pki/nss/ ref/ssl/ sslfnc. html#1214758
Of course, I may be completely wrong, but I do not think so.