Author Topic: Option to force encryption protocol (SSL/TLS) version  (Read 6772 times)

schlimmchen

Option to force encryption protocol (SSL/TLS) version
« on: November 14, 2013, 04:58:58 pm »
I use the Pro version and I am very happy with Aquamail.

However, since Cyanogenmod adjusted the default cipher list and preferred SSL/TLS protocol version list (see review.cyanogenmod.org/#/c/51771/), I cannot connect (securely) to my (outdated) E-Mail server of my university. When trying TLSv1.2 or TLSv1.1, the server cancels the connection attempt with a "Handshake Failure" error, because it only supports TLS1.0 (WTF?!).

I would therefore like to see an option (in the manual account setup) that allows forcing the use of SSLv3, TLSv1.0, TLSv1.1 or TLSv1.2.

My vision is something like this: When SSL (strict check or accept any) is selected, a checkbox appears or gets available that says "Force a specific SSL/TLS version". When this is ticked, a dropdown menu becomes available where one can choose the desired encryption protocol version manually.

This would not only help with outdated servers, it would also allow people to force the use of a newer and stronger protocol version, given that the server supports it, although the server would like to use an older one. In short: Help mitigate bidding down attacks.

On a side note: It should say "SSL/TLS", not just "SSL", because "SSL" suggests that only SSLv3 is used.

What do you think?

Best,
schlimmchen
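
The two uses of the option requested above, an exact pin for an outdated server and a floor against downgrade, as an added example that is not part of the original post and not AquaMail's code. It uses the standard JSSE call `SSLSocket.setEnabledProtocols`; the names `TlsVersionPolicy`, `exact`, `atLeast` and `select` are hypothetical, and TLSv1.3 is included although it postdates this thread.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class TlsVersionPolicy {
    // JSSE protocol names, oldest to newest. TLSv1.3 postdates the thread; it is
    // listed so that a floor never excludes a newer version the platform offers.
    static final List<String> ORDER =
            Arrays.asList("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3");

    /** Exact pin: offer only this version (the outdated-server case). */
    static String[] exact(String version, String[] supported) {
        return select(version, version, supported);
    }

    /** Floor: offer this version and everything newer (the downgrade case). */
    static String[] atLeast(String floor, String[] supported) {
        return select(floor, ORDER.get(ORDER.size() - 1), supported);
    }

    static String[] select(String lo, String hi, String[] supported) {
        int from = ORDER.indexOf(lo), to = ORDER.indexOf(hi);
        if (from < 0 || to < from) {
            throw new IllegalArgumentException("unknown protocol version: " + lo);
        }
        List<String> chosen = new ArrayList<>(ORDER.subList(from, to + 1));
        chosen.retainAll(Arrays.asList(supported));
        if (chosen.isEmpty()) {
            // Fail closed instead of silently keeping the platform defaults.
            throw new IllegalStateException("no requested version supported: " + lo);
        }
        return chosen.toArray(new String[0]);
    }

    public static void main(String[] args) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // Unconnected socket: nothing is sent, we only inspect the configuration.
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            String[] supported = socket.getSupportedProtocols();
            socket.setEnabledProtocols(atLeast("TLSv1.2", supported));
            System.out.println("floor TLSv1.2 -> " + Arrays.toString(socket.getEnabledProtocols()));
            socket.setEnabledProtocols(exact("TLSv1", supported));
            System.out.println("pin TLSv1     -> " + Arrays.toString(socket.getEnabledProtocols()));
        }
    }
}
```

On a connected socket, `socket.getSession().getProtocol()` after `startHandshake()` reports the version that was actually negotiated, which is the value to check against the chosen policy.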

Kostya Vasilyev

Re: Option to force encryption protocol (SSL/TLS) version
« Reply #1 on: November 18, 2013, 02:30:58 am »
Happy to hear about CM guys making encryption adjustments for the better of mankind, but do they know the word "compatibility"?

I'm sure they can look it up in a dictionary, maybe even on the web, for convenience.
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Log files for diagnostics: https://www.aqua-mail.com/ru/troubleshooting/

Questions and answers: https://www.aqua-mail.com/ru/faq/

schlimmchen

Re: Option to force encryption protocol (SSL/TLS) version
« Reply #2 on: November 18, 2013, 02:52:35 pm »
Wow, what a shitty answer, I am really unpleasantly surprised! What did the Cyanogenmod Team ever do to you?! Is there some link you can give me where I can read up on how they f* you over?

I actually would like to see their patch merged in some near-future Android version, so developers and service providers would be more than compelled to update their respective stuff because of all the Android users RIGHTFULLY complaining about poorly implemented/not working encryption. So... I take security over compatibility!

And for the AquaMail part: You, the app developer, can still determine what encryption protocol is used in the end, that is why I am making this feature request in the first place! So in my opinion, it is crappy that apps (mostly) did not take care about using proper ciphers and encryption protocol versions until now.

Sad to hear that this will never be a feature of AquaMail.

Kostya Vasilyev

Re: Option to force encryption protocol (SSL/TLS) version
« Reply #3 on: December 02, 2013, 02:05:51 am »
Hello,

They've not done anything to me, I just don't happen to have a passion for custom ROMs personally, whatever...

Let me try it again:

According to what you described, changes in CM broke connectivity to certain mail servers.

"You break it, you fix it", sounds simple enough? Where "you" means "the CM team".