#3571: User should be able to disable TLSv1.1 and TLSv1.2
-------------------------+--------------------------------------------------
  Reporter:  hncaldwell  |       Owner:  mutt-dev
      Type:  defect      |      Status:  closed
  Priority:  minor       |   Milestone:  1.6
 Component:  mutt        |     Version:  1.5.21
Resolution:  fixed       |    Keywords:  patch
-------------------------+--------------------------------------------------
Changes (by me):

 * status:  new => closed
 * resolution:  => fixed

Old description:

> I ran into a problem where I was unable to connect to an Exchange server
> over imaps with mutt after I had upgraded OpenSSL to version 1.0.1.
>
> After examining some pcaps, I realized that after the upgrade, mutt's TLS
> connection was using TLS version 1.2, which I guess resulted in the
> Exchange server not being able to negotiate the connection:
>
> {{{
> ...
> [2012-03-28 10:46:34] 4< * OK Microsoft Exchange Server 2003 IMAP4rev1 server version 6.5.7638.1 (hq-es.FASTSOFT.COM) ready.
> [2012-03-28 10:46:34] IMAP queue drained
> [2012-03-28 10:46:34] Right before imap_check_capabilities call 1
> [2012-03-28 10:46:36] 4> a0000 CAPABILITY^M
> [2012-03-28 10:46:36] SSL error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> [2012-03-28 10:46:36] imap_cmd_step: Error reading server response.
> ...
> }}}
>
> Looking at mutt's code, I realized that there were no options that
> allowed for the explicit selection of a TLS version. I think that there
> should be config options available in order to turn off TLS 1.1 and 1.2.
>
> Attached is a proposed patch to address the problem.

New description:

 I ran into a problem where I was unable to connect to an Exchange server
 over imaps with mutt after I had upgraded OpenSSL to version 1.0.1.

 After examining some pcaps, I realized that after the upgrade, mutt's TLS
 connection was using TLS version 1.2, which I guess resulted in the
 Exchange server not being able to negotiate the connection:

 {{{
 ...
 [2012-03-28 10:46:34] 4< * OK Microsoft Exchange Server 2003 IMAP4rev1 server version 6.5.7638.1 (hq-es.FASTSOFT.COM) ready.
 [2012-03-28 10:46:34] IMAP queue drained
 [2012-03-28 10:46:34] Right before imap_check_capabilities call 1
 [2012-03-28 10:46:36] 4> a0000 CAPABILITY^M
 [2012-03-28 10:46:36] SSL error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
 [2012-03-28 10:46:36] imap_cmd_step: Error reading server response.
 ...
 }}}

 Looking at mutt's code, I realized that there were no options that
 allowed for the explicit selection of a TLS version. I think that there
 should be config options available in order to turn off TLS 1.1 and 1.2.

 Attached is a proposed patch to address the problem.

--
Ticket URL: <http://dev.mutt.org/trac/ticket/3571#comment:6>
Mutt <http://www.mutt.org/>
The Mutt mail user agent