On Wed, May 23, 2012 at 03:57:57PM -0400, Phil Pennock wrote:
Folks,
OpenSSL 1.0.1 introduced support for TLSv1.1 and TLSv1.2. These are not
used by mutt. This patch fixes that.
Counter-intuitively, the OpenSSL folks have TLSv1_client_method()
negotiate *only* TLSv1.0, and SSLv23_client_method() remains the only
method which can negotiate different versions. This is true at least as
of 1.0.1c (the latest release at time of writing).
The attached patch uses SSLv23_client_method() and SSL_CTX_set_options()
to then disable SSLv2 and SSLv3.
This mail is sent with such a patched mutt, and you should thus see that
the initial Received: header uses the cipher:
TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256
After poking around in the OpenSSL code, it looks like what you
can alternatively do is just use TLSv1_2_client_method() and
openssl will autonegotiate the highest TLSv1.x protocol supported
by both client and server.
I just committed [e6b271ed1d7f] which will make Mutt announce
TLSv1.2 support for STARTTLS when used with OpenSSL.
me
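The approach the patch takes, the catch-all client method followed by SSL_CTX_set_options() to switch SSLv2 and SSLv3 off, mirrored in Python's ssl module, which wraps the same OpenSSL calls; this is an added example, not the mutt patch or either poster's code. negotiable_versions() is a hypothetical audit helper that reports which versions such a context can still offer, reading the OP_NO_* bits together with the min/max version bounds that newer OpenSSL enforces separately.

```python
import ssl

# Same bits the mutt patch hands to SSL_CTX_set_options(); Python's ssl
# module exposes OpenSSL's SSL_OP_NO_* flags under the same names.
LEGACY_OFF = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3


def make_client_context() -> ssl.SSLContext:
    """Build a client context the way the patch configures mutt's.

    PROTOCOL_TLS_CLIENT wraps SSLv23_client_method(), the one method that
    can negotiate more than a single version; the options line is the
    Python spelling of SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= LEGACY_OFF
    return ctx


# (name, wire version, OP_NO_* bit), oldest first; TLS 1.3 postdates the thread.
VERSIONS = [
    ("SSLv2", 0x0002, ssl.OP_NO_SSLv2),
    ("SSLv3", 0x0300, ssl.OP_NO_SSLv3),
    ("TLSv1", 0x0301, ssl.OP_NO_TLSv1),
    ("TLSv1.1", 0x0302, ssl.OP_NO_TLSv1_1),
    ("TLSv1.2", 0x0303, ssl.OP_NO_TLSv1_2),
]


def negotiable_versions(ctx: ssl.SSLContext) -> list:
    """Hypothetical audit helper: versions the context may still offer.

    A version is negotiable only if its OP_NO_* bit is clear and it lies
    inside the floor/ceiling that newer OpenSSL tracks separately (exposed
    as minimum_version/maximum_version).  A zero OP_NO_* bit means OpenSSL
    was built without that version, which is how 1.1+ reports SSLv2.
    """
    lo = int(ctx.minimum_version)  # negative means no explicit floor
    hi = int(ctx.maximum_version)  # negative means no explicit ceiling
    offered = []
    for name, wire, bit in VERSIONS:
        if bit == 0 or ctx.options & bit:
            continue
        if (lo > 0 and wire < lo) or (hi > 0 and wire > hi):
            continue
        offered.append(name)
    return offered


if __name__ == "__main__":
    print(negotiable_versions(make_client_context()))
```

On a current Python the floor already excludes TLSv1 and TLSv1.1, so the helper typically reports only TLSv1.2; on an older build it lists every TLSv1.x, which is exactly what the patch intends.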