Hi Christer,

--On October 18, 2014 at 5:49:08 PM +0200 Christer Mjellem Strand
A code change is needed to make it work properly. However, if you are using
a local preferences file what you can do is grep that file for the string
"SSLv3Real" and change that to "TLSv1". That will trick Mulberry into using
the "STARTTLS - TLSv1" option that is otherwise disabled in the preferences
dialog.

For anyone wanting to tweak the code, here is the diff I am currently using
(note line numbers will be way off as I have some other uncommitted changes
in that file right now - but the general approach is to switch to the v23
method to use all the time but use the SSL_OP_NO_XXX to turn of the
undesirable methods):

Index: Mulberry/Sources_Common/Mail/Network/CTLSSocket.cp
===================================================================
--- CTLSSocket.cp (revision 491)
+++ CTLSSocket.cp (working copy)@@ -477,11 +617,9 @@
{
case 1:
case 4:
+ case 2:
m_ctx = ::SSL_CTX_new(::SSLv23_client_method());
break;
- case 2:
- m_ctx = ::SSL_CTX_new(::SSLv3_client_method());
- break;
case 3:
m_ctx = ::SSL_CTX_new(::TLSv1_client_method());
break;
@@ -493,7 +631,7 @@
}

// Work around all known bugs
- ::SSL_CTX_ctrl(m_ctx, SSL_CTRL_OPTIONS, SSL_OP_ALL, NULL);
+ ::SSL_CTX_ctrl(m_ctx, SSL_CTRL_OPTIONS, SSL_OP_ALL | SSL_OP_NO_SSLv2
| SSL_OP_NO_SSLv3, NULL);

Hi Cyrus, thanks for responding so quickly.
I tried this before posting, and while this does seem to work in terms
of forcing it to use STARTTLS - TLSv1, unfortunately this doesn't
really help since the protocols affected are the same ones that don't
use STARTTLS (HTTP et al).

David R Bosso kindly tipped me off off-list however that the SSLv23
method, where available, does include TLSv1. This has fixed the problem
for me in Linux, where Mulberry is built against a relatively recent
version of OpenSSL. In Windows (using 4.0.8), however, only the
STARTTLS - TLSv1 and SSLv3 optons are available - not the SSLv23 option.
[..]

Thanks for that - I'll be sure to include these the next time I
rebuild. I also intend to play around with TLS Interposer[1], which I'm
already using for several pieces of server-based software that lack
configurable ciphers. Looking at its source, it seems to me the
necessary changes to add support for ECDHE ciphers would be a matter of
a few lines, which would seem a worthwhile effort for someone touching
this code.

This still leaves the Windows version though - I wouldn't have a clue
where to even begin trying to build that myself.. :| The last time I
tried the 4.0.9a1 version I quickly ran into installer problems and
reverted - would that version perhaps include changes that would allow
the SSLv23 option to be used?
If not, are there any plans to make a rebuilt Windows download
available? Does anyone even have a functioning development environment
for Mulberry in Windows anymore? :}

Thanks again.

[1] <https://netfuture.ch/tools/tls-interposer/>

--On Saturday, 18 Oct 2014 22:08:37 -0400, Cyrus Daboo
Cyrus,

I just searched my local preferences file (Mulberry 4.0.8,
Windows XP) for "SSLv3Real" and found nothing like it. Several
instances of "SSLv3" but no "Real".

Suggestions, or is this the point at which the Windows version
has to be declared terminally ill?

best,
john