AquaMail Forum

English - Android => Bug reports => Topic started by: ItsNannerpuss on June 09, 2014, 10:01:41 am

Title: Insecure cipher selection with AquaMail
Post by: ItsNannerpuss on June 09, 2014, 10:01:41 am
I use AquaMail on an Android 4.4.2 device to connect to a private Postfix server via SSL. While reviewing my server's logs I noticed that connections originating from AquaMail are using TLSv1 with cipher RC4-MD5. RC4 and MD5 are considered quite weak ciphers these days, and I was surprised to see them in use. This is not a limitation of my server, as I can see traffic coming from other third-party servers as well as my other clients using much stronger encryption (DHE-RSA-AES256-SHA, ECDHE-RSA-AES256-SHA, ECDHE-RSA-RC4-SHA, ECDHE-RSA-AES256-GCM-SHA384...).

I haven't found anywhere in AquaMail where these encryption parameters are configurable. Is it a known limitation that AquaMail doesn't support stronger encryption, or is the app failing to negotiate the ideal ciphers for some reason?

Title: Re: Insecure cipher selection with AquaMail
Post by: Kostya Vasilyev on June 09, 2014, 03:20:27 pm
Development builds (get them on this forum) have a setting for "SSL hardening", in app settings -> networking.
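
The log review described in the opening post can be automated. The script below is an added example, not part of the thread and not AquaMail or Postfix code: it reports which clients negotiated a weak cipher, assuming the usual Postfix smtpd "TLS connection established" log line. The log lines, addresses and the `WEAK_TOKENS` policy are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed Postfix smtpd log line format (TLS logging enabled on the server).
TLS_LINE = re.compile(
    r"TLS connection established from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)

# Hypothetical local policy: components of an OpenSSL cipher name treated as weak.
# RC4 and MD5 are the two named in the post; the rest are an assumption.
WEAK_TOKENS = {"RC4", "MD5", "DES", "NULL", "EXP"}

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Jun  9 09:58:02 mail postfix/smtpd[2211]: Anonymous TLS connection established from unknown[192.0.2.10]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jun  9 09:59:40 mail postfix/smtpd[2214]: Anonymous TLS connection established from mx.example.net[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun  9 10:00:13 mail postfix/smtpd[2211]: Anonymous TLS connection established from unknown[192.0.2.10]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jun  9 10:00:55 mail postfix/smtpd[2219]: Anonymous TLS connection established from laptop.example.org[203.0.113.5]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jun  9 10:01:02 mail postfix/smtpd[2219]: connect from unknown[192.0.2.10]
"""

def weak_tokens(cipher):
    """Return the sorted weak components found in a cipher name such as RC4-MD5."""
    return sorted(set(cipher.split("-")) & WEAK_TOKENS)

def audit(lines):
    """Return {client_ip: {(protocol, cipher): count}} for weak sessions only."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = TLS_LINE.search(line)
        if m and weak_tokens(m["cipher"]):
            findings[m["ip"]][(m["proto"], m["cipher"])] += 1
    return {ip: dict(counts) for ip, counts in findings.items()}

if __name__ == "__main__":
    for ip, sessions in audit(SAMPLE_LOG.splitlines()).items():
        for (proto, cipher), count in sessions.items():
            why = ", ".join(weak_tokens(cipher))
            print(f"{ip}: {count} session(s) with {proto} / {cipher} (weak: {why})")
```

Running it again after changing a client's settings shows whether that client still appears in the report.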