Bug 124684 - Konqueror is unable to access URL, other browsers work fine
Status: CLOSED NOT A BUG
Alias: None
Product: kio
Classification: Frameworks and Libraries
Component: kssl
Version: unspecified
Platform: Gentoo Packages Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Unassigned bugs mailing-list
Duplicates: 125340 125556 126392
 
Reported: 2006-04-01 04:47 UTC by Raymond Lewis Rebbeck
Modified: 2007-12-18 11:55 UTC
CC List: 3 users


Attachments:
Patch to reenable the missing cipher in kdelibs (646 bytes, patch), 2006-04-05 17:06 UTC, Raymond Lewis Rebbeck

Description Raymond Lewis Rebbeck 2006-04-01 04:47:36 UTC
Version:            (using KDE KDE 3.5.2)
Installed from:    Gentoo Packages
OS:                Linux

The following URL does not work in Konqueror with kde 3.5.2 but works fine in lynx, firefox, msie, etc..

http://www.netbank.commbank.com.au/netbank/

The error reported is:

**
An error occurred while loading http://www.netbank.commbank.com.au/netbank/:
Could not connect to host www3.netbank.commbank.com.au.
**

At first I thought it was a network configuration problem, however I soon discovered that only Konqueror was unable to access this website.
Comment 1 Thiago Macieira 2006-04-04 02:36:04 UTC
It redirects to SSL and then gets this error:

kssl: Setting real hostname: www3.netbank.commbank.com.au
kssl: KSSL connect failed - rc = 0
kssl:                    ERROR = 1
2215:error:14094410:lib(20):func(148):reason(1040):s3_pkt.c:1057:SSL alert number 40
kio (KIOJob): error 23 www3.netbank.commbank.com.au

George, any idea?
Comment 2 George Staikos 2006-04-04 06:03:24 UTC
On Monday 03 April 2006 20:36, Thiago Macieira wrote:
> 2215:error:14094410:lib(20):func(148):reason(1040):s3_pkt.c:1057:SSL alert
> number 40 kio (KIOJob): error 23 www3.netbank.commbank.com.au
>
> George, any idea?


That is:
SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE

Try playing with the SSL settings?
Comment 3 Thiago Macieira 2006-04-04 08:59:21 UTC
Nothing I tried helped. I tried setting to Most Compatible, turning SSLv2 on and off, turned off all ciphers of < 128 bits, etc.
Comment 4 Raymond Lewis Rebbeck 2006-04-04 10:52:15 UTC
I have also been unable to get this page to display by playing with SSL settings.

The site only stopped working upon upgrading to kde 3.5.2 All previous versions have had no trouble with the site.
Comment 5 George Staikos 2006-04-04 18:44:45 UTC
> ------- Additional Comments From thiago kde org  2006-04-04 08:59 -------
> Nothing I tried helped. I tried setting to Most Compatible, turning SSLv2
> on and off, turned off all ciphers of < 128 bits, etc.


  How about turning off all ciphers except RC4-MD5?  Maybe the site doesn't 
like newer ciphers.
Comment 6 Thiago Macieira 2006-04-04 19:09:20 UTC
Still doesn't load.
Comment 7 George Staikos 2006-04-04 21:55:51 UTC
Quite certain that this is related to the fact that I removed 3DES-EDE-CBC 
(168).  This is the exact inverse of Lars' problem, and he wins. :-)  
Actually that cipher is misleading in general since it's weaker than it 
looks.  IMHO: WONTFIX
Comment 8 George Staikos 2006-04-04 22:07:12 UTC
Site is stupid.  Requires 3DES-EDE-CBC.  We deprecated and removed it.  (Note: it actually breaks other sites when we do have it)  Ask them to fix their servers.
Comment 9 Raymond Lewis Rebbeck 2006-04-05 10:51:14 UTC
So Konqueror will be the only browser to not work with the netbanking website of one of Australia's most popular banks?

Why have no other browsers deprecated 3DES-EDE-CBC (or are they planning to)? What other sites are broken by the inclusion of this cipher and are they broken in other browsers?

I believe it would be almost impossible to convince a large financial institution to change ciphers merely because of a small amount of people using some obscure browser that the average person has never heard of.

I feel that this is a very major regression. If Konqueror devs won't fix this issue, could somebody at least point me to an svn commit or a patch somewhere that I can reverse to bring back the needed functionality?
Comment 10 Thiago Macieira 2006-04-05 11:36:16 UTC
Don't reopen WONTFIX bugs.
Comment 11 George Staikos 2006-04-05 15:11:51 UTC
On Wednesday 05 April 2006 04:51, Raymond Lewis Rebbeck wrote:
> ------- So Konqueror will be the only browser to not work with the
> netbanking website of one of Australia's most popular banks?


  For now.

> Why have no other browsers deprecated 3DES-EDE-CBC (or are they planning
> to)? What other sites are broken by the inclusion of this cipher and are
> they broken in other browsers?


  Other browsers are also considering doing so.  The bank is misguided.

> I believe it would be almost impossible to convince a large financial
> institution to change ciphers merely because of a small amount of people
> using some obscure browser that the average person has never heard of.


  Tell them that they misunderstand the strength of 3DES-EDE-CBC.

> I feel that this is a very major regression. If konqueror devs won't fix
> this issue could somebody at least point me to an svn commit or a patch
> somewhere that I can reverse to bring back the needed functionality?


  kdelibs/kio/kssl/ksslsettings.cc would be a good start.  If you re-enable 
this, you will just break other sites though.
Comment 12 Raymond Lewis Rebbeck 2006-04-05 16:06:00 UTC
> Other browsers are also considering doing so.  The bank is misguided.

Do you know where I can find some information regarding this? I wasn't able to find anything about deprecating this cipher with Google and asking around on IRC regarding other browsers.

> Tell them that they misunderstand the strength of 3DES-EDE-CBC.

I have sent them a message through their online technical query page, although I doubt I'll receive more than an automated response. I will attempt to contact someone through alternate means if I don't hear anything back from them.

>kdelibs/kio/kssl/ksslsettings.cc would be a good start.  If you re-enable this, you will just break other sites though.

I've never had any problems with encrypted sites with any earlier versions of KDE. I would just like to temporarily resolve the issue on my end until the bank changes cipher.

Also did you have examples of sites that break with the inclusion of 3DES-EDE-CBC and are these sites still broken in other browsers?
Comment 13 George Staikos 2006-04-05 16:17:47 UTC
On Wednesday 05 April 2006 10:06, Raymond Lewis Rebbeck wrote:

> > Other browsers are also considering doing so.  The bank is misguided.
>
> Do you know where I can find some information regarding this? I wasn't able
> to find anything about deprecating this cipher with google and asking
> around on irc regarding other browsers.


   I know this through personal communications (face-to-face meetings, etc) 
with some of them.  Opera, for instance, already pushes 3DES down the cipher 
list.  Konqueror on the other hand now supports AES and new strong ciphers 
that even IE doesn't support yet.  The decision was made to go forward today.  
The broken sites just have to be fixed.  A site that doesn't support 128-bit 
RC4-SHA but does support 168-bit 3DES-EDE-CBC is broken from my point of 
view.

> I have sent them a message through their online technical query page.
> Although I doubt i'll receive more than an automated response. I will
> attempt to contact someone through alternate means if I don't hear anything
> back from them.


   Yes, it's very hard to get a response.

> I've never had any problems with encrypted sites with any earlier versions
> of kde. I would just like to temporarily resolve the issue on my end until
> the bank changes cipher.


   Right.  You also browse a very small portion of the web.  I get to deal 
with thousands of people who browse very different small portions of the web, 
so I get a bigger picture of what's happening.

> Also did you have examples of sites that break with the inclusion of
> 3DES-EDE-CBC and are these sites still broken in other browsers?


   http://app.nordea.no/web/login.nsf/login?ReadForm

   It may not be broken in other browsers, but other browsers don't use 
OpenSSL too.
Comment 14 Raymond Lewis Rebbeck 2006-04-05 17:06:33 UTC
Created attachment 15478 [details]
Patch to reenable the missing cipher in kdelibs
Comment 15 Raymond Lewis Rebbeck 2006-04-05 17:08:18 UTC
Thanks for putting up with me George.

I have attached a patch to reenable the missing cipher in kdelibs 3.5.2 for those who need to use it for stupid websites.
Comment 16 Tommi Tervo 2006-04-11 11:02:18 UTC
*** Bug 125340 has been marked as a duplicate of this bug. ***
Comment 17 Thiago Macieira 2006-04-16 13:17:20 UTC
*** Bug 125556 has been marked as a duplicate of this bug. ***
Comment 18 Brendon Higgins 2006-04-17 04:53:30 UTC
Any chance of some guidance/links to more technical information? Some stuff about the problem, the issue with the strength of 3DES-EDE-CBC, why enabling it fixes some but breaks other sites, and why exactly "a site that doesn't support 128-bit RC4-SHA but does support 168-bit 3DES-EDE-CBC is broken"? I'd like to be well armed before I go petitioning CommBank to change.

Which gives me an idea... anyone for an actual petition? How many Konqueror/CommBank users are there? :)
Comment 19 Dean M 2006-04-17 05:24:35 UTC
1. A petition to CBA will do us no good. I have a colleague that worked for NAB and he told me that a project like this would take the bank a minimum of 6 months to complete. Their change processes are regulated by law and require an enormous amount of documentation to be done before the actual work. The price of this change could easily be in millions of dollars. So unless Konqueror users represent a significant percentage of their customers, the bank will not make a change. Unless I am mistaken, Linux has less than 3% of the desktop market and Konqueror probably has less than half of that, since most people on Linux use Firefox (and Firefox doesn't have the same problem).

2. From the comments trail in this issue my understanding is that the problem isn't that CBA doesn't support 128-bit RC4-SHA, it's that KDE removed the support for 168-bit 3DES-EDE-CBC. It's nice to see that KDE supports AES, but why shoot yourself in the foot by removing support for other cipher algorithms? Removal of this kind of "legacy" code should be handled through configuration, not by removing code and leaving users no way of fixing the problem other than recompiling.
Comment 20 George Staikos 2006-04-17 06:01:13 UTC
Yes the bank site is broken, yes it will take a long time to fix.  Sorry.  Case closed.  For more info, do some web searches.
Comment 21 Brendon Higgins 2006-04-17 07:50:26 UTC
I understand that, and I'm not trying to change your mind. I'm trying to understand what your reasoning for removing it completely is, and web searches aren't helping me much....

In any case, konqueror could surely display an error message more specific than the one it does. "Could not connect" is awfully generic.
Comment 22 George Staikos 2006-04-17 07:54:28 UTC
On Monday 17 April 2006 01:50, Brendon Higgins wrote:
> ------- I understand that, and I'm not trying to change your mind. I'm
> trying to understand what your reasoning for removing it completely is, and
> web searches aren't helping me much....


  It was discussed at length on kde-core-devel and with other web browser 
developers.  The cipher is weaker than it looks, and it breaks some sites 
entirely.

> In any case, konqueror could surely display an error message more specific
> than the one it does. "Could not connect" is awfully generic.


  We don't have much info on this one.  We rely on OpenSSL when we do have 
info.
Comment 23 Brendon Higgins 2006-04-17 08:35:12 UTC
Thanks, George! I finally found the thread I think you're referring to, after having the inspiration to search for 'SSL' rather than '3DES'. Interesting reading...
Comment 24 Dean M 2006-04-18 13:38:03 UTC
George, I urge you to reconsider the implementation of the fix for the issue that required the 168-bit 3DES-EDE-CBC cipher to be removed. I understand that its strength is misleading and that some sites may be broken because they don't support it correctly. The problem is that removing it completely breaks other sites. Why couldn't this cipher stay in the list but be pushed below the 128-bit ciphers? Or if that is too hard to implement, then disable it by default but leave us the option to use it if we want or have to. It seems this is how some of the 40 and 56 bit ciphers are configured.
KDE has always been my favorite environment because of its flexibility and quick response to user issues. Please don't make me use Firefox more than absolutely necessary!
Comment 25 Thiago Macieira 2006-04-18 19:00:56 UTC
Because re-enabling it breaks other sites.

So far, the only website to require the misguided cipher is commbank.com.au.
Comment 26 Raymond Lewis Rebbeck 2006-04-18 19:05:48 UTC
http://www.centrelink.gov.au/internet/internet.nsf/online_services/index.htm (click the logon button on the right) is also broken by the removal of this cipher.

Odd that two Australian sites are using this cipher; I wonder how many other Australian government/financial sites are broken by its removal.
Comment 27 Dean M 2006-04-19 00:25:46 UTC
Thiago, I acknowledge that the cipher strength is misleading in that it is really only 112 bits instead of the reported 168 bits, but that doesn't mean that it needs to be removed from KDE, especially now when you know that there are people out there who do need it. You haven't removed any other low strength 40 and 56 bit ciphers, you have disabled them by default. If there are websites that are somehow broken because they don't implement this one cipher correctly, then maybe those sites should be fixed? Or at least the user can disable the said cipher from the Crypto SSL3 configuration. You can't possibly claim that disabling a cipher is harder for a user to do than recompiling the KDE libs to re-enable it....every time there is a new KDE release! If disabling the cipher doesn't work for the web site in question, then maybe there is another issue in KDE that needs to be fixed.
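As an added illustration (not code from KDE or from anyone in this report), the Python below decodes the OpenSSL error line quoted in comment 1 and models the cipher-suite negotiation that comments 8, 11 and 27 argue about: a client list with and without 3DES against a server that only enables 3DES. The cipher lists and server profiles are constructed for illustration, not recorded from the real servers.

```python
"""Decode the kssl/OpenSSL error from comment 1 and model the cipher-suite
mismatch behind it. Added example, not KDE code; lists are constructed."""
from typing import Optional

# OpenSSL packs an error code as (lib << 24) | (func << 12) | reason, and maps
# a received TLS alert N to reason 1000 + N (SSL_AD_REASON_OFFSET).
AD_REASON_OFFSET = 1000
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate",
               48: "unknown_ca", 70: "protocol_version"}


def decode_openssl_error(code_hex: str) -> dict:
    """Unpack a hex error code such as 14094410 into lib/func/reason/alert."""
    code = int(code_hex, 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = reason - AD_REASON_OFFSET if reason >= AD_REASON_OFFSET else None
    return {"lib": lib, "func": func, "reason": reason,
            "alert": alert, "alert_name": ALERT_NAMES.get(alert)}


def parse_openssl_error_line(line: str) -> dict:
    """Parse 'pid:error:CODE:lib(..):func(..):reason(..):file:line:text' and
    cross-check the decoded reason against the 'SSL alert number N' text."""
    parts = line.split(":")
    info = decode_openssl_error(parts[2])
    info["file"], info["line"], text = parts[6], int(parts[7]), parts[8]
    if text.startswith("SSL alert number"):
        info["consistent"] = int(text.rsplit(" ", 1)[1]) == info["alert"]
    return info


def negotiate(client_prefs: list, server_supported: set) -> Optional[str]:
    """SSL/TLS selects the first suite in the client's ordered list that the
    server also enables; an empty intersection is what produces alert 40."""
    for suite in client_prefs:
        if suite in server_supported:
            return suite
    return None


# Constructed cipher lists (OpenSSL names): 3.5.1 still offered 3DES
# (DES-CBC3-SHA, 168 nominal / 112 effective bits); 3.5.2 dropped it.
KDE_351 = ["AES256-SHA", "AES128-SHA", "RC4-SHA", "RC4-MD5", "DES-CBC3-SHA"]
KDE_352 = [s for s in KDE_351 if s != "DES-CBC3-SHA"]
BANK_3DES_ONLY = {"DES-CBC3-SHA"}              # constructed server profile
BANK_ALSO_RC4 = {"DES-CBC3-SHA", "RC4-SHA"}    # what a fixed server would offer

if __name__ == "__main__":
    log = ("2215:error:14094410:lib(20):func(148):reason(1040):"
           "s3_pkt.c:1057:SSL alert number 40")
    print(parse_openssl_error_line(log))
    for name, prefs in (("KDE 3.5.1", KDE_351), ("KDE 3.5.2", KDE_352)):
        print(name, "->", negotiate(prefs, BANK_3DES_ONLY))
```

Run stand-alone it prints the decoded fields (lib 20, func 148, reason 1040, alert 40 handshake_failure) and shows 3.5.1 negotiating DES-CBC3-SHA while 3.5.2 gets no common suite.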
Comment 28 Thiago Macieira 2006-04-19 09:29:23 UTC
The decision has been made. I'm sorry.

The bank should REALLY start doing something, because other browsers will soon do the same (comment #13).
Comment 29 George Staikos 2006-04-21 01:02:17 UTC
  I consider this closed.  If you want to make a patch, feel free to.  If it 
doesn't interfere with any other site and doesn't introduce new bugs or 
regressions, I will consider applying it, but I won't be doing any work here.
Comment 30 Tommi Tervo 2006-04-28 09:41:34 UTC
*** Bug 126392 has been marked as a duplicate of this bug. ***
Comment 31 Rick Harris 2006-04-28 11:15:17 UTC
Thanks George for the explanation.
Thanks Raymond for the patch, re-enabling 3DES-EDE-CBC now.

I'm also wholly confused at the reasoning behind such a bad decision.
Fixing the breakage of some sites by breaking even more would seem IMHO to be bad judgement.
This one commit has totally alienated all users in Australia who use Konqueror for banking or governmental transactions.

Considering that each cipher may already be enabled/disabled separately via its own checkbox in Konqueror's configuration settings makes its removal even more wondrous.

In Konqueror-3.5.1, does disabling the 3DES-EDE-CBC cipher checkbox in Konqueror's configuration settings still break the reported 'other sites'?
If it does, then this is bad coding at Konqueror's end.

The 'stupid' sites created by the Australian government and some financial institutions may or may not change in the future (good luck with the petition Brendon), but all we can do as users now, is keep maintaining the patch for future kdelibs releases and urge all distribution package maintainers to do the same.
Comment 32 Brendon Higgins 2006-04-29 05:31:41 UTC
> (good luck with the petition Brendon)

Ha! I was only half serious. I've got plenty of things to do other than chase up this crap.

I don't quite understand why it's been removed entirely, and not just disabled by default, myself. And I would use the patch, but that'd mean I'd have to download kdebase source over dialup. >:P Bugger that.

> In Konqueror-3.5.1, does disabling the 3DES-EDE-CBC cipher checkbox in Konqueror's configuration settings still break the reported 'other sites'?

I just tried it, but my results are inconclusive. I think the only example site given is down, or having technical issues, or something. I can't exactly tell because I don't speak its language. All I know is that turning the relevant ciphers on/off makes no difference, newer KDE makes no difference, Firefox makes no difference.

In any case, you can stop netbank working by disabling CBC3 ciphers. I'm not sure which one/s, so I just disabled all CBC3 ones and then the page wouldn't load again. Whether this corresponds to fixing the breakage of other sites, I don't know.
Comment 33 Joseph Garvin 2006-05-03 16:09:47 UTC
Apparently the Ubuntu devs think the patch is worth it; it just went into their official packages for dapper.
Comment 34 Thiago Macieira 2006-05-07 20:20:05 UTC
Ubuntu devs should be aware that reenabling this cipher may break other sites. They should verify all websites in this bug report and related/duplicates.
Comment 35 Rick Harris 2006-05-08 00:06:42 UTC
Gentoo users wishing to have the option of enabling the patch should turn on the '+legacyssl' USE flag for kde-base/kdelibs as of version 3.5.2-r4.

The Norwegian site cited by George as not working with the cipher enabled, works fine here.
Thiago, could you please provide a more comprehensive sample list of websites that break when the cipher is enabled? Thanks.
Comment 36 George Staikos 2006-05-08 08:23:56 UTC
This is getting old
Comment 37 George Staikos 2006-05-08 08:24:45 UTC
reclosing
Comment 38 steve H. 2007-06-04 09:43:41 UTC
Just wanted to add 2 more major Belgian (European) financial institutions to the list:

http://www.kbc.be
http://www.dexia.be

Both use 3DES-EDE-CBC for their online banking and are inaccessible with Konqueror.

Thanks to Rick Harris for the '+legacyssl' USE flag tip!