Version: (using KDE KDE 3.5.5) Installed from: Ubuntu Packages OS: Linux As a result of this report (http://bugs.kde.org/show_bug.cgi?id=54634), DES-CBC3-SHA was excluded from the list of available ciphers (kdelibs/kio/kssl/ksslsettings.cc). To the best of my knowledge, the ADH-DES-CBC3-SHA cipher is the one prone to a man-in-the-middle attack, *not* DES-CBC3-SHA. Googling for either DES-CBC3-SHA or SSL_RSA_WITH_3DES_EDE_CBC_SHA (as it is alternately known) revealed no security warnings.
r516952 | staikos | 2006-03-09 06:16:09 -0500 (Thu, 09 Mar 2006) | 4 lines explicitly remove NULL, FZA, and DES-CBC3-SHA ciphers. Those DES ciphers are problematic, unclear, and not worth the trouble. This actually somewhat solves our problems with respect to problems connecting to some sites.
Can you point me in the direction of something that says that the DES-CBC3-SHA should be avoided? I understand about the NULL, FZA, and ADH-* ciphers, but I can't find anything that says SSL_RSA_WITH_3DES_EDE_CBC_SHA / DES-CBC3-SHA is a problem. If there is a problem in using this cipher, I need to alert a couple people about its use. Thanks.
We had compatibility issues with some sites which, when seeing this cipher, decided that the browser couldn't handle "strong encryption".
Rather than completely removing it because of a couple of sites, why not leave it, but disabled by default? That way, rather than having to recompile all of kdelibs, all it takes is a click to a checkbox? It's not just web browsers that use SSL--in my particular case, I'm trying to connect to an email server that uses DES-CBC3-SHA, and if there's no security problem in using the cipher, then I don't see why it shouldn't at least be available. People who don't need it will likely never even touch the crypto settings, but people who do will have an easy way of re-enabling it. Thanks.
On Friday 13 October 2006 13:19, pc451@yahoo.com wrote: > Rather than completely removing it because of a couple of sites, why not > leave it, but disabled by default? That way, rather than having to > recompile all of kdelibs, all it takes is a click to a checkbox? It's not > just web browsers that use SSL--in my particular case, I'm trying to > connect to an email server that uses DES-CBC3-SHA, and if there's no > security problem in using the cipher, then I don't see why it shouldn't at > least be available. People who don't need it will likely never even touch > the crypto settings, but people who do will have an easy way of re-enabling > it. Thanks. Because I was tired of dealing with bug reports from people who enabled it.
Disabling DES-CBC3-SHA definitely breaks connection to the following site: https://www.eftpssouth.com as reported by BR# 138483. That reported is opened against kio_http, but the issue has to do with the selected cipher. Checking with openssl command line tool you get the following: # openssl s_client -connect www.eftps.com:443 CONNECTED(00000003) depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority verify error:num=19:self signed certificate in certificate chain verify return:0 --- Certificate chain 0 s:/C=US/ST=Colorado/L=Englewood/O=First Data Corporation/OU=First Data Corporation/CN=www.eftps.com i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority 1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority --- Server certificate -----BEGIN CERTIFICATE----- MIIDBDCCAm2gAwIBAgIDBndsMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0 aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDYxMTA4MTUxMzMwWhcNMDcxMTA5MTUxMzMw WjCBjjELMAkGA1UEBhMCVVMxETAPBgNVBAgTCENvbG9yYWRvMRIwEAYDVQQHEwlF bmdsZXdvb2QxHzAdBgNVBAoTFkZpcnN0IERhdGEgQ29ycG9yYXRpb24xHzAdBgNV BAsTFkZpcnN0IERhdGEgQ29ycG9yYXRpb24xFjAUBgNVBAMTDXd3dy5lZnRwcy5j b20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKpDRwnxO4bgNSI2wlHXMjKw qb0Q7hEDZ/oqKzAV98EiRIDq+JaWPtBaE3bch16UlCT+at1XzNXtodlZZueVb9fc yc5gtATypyPojb/LqMs2f1WPl4tUvbzhLjPXfwfNtKIbGpSYLi6ADIvRQysA88gT RFeUZB9+NrS58aVkzDDXAgMBAAGjga4wgaswDgYDVR0PAQH/BAQDAgTwMB0GA1Ud DgQWBBSQceodqnPASHNcv84yoG75vANZ3DA6BgNVHR8EMzAxMC+gLaArhilodHRw Oi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDAfBgNVHSMEGDAW gBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB BQUHAwIwDQYJKoZIhvcNAQEFBQADgYEAEPWEQ5Cc/ju3h+M+fDDaxcKTQQhBMnxX fmM2GTxrvYcaoYXmeRcJ6dWcR4j0GsltIqiqL6BkBEMq/uz5/gfO7/EQCKTlnWV6 Z481qWouS2UBrqU0/ywpgI/MNRs2frS6jYyodgv2UDXIeEuUre5BtrjYkHYL5h6X nVTrTz3TTEw= -----END CERTIFICATE----- subject=/C=US/ST=Colorado/L=Englewood/O=First Data Corporation/OU=First Data Corporation/CN=www.eftps.com issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority --- No client certificate CA names sent --- SSL handshake has read 1711 bytes and written 308 bytes --- New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA Server public key is 1024 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DES-CBC3-SHA Session-ID: 8DCB3B0DE8F760050000000000020162 Session-ID-ctx: Master-Key: 54E2CAA2EC004A09FC7025A2FF284DE863C1125E8411AE9FE341B09BFE5250FF63EC85274B83429A6574C41D29CFF97D Key-Arg : None Start Time: 1189362027 Timeout : 300 (sec) Verify return code: 19 (self signed certificate in certificate chain) ---
Additional site where this issues rears its head is reported in BR# 131940. I am going to mark BR# 138483 duplicate of this bug as the preceeding one has already been marked duplicate of it. openssl command output: $ openssl s_client -connect www.freecreditreport.com:443 CONNECTED(00000003) depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0 s:/C=US/ST=California/L=Irvine/O=Consumerinfo.com/OU=TECHNOLOGY OPERATIONS/OU=Terms of use at www.verisign.com/rpa (c)00/CN=www.freecreditreport.com i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority --- Server certificate -----BEGIN CERTIFICATE----- MIIEgjCCA+ugAwIBAgIQdKl+bm6LlYg7Ox6inMlzqjANBgkqhkiG9w0BAQUFADCB ujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVy aVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2Vy dmVyIENBIC0gQ2xhc3MgMzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMg SW5jb3JwLmJ5IFJlZi4gTElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjAeFw0w NjA5MTEwMDAwMDBaFw0wODA5MTAyMzU5NTlaMIHGMQswCQYDVQQGEwJVUzETMBEG A1UECBMKQ2FsaWZvcm5pYTEPMA0GA1UEBxQGSXJ2aW5lMRkwFwYDVQQKFBBDb25z dW1lcmluZm8uY29tMR4wHAYDVQQLFBVURUNITk9MT0dZIE9QRVJBVElPTlMxMzAx BgNVBAsUKlRlcm1zIG9mIHVzZSBhdCB3d3cudmVyaXNpZ24uY29tL3JwYSAoYykw MDEhMB8GA1UEAxQYd3d3LmZyZWVjcmVkaXRyZXBvcnQuY29tMIGfMA0GCSqGSIb3 DQEBAQUAA4GNADCBiQKBgQC6kL7aK0dgjzYXX+3ef3LHbcEU+HOmKx77gh/d6AIg ekjUKE8kPHmnujgwO+ZaJEtcT52ulq32rWcpJ2ICXjFKRw5ALM9jKyVlgiLRx8XT umGAxOXhUAOj99GkDIRmZtNawHW4GyAe0bwBdiciRk8nANfjDtEaqpQxnS1Soib6 PQIDAQABo4IBeTCCAXUwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwRgYDVR0fBD8w PTA7oDmgN4Y1aHR0cDovL2NybC52ZXJpc2lnbi5jb20vQ2xhc3MzSW50ZXJuYXRp b25hbFNlcnZlci5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXAzAqMCgGCCsG AQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMCgGA1UdJQQhMB8G CWCGSAGG+EIEAQYIKwYBBQUHAwEGCCsGAQUFBwMCMDQGCCsGAQUFBwEBBCgwJjAk BggrBgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMG0GCCsGAQUFBwEM BGEwX6FdoFswWTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2O a8PPgGrUSBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28u Z2lmMA0GCSqGSIb3DQEBBQUAA4GBAK87XZhAOfcZSi86rIj2aytOiy+554Ep0/o4 J28g5p9xoIqHoUgd+ewpQdZFRBGwpV+0WY/qrAVUqYFZTlh7zIAKtQVmphW87M2/ LZqsAUe74QCYokXjzJs72zjS7yBdSi9aZPYSNpgRlvSC233CxnKzKSq/h7+uxnWm Hw8Zxj/l -----END CERTIFICATE----- subject=/C=US/ST=California/L=Irvine/O=Consumerinfo.com/OU=TECHNOLOGY OPERATIONS/OU=Terms of use at www.verisign.com/rpa (c)00/CN=www.freecreditreport.com issuer=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign --- No client certificate CA names sent --- SSL handshake has read 2218 bytes and written 308 bytes --- New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA Server public key is 1024 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DES-CBC3-SHA Session-ID: 6E8701F3C961DD3AEE827FBD4804D1E59109FB992478FE9119D8D6AE688DD983 Session-ID-ctx: Master-Key: B977DE62B6A15204C5E368358C887A9E2479892083AB52ACF0E97D365C8834CF834BB1FFA721316495A2B3B0AF07D07F Key-Arg : None Start Time: 1191067843 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate)
*** Bug 138483 has been marked as a duplicate of this bug. ***
Is it possible to get some resolution on this bug? It's a year old and 3 KDE revisions later. I still cannot connect to https://www.eftpssouth.com because the ciper is not available. I'm forced to use Firefox every month to pay my taxes. What does Firefox do to handle the issue?
Created http://bugs.kde.org/show_bug.cgi?id=164295 to try to get this one back into the queue. Original assignee removed himself and I'm afraid this will get lost
*** Bug 164295 has been marked as a duplicate of this bug. ***
This bug has bitten me too. There is a website and email server on my employer's LAN which want to use DES-CBC3-SHA exclusively. Konqueror and Kmail can't connect to them due to the removal of DES-CBC3-SHA in KDE, although Firefox works fine. The only workaround I found was to go into the Crypto control panel and disable both SSLv2 and SSLv3 entirely. This produces a warning message from KDE, but tricks konquerer and kmail into using DES-CBC3-SHA as needed.
Great workaround, Frank! That did the trick. I am concerned about the ramifications, though. Is the connection still encrypted? What security problems does this open up? I might suggest you voting on this bug, otherwise it won't get fixed. My attempt to get this one back on the radar didn't work...
Hello! Sorry to be the bearer of bad news, but this project has been unmaintained for many years so I am closing this bug. Kcontrol has been replaced by System Settings in Plasma. Please give the latest version of that a try, and open a new bug in "systemsettings" if you continue to have an issue. Thank you!