Bug 135545 - konqueror does not support DES-CBC3-SHA cypher
Status: RESOLVED INTENTIONAL
Alias: None
Product: konqueror
Classification: Applications
Component: general
Version: unspecified
Platform: Debian testing Linux
: NOR normal
Target Milestone: ---
Assignee: Konqueror Developers
Reported: 2006-10-12 23:35 UTC by Pawel Orzechowski
Modified: 2007-10-06 14:28 UTC
Description Pawel Orzechowski 2006-10-12 23:35:27 UTC
Version:            (using KDE KDE 3.5.5)
Installed from:    Debian testing/unstable Packages
OS:                Linux

When I try to connect to https://www.millenet.pl/osobiste/Default.aspx, I get the following error (with Firefox the site opens correctly):
"No Shared Cipher

Your browser is unable to negotiate a security level which satisfies the requirements of this site. For security reasons, this Web site may require strong encryption. To gain access to this site, you may try any or all of the following:
1) Change your browser's security settings to support the appropriate level of encryption (the cipher suites supported by this site are listed above). 
2) Update your browser to a version that supports the appropriate level of encryption.
3) Apply the "strong-encryption" option pack to your operating system.
4) If in the United States, verify that you are using a recent domestic version of your browser.
5) Contact this site's administrator for assistance.
Security Details:
 
Browser ciphers:
 RC4-SHA
 RC4-MD5
 EDH-RSA-DES-CBC-SHA
 EDH-DSS-DES-CBC-SHA
 DES-CBC-SHA
 

Secure Site ciphers:
 DES-CBC3-SHA"
Comment 1 George Staikos 2006-10-13 00:04:14 UTC
This cipher was problematic on other sites.  I already answered this to someone today.  A site that forces only this cipher is broken.
Comment 2 Daniel Pittman 2006-11-09 03:16:57 UTC
G'day.  I can see that this bug is marked as WONTFIX, but my hope is to convince you to change your mind.

This particular limitation on Konqueror causes non-trivial problems here in Australia as several of our banks only offer the DES-CBC3-SHA cipher.  With the recent release of KDE with this change they are no longer accessible.

I don't dispute that the cipher in question has caused problems with other sites, but I would like to suggest a different resolution.

The other web browsers I tested (Opera and Firefox, Linux and Windows, and IE6) all offer the cipher in their selection but, as far as I can see, a ways down the priority list.

That means, by convention, that the remote server will prefer other ciphers to DES-CBC3-SHA where possible, but can still use that if they require it.

That should, hopefully, address the compatibility problems with other sites without compromising the usability of Konqueror on the web.  

Finally, while I agree that sites forcing that one specific cipher is odd it isn't technically broken, as the SSL standards do permit that use -- even if it isn't necessarily a very clever choice on their part.

Regards,
       Daniel
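
The ordering argument in Comment 2, as an added example (not part of the bug report and not Konqueror's code): a simplified model of how a server picks one cipher from the client's offered list. The cipher names come from the error page quoted in the description; the function names and the second server list are assumptions made for illustration.

```python
# Added illustration: simplified model of SSL/TLS cipher selection.
# Cipher names are from the error page quoted in the report; the helper
# names and MIXED_SERVER are constructed for this example.

KONQUEROR_OFFER = [
    "RC4-SHA", "RC4-MD5", "EDH-RSA-DES-CBC-SHA",
    "EDH-DSS-DES-CBC-SHA", "DES-CBC-SHA",
]
BANK_SERVER = ["DES-CBC3-SHA"]              # the site in the report
MIXED_SERVER = ["DES-CBC3-SHA", "RC4-SHA"]  # hypothetical second site


def negotiate(client_offer, server_ciphers, server_preference=False):
    """Return the cipher the server selects, or None if nothing is shared.

    The server always makes the choice. With server_preference=False it
    walks the client's list in order (the convention Comment 2 relies on);
    with server_preference=True it walks its own list instead.
    """
    if server_preference:
        ordered, allowed = server_ciphers, set(client_offer)
    else:
        ordered, allowed = client_offer, set(server_ciphers)
    for cipher in ordered:
        if cipher in allowed:
            return cipher
    return None  # corresponds to the "No Shared Cipher" error


def offer_with_fallback(client_offer, fallback="DES-CBC3-SHA"):
    """Append the fallback at lowest priority, as Comment 2 proposes."""
    if fallback in client_offer:
        return list(client_offer)
    return list(client_offer) + [fallback]


if __name__ == "__main__":
    patched = offer_with_fallback(KONQUEROR_OFFER)
    print("reported case:      ", negotiate(KONQUEROR_OFFER, BANK_SERVER))
    print("fallback, bank:     ", negotiate(patched, BANK_SERVER))
    print("fallback, mixed:    ", negotiate(patched, MIXED_SERVER))
    # Caveat: a server that enforces its own order ignores client priority.
    print("fallback, srv order:", negotiate(patched, MIXED_SERVER, True))
```

The last case shows the limit of the proposal: listing the cipher last only keeps it out of use when the server honours the client's ordering.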
Comment 3 karaluh 2007-10-06 14:28:01 UTC
I agree with the above. As there is no chance that the banks would change ciphers, konqueror should somehow deal with it, as Firefox does.