Sites using perfectly safe crypto like https://dh2048.badssl.com/ can no longer be opened in Konqueror 17.04.1. The linked version of OpenSSL has no problem dealing with DHE crypto (1.1.0f). This breaks numerous sites which don’t enable ECDHE crypto. Also, other browsers like elinks, Firefox or even Konqueror/KHTML don’t have any trouble connecting to the same host. Observed on FC26; system facts: $ uname -a Linux drift.m.i2n 4.13.5-200.fc26.x86_64 #1 SMP Thu Oct 5 16:53:13 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux $ rpm -qi konqueror Name : konqueror Version : 17.04.1 Release : 1.fc26 Architecture: x86_64 Install Date: Sat 21 Oct 2017 08:42:08 PM CEST Group : Unspecified Size : 20779960 License : GPLv2+ and LGPLv2+ and GFDL Signature : RSA/SHA256, Mon 22 May 2017 04:05:12 PM CEST, Key ID 812a6b4b64dab85d Source RPM : konqueror-17.04.1-1.fc26.src.rpm Build Date : Mon 15 May 2017 04:30:36 PM CEST Build Host : buildhw-07.phx2.fedoraproject.org Relocations : (not relocatable) Packager : Fedora Project Vendor : Fedora Project URL : https://konqueror.org/ Summary : KDE File Manager and Browser Description : Konqueror allows you to manage your files and browse the web in a unified interface. $ rpm -qi openssl Name : openssl Epoch : 1 Version : 1.1.0f Release : 7.fc26 Architecture: x86_64 Install Date: Sat 21 Oct 2017 08:31:28 PM CEST Group : System Environment/Libraries Size : 879141 License : OpenSSL Signature : RSA/SHA256, Mon 17 Jul 2017 06:43:43 PM CEST, Key ID 812a6b4b64dab85d Source RPM : openssl-1.1.0f-7.fc26.src.rpm Build Date : Mon 17 Jul 2017 03:33:59 PM CEST Build Host : buildhw-08.phx2.fedoraproject.org Relocations : (not relocatable) Packager : Fedora Project Vendor : Fedora Project URL : http://www.openssl.org/ Summary : Utilities from the general purpose cryptography library with TLS implementation Description : The OpenSSL toolkit provides support for secure communications between machines. OpenSSL includes a certificate management tool and shared libraries which provide various cryptographic algorithms and protocols.
The user visible “error” message is very misleading as well since none of the ciphers or protocols used for the connection is in any way to considered “obsolete”: This site can’t provide a secure connection dh2048.badssl.com uses an unsupported protocol. ERR_SSL_OBSOLETE_CIPHER Unsupported protocol The client and server don't support a common SSL protocol version or cipher suite.
Webengine and therefore webenginepart doesnt use system openssl, it uses system libnss for certificate checks and Chromiums openssl-fork boringssl for encryption.
Created attachment 108533 [details] patch for FC26 qt5-qwebengine RPM This patch skips the “ERR_SSL_OBSOLETE_CIPHER” error for EDH ciphers. It applies against the bundled chromium which differs in version from the system wide chromium package. System: Fedora 26, Qtwebenengine version 5.9.1.
Thank you for reporting this issue in KDE software. As it has been a while since this issue was reported, can we please ask you to see if you can reproduce the issue with a recent software version? If you can reproduce the issue, please change the status to "REPORTED" when replying. Thank you!
Dear Bug Submitter, This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information as soon as possible and set the bug status as REPORTED. Due to regular bug tracker maintenance, if the bug is still in NEEDSINFO status with no change in 30 days the bug will be closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging If you have already provided the requested information, please mark the bug as REPORTED so that the KDE team knows that the bug is ready to be confirmed. Thank you for helping us make KDE software even better for everyone!
This bug has been in NEEDSINFO status with no change for at least 30 days. The bug is now closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging Thank you for helping us make KDE software even better for everyone!