Bug 386108 - DHE crypto not working with Konqueror 17.04.1 / QtWebEngine
Status: RESOLVED WORKSFORME
Alias: None
Product: konqueror
Classification: Applications
Component: webenginepart
Version: unspecified
Platform: Fedora RPMs Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Konqueror Developers
 
Reported: 2017-10-23 13:14 UTC by Philipp
Modified: 2022-12-10 05:15 UTC


Attachments
patch for FC26 qt5-qwebengine RPM (1.25 KB, patch)
2017-10-24 07:48 UTC, Philipp

Description Philipp 2017-10-23 13:14:40 UTC
Sites using perfectly safe crypto like https://dh2048.badssl.com/
can no longer be opened in Konqueror 17.04.1. The linked version
of OpenSSL has no problem dealing with DHE crypto (1.1.0f).

This breaks numerous sites which don’t enable ECDHE crypto. Also,
other browsers like elinks, Firefox or even Konqueror/KHTML don’t
have any trouble connecting to the same host.

Observed on FC26; system facts:

    $ uname -a
    Linux drift.m.i2n 4.13.5-200.fc26.x86_64 #1 SMP Thu Oct 5 16:53:13 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

    $ rpm -qi konqueror
    Name        : konqueror
    Version     : 17.04.1
    Release     : 1.fc26
    Architecture: x86_64
    Install Date: Sat 21 Oct 2017 08:42:08 PM CEST
    Group       : Unspecified
    Size        : 20779960
    License     : GPLv2+ and LGPLv2+ and GFDL
    Signature   : RSA/SHA256, Mon 22 May 2017 04:05:12 PM CEST, Key ID 812a6b4b64dab85d
    Source RPM  : konqueror-17.04.1-1.fc26.src.rpm
    Build Date  : Mon 15 May 2017 04:30:36 PM CEST
    Build Host  : buildhw-07.phx2.fedoraproject.org
    Relocations : (not relocatable)
    Packager    : Fedora Project
    Vendor      : Fedora Project
    URL         : https://konqueror.org/
    Summary     : KDE File Manager and Browser
    Description :
    Konqueror allows you to manage your files and browse the web in a
    unified interface.

    $ rpm -qi openssl
    Name        : openssl
    Epoch       : 1
    Version     : 1.1.0f
    Release     : 7.fc26
    Architecture: x86_64
    Install Date: Sat 21 Oct 2017 08:31:28 PM CEST
    Group       : System Environment/Libraries
    Size        : 879141
    License     : OpenSSL
    Signature   : RSA/SHA256, Mon 17 Jul 2017 06:43:43 PM CEST, Key ID 812a6b4b64dab85d
    Source RPM  : openssl-1.1.0f-7.fc26.src.rpm
    Build Date  : Mon 17 Jul 2017 03:33:59 PM CEST
    Build Host  : buildhw-08.phx2.fedoraproject.org
    Relocations : (not relocatable)
    Packager    : Fedora Project
    Vendor      : Fedora Project
    URL         : http://www.openssl.org/
    Summary     : Utilities from the general purpose cryptography library with TLS implementation
    Description :
    The OpenSSL toolkit provides support for secure communications between
    machines. OpenSSL includes a certificate management tool and shared
    libraries which provide various cryptographic algorithms and
    protocols.
Comment 1 Philipp 2017-10-23 13:38:55 UTC
The user visible “error” message is very misleading as well
since none of the ciphers or protocols used for the connection
is in any way to be considered “obsolete”:

This site can’t provide a secure connection

dh2048.badssl.com uses an unsupported protocol.
ERR_SSL_OBSOLETE_CIPHER

Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.
Comment 2 Allan Sandfeld 2017-10-23 17:30:47 UTC
Webengine and therefore webenginepart doesn't use system openssl, it uses system libnss for certificate checks and Chromium's openssl-fork boringssl for encryption.
Comment 3 Philipp 2017-10-24 07:48:33 UTC
Created attachment 108533
patch for FC26 qt5-qwebengine RPM

This patch skips the “ERR_SSL_OBSOLETE_CIPHER” error for
EDH ciphers. It applies against the bundled chromium which
differs in version from the system wide chromium package.

System: Fedora 26, Qtwebengine version 5.9.1.
Comment 4 Justin Zobel 2022-11-10 08:51:55 UTC
Thank you for reporting this issue in KDE software. As it has been a while since this issue was reported, can we please ask you to see if you can reproduce the issue with a recent software version?

If you can reproduce the issue, please change the status to "REPORTED" when replying. Thank you!
Comment 5 Bug Janitor Service 2022-11-25 05:18:59 UTC
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least
15 days. Please provide the requested information as soon as
possible and set the bug status as REPORTED. Due to regular bug
tracker maintenance, if the bug is still in NEEDSINFO status with
no change in 30 days the bug will be closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please
mark the bug as REPORTED so that the KDE team knows that the bug is
ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!
Comment 6 Bug Janitor Service 2022-12-10 05:15:54 UTC
This bug has been in NEEDSINFO status with no change for at least
30 days. The bug is now closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

Thank you for helping us make KDE software even better for everyone!