[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-bugs-dist
Subject: [Bug 86332] Support for newer ciphers in OpenSSL
From: George Staikos <staikos () kde ! org>
Date: 2004-08-06 16:07:45
Message-ID: 20040806160745.5679.qmail () ktown ! kde ! org
[Download RAW message or body]
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
http://bugs.kde.org/show_bug.cgi?id=86332
------- Additional Comments From staikos kde org 2004-08-06 18:07 -------
On Friday 06 August 2004 07:58, Fridtjof Busse wrote:
> ------- Additional Comments From kde fbunet de 2004-08-06 13:58 -------
> That's exactly my request and the reason I did this bugreport. But George
> disagrees, see #2 and #17 (and most of the other comments). I'd like to see
> openssl do the handshake. Currently, there's no way to get konqueror use
> AES or anything better than RC4-MD5 (without switching it off and breaking
> compatibility). I've never experienced problems with openssl-handshake, it
> always choose the strongest cipher available.
How many times do I have to repeat? We had many bugs reported, and I
discovered many other sites on my own, where Konqueror was not compatible
with the server. This is not theoretical, this is real-world stuff. In many
cases it was due to crappy server software, but that's irrelevant from my
perspective. If it works with IE, it has to work with Konqueror. We also
had to deal with crypto export rules (thereby disabling ciphers in Konqueror
even if they're available in OpenSSL - yes this is a "real world situation"),
we had to remove ADH ciphers (as-per RFC2246) since OpenSSL doesn't remove
them by default, we had to push some ciphers down in priority and others up
in priority to make certain servers talk to us, we had requests to make the
list configurable for those who don't trust ciphers X or Y, and we had cases
where OpenSSL by default was negotiating, as people claimed, "weaker ciphers"
than necessary with the server. If OpenSSL has a way to compare cipher
strength (whatever that means), then we'll support it. Otherwise, wait for
the next KDE release and if I get time, I'll add the new ciphers into
Konqueror's "acceptable" list assuming they pass at least some of my
testcases.
Finally, why is RC4-MD5 the top cipher on the list? Because there were
(real) sites out there that just wouldn't talk to us otherwise and I hadn't
found any other cipher that works.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic