
List:       kde-bugs-dist
Subject:    [Bug 86332] Support for newer ciphers in OpenSSL
From:       George Staikos <staikos () kde ! org>
Date:       2004-08-06 16:07:45
Message-ID: 20040806160745.5679.qmail () ktown ! kde ! org

http://bugs.kde.org/show_bug.cgi?id=86332      




------- Additional Comments From staikos kde org  2004-08-06 18:07 -------
On Friday 06 August 2004 07:58, Fridtjof Busse wrote:
> ------- Additional Comments From kde fbunet de  2004-08-06 13:58 -------
> That's exactly my request and the reason I did this bug report. But George
> disagrees, see #2 and #17 (and most of the other comments). I'd like to see
> openssl do the handshake. Currently, there's no way to get konqueror to use
> AES or anything better than RC4-MD5 (without switching it off and breaking
> compatibility). I've never experienced problems with openssl-handshake, it
> always chose the strongest cipher available.

   How many times do I have to repeat?  We had many bugs reported, and I 
discovered many other sites on my own, where Konqueror was not compatible 
with the server.  This is not theoretical, this is real-world stuff.  In many 
cases it was due to crappy server software, but that's irrelevant from my 
perspective.  If it works with IE, it has to work with Konqueror.  We also 
had to deal with crypto export rules (thereby disabling ciphers in Konqueror 
even if they're available in OpenSSL - yes this is a "real world situation"), 
we had to remove ADH ciphers (as per RFC2246) since OpenSSL doesn't remove 
them by default, we had to push some ciphers down in priority and others up 
in priority to make certain servers talk to us, we had requests to make the 
list configurable for those who don't trust ciphers X or Y, and we had cases 
where OpenSSL by default was negotiating, as people claimed, "weaker ciphers" 
than necessary with the server.  If OpenSSL has a way to compare cipher 
strength (whatever that means), then we'll support it.  Otherwise, wait for 
the next KDE release and if I get time, I'll add the new ciphers into 
Konqueror's "acceptable" list assuming they pass at least some of my 
testcases.

  Finally, why is RC4-MD5 the top cipher on the list?  Because there were 
(real) sites out there that just wouldn't talk to us otherwise and I hadn't 
found any other cipher that works.
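
The two kinds of cipher-list control discussed in this message, a policy that drops anonymous suites and orders by key length, and an explicit application-owned order that puts one suite first for compatibility, shown as an added example that is not part of the original message or of Konqueror's code. It uses Python's `ssl` module over the local OpenSSL build; the helper names are hypothetical, and the suite promoted in the override is chosen from whatever the local build offers.

```python
import ssl

# OpenSSL cipher-list syntax: everything the local build offers, minus
# anonymous (ADH/AECDH) and NULL-encryption suites, then sorted by key
# length with @STRENGTH.
BASE_POLICY = "ALL:!aNULL:!eNULL:@STRENGTH"


def offered(policy):
    """TLS 1.2-and-earlier suites a client context offers, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(policy)  # raises ssl.SSLError if no suite matches
    # OpenSSL configures TLS 1.3 suites separately; this string does not touch them.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def has_anonymous(suites):
    """True if any suite performs no server authentication."""
    return any(c.get("auth") == "auth-null" for c in suites)


def is_strength_sorted(suites):
    """True if key lengths never increase down the list."""
    bits = [c["strength_bits"] for c in suites]
    return all(a >= b for a, b in zip(bits, bits[1:]))


def with_override(suites, first_name):
    """Explicit, application-owned order: one named suite ahead of the rest."""
    rest = [c["name"] for c in suites if c["name"] != first_name]
    return ":".join([first_name] + rest)


if __name__ == "__main__":
    base = offered(BASE_POLICY)
    for c in base:
        print(f'{c["strength_bits"]:>4}  {c["name"]}')
    # Compatibility override: promote the last (weakest) suite to first place.
    pinned = offered(with_override(base, base[-1]["name"]))
    print("offered first after override:", pinned[0]["name"])
```

An explicit name list keeps exactly the order given, so a compatibility override of this kind also overrides the strength ordering and has to be reviewed whenever the underlying library adds or retires suites.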