What to do about SSL strength

Thiago Macieira thiago at kde.org
Tue Mar 7 18:58:02 GMT 2006


George Staikos wrote:
>  I'm really frustrated.  All along, my goals with KSSL were to be
> secure, but most importantly compatible.  I finally broke down and
> threw away the "compatibility preferences" list in 3.5.x as we had too
> many users complaining that KSSL negotiated 'weak' ciphers.  This is where
> 'weak' == 128bit.  Well, now we're back to bug reports that KSSL can
> no longer talk to servers.  It's definitely about broken servers, but
> there is nothing we can do to have them fixed.  The result is that
> people can't log in to their bank or favorite store because they're told
> that Konqi doesn't support strong SSL. (Meanwhile, the cipher
> negotiated is 168bit or stronger.)  My personal view is that we go back
> to the preferences list and people can forget about unsupported modern
> SSL ciphers for now.  Any thoughts on this?

Let me understand this correctly:

- you made it so that we negotiate ciphers of 168 bits or stronger
- as a result, servers tell us we don't support strong encryption

Are those servers trying to use 128-bit as "strong"? Or is that just a 
negotiation problem?
-- 
  Thiago Macieira  -  thiago (AT) macieira.info - thiago (AT) kde.org
    PGP/GPG: 0x6EF45358; fingerprint:
    E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358

2. Tó cennan his weorc gearu, ymbe se circolwyrde, wearð se cægbord and se 
leohtspeccabord, and þa mýs cómon lator. On þone dæg, he hine reste.