What to do about SSL strength

George Staikos staikos at kde.org
Tue Mar 7 21:14:09 GMT 2006


On Tuesday 07 March 2006 13:58, Thiago Macieira wrote:
> George Staikos wrote:
> >  I'm really frustrated.  All along, my goals with KSSL were to be
> > secure, but most importantly compatible.  I finally broke down and
> > threw away the "compatibility preferences" list in 3.5.x as we had too
> > many users complaining that KSSL negotiated 'weak' ciphers.  This where
> > 'weak' == 128bit.  Well, now we're back to bug reports that KSSL can
> > no-longer talk to servers.  It's definitely about broken servers, but
> > there is nothing we can do to have them fixed.  The result is that
> > people can't login to their bank or favorite store because they're told
> > that Konqi doesn't support strong SSL. (Meanwhile, the cipher
> > negotiated is 168bit or stronger.)  My personal view is that we go back
> > to the preferences list and people can forget about unsupported modern
> > SSL ciphers for now.  Any thoughts on this?
>
> Let me understand this correctly:
>
> - you made it so that we negotiate ciphers of 168 bits or stronger
> - as a result, servers tell us we don't support strong encryption

  Yes.

> Are those servers trying to use 128-bit as "strong"?

   Basically they have "if (bits(cipher) != 128) { error('weak crypto unsupported'); }"

> Or is that just a negotiation problem?

  No, we negotiate just fine in this case.  There are cases where negotiation 
on the server fails though, because they see unsupported ciphers.

  Right now we just look broken.  Maybe we won't look as broken after Vista is 
released...

-- 
George Staikos
KDE Developer				http://www.kde.org/
Staikos Computing Services Inc.		http://www.staikos.net/
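The two server behaviours described in the message above, modelled as an added example (this is not KSSL code and not from the kde-core-devel thread). The cipher names and bit counts are a constructed table loosely following OpenSSL suite names, with 3DES counted as 168 bits as in the mail; the `Server` class and its `require_exactly_128` and `choke_on_unknown` flags are hypothetical stand-ins for the two server bugs George describes. The model assumes the server honours the client's cipher order, which is why a client-side "compatibility preferences" list changes the outcome.

```python
"""Model of the SSL cipher-negotiation compatibility failure.

Added example, not code from KSSL or the mailing-list post.  The cipher
table is constructed; the two server bugs are written as hypothetical
policy flags so both failure modes can be reproduced offline.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed table: suite name -> symmetric key length the server reports.
# A TLS 1.2 suite (AES256-SHA256) is deliberately left out so that it is
# "unknown" to every modelled server.
CIPHER_BITS = {
    "AES256-SHA": 256,
    "DES-CBC3-SHA": 168,   # 3DES, counted as 168-bit as in the mail
    "AES128-SHA": 128,
    "RC4-SHA": 128,
    "RC4-MD5": 128,
    "EXP-RC4-MD5": 40,
}


@dataclass
class Server:
    supported: List[str]                 # suites the server implements
    require_exactly_128: bool = False    # bug 1: bits(cipher) != 128 -> 'weak crypto'
    choke_on_unknown: bool = False       # bug 2: abort on any suite it does not know
    server_preference: bool = False      # False = honour client order (assumed default)

    def negotiate(self, client_offer: List[str]) -> Tuple[Optional[str], Optional[str]]:
        """Return (chosen_suite, None) on success or (None, reason) on failure."""
        if self.choke_on_unknown:
            unknown = [c for c in client_offer if c not in CIPHER_BITS]
            if unknown:
                # An intolerant server fails the handshake instead of skipping it.
                return None, f"handshake failure: unknown cipher suite {unknown[0]}"

        first, second = (self.supported, client_offer) if self.server_preference \
            else (client_offer, self.supported)
        common = [c for c in first if c in second]
        if not common:
            return None, "handshake failure: no shared cipher"
        chosen = common[0]

        if self.require_exactly_128 and CIPHER_BITS[chosen] != 128:
            # The misguided "strength" check: rejects 168- and 256-bit suites
            # just as it would reject 40-bit export ciphers.
            return None, f"weak crypto unsupported (negotiated {CIPHER_BITS[chosen]}-bit {chosen})"
        return chosen, None


# What a 2006-era server implements, in its own preference order (constructed).
LEGACY_SUPPORTED = ["RC4-SHA", "AES128-SHA", "DES-CBC3-SHA", "AES256-SHA"]

# Client offer after dropping the preferences list: strongest first, plus a
# newer suite the legacy servers have never seen.
STRONG_FIRST = ["AES256-SHA256", "AES256-SHA", "DES-CBC3-SHA", "AES128-SHA", "RC4-SHA"]

# The old "compatibility preferences" list: widely deployed 128-bit suites
# first, no modern suites at all.
COMPAT_LIST = ["RC4-SHA", "AES128-SHA", "DES-CBC3-SHA", "AES256-SHA"]


def run_scenarios() -> dict:
    """Negotiate both client offers against three servers; return the outcomes."""
    bank = Server(LEGACY_SUPPORTED, require_exactly_128=True)
    store = Server(LEGACY_SUPPORTED, choke_on_unknown=True)
    sane = Server(LEGACY_SUPPORTED)
    return {
        "bank/strong": bank.negotiate(STRONG_FIRST),
        "bank/compat": bank.negotiate(COMPAT_LIST),
        "store/strong": store.negotiate(STRONG_FIRST),
        "store/compat": store.negotiate(COMPAT_LIST),
        "sane/strong": sane.negotiate(STRONG_FIRST),
    }


if __name__ == "__main__":
    for name, (cipher, err) in run_scenarios().items():
        print(f"{name:13s} -> {cipher or 'FAIL: ' + err}")
```

Against the "bank" server the strong-first offer negotiates AES256-SHA and is then refused for not being 128-bit, which is exactly the symptom in the mail: the connection is stronger than the server's idea of strong, and the user is told the browser is weak. Against the "store" server the same offer dies earlier, because the server chokes on the one suite it does not recognise. The compatibility list succeeds on both only by offering nothing newer than what such servers already know, which is the trade-off the message is weighing.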