[Bug 44311] KSSL problems

leonbottou leon at bottou.org
Fri May 12 02:18:27 UTC 2006


Public bug reported:


I noticed some SSL strangeness on Dapper Flight 7.

The first example arises with the Fidelity web site
because they check that the encryption level
is sufficient, probably using a slightly flawed 
algorithm.

1)  Go to kcontrol/crypto, enable everything.
     Go to https://www.fidelity.com.
     Using the security icon in the konqueror status
     bar, you can check that it uses AES256-SHA.
 
2)  Click the login button.
     Chances are that you go to a page explaining 
     that you do not have 128 bit
     encryption.  Note that this is working
     on breezy/kubuntu-3.5.2.

3)  Return to the crypto configuration and
     select the 'most compatible' ciphers.
     This disables AES256-SHA in principle.
     Click apply.  Reload the Fidelity home page. 
     Check the encryption with the lock icon. 
     Still AES256-SHA despite being disabled!!!!

4)  Disable SSLv3 in the crypto dialog.
     This time Fidelity loads in SSLv2 128 bits.
     Login still does not work.

The second problem was reported in bug #32846 
in kdepim. I am not sure they are related.
I had similar problems a few years ago.
They were caused by running kssl with
an openssl version different from that
used for compiling kssl.

I check 'security issue' because ssl is a key
security component. Malfunction is dangerous.

- L. B.

** Affects: kdelibs (Ubuntu)
       Severity: Normal
       Priority: (none set)
         Status: Unconfirmed

-- 
KSSL problems
https://launchpad.net/bugs/44311
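
Added example (not part of the original report, and not KDE or Ubuntu code): a Python check for the symptom in step 3, comparing a cipher policy with what the local OpenSSL actually enables and with the cipher a session reported. The cipher string `HIGH:!AES256-SHA` and the function names `enabled_ciphers` and `audit` are assumptions made for illustration.

```python
import ssl


def enabled_ciphers(cipher_string):
    """Cipher names the local OpenSSL will really offer for this cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def audit(cipher_string, must_be_off, negotiated):
    """Compare a policy, the library's effective state and a session's cipher.

    still_enabled: ciphers from must_be_off that the library would still offer
    ungoverned:    TLS 1.3 suites, which set_ciphers() cannot switch off
    honoured:      False when the session used a cipher that this
                   configuration does not offer at all, i.e. the setting
                   never reached the TLS stack that made the connection
    """
    names = enabled_ciphers(cipher_string)
    return {
        "still_enabled": sorted(set(names) & set(must_be_off)),
        "ungoverned": sorted(n for n in names if n.startswith("TLS_")),
        "honoured": negotiated in names,
    }


if __name__ == "__main__":
    # Constructed policy standing in for a profile that switches AES256-SHA
    # off; the negotiated value is the one the report saw in the status bar.
    report = audit("HIGH:!AES256-SHA", {"AES256-SHA"}, negotiated="AES256-SHA")
    for key, value in report.items():
        print(f"{key}: {value}")
    # The report suspects a compile-time/run-time OpenSSL mismatch, so record
    # which library version is loaded at run time next to the result.
    print("OpenSSL loaded at run time:", ssl.OPENSSL_VERSION)
```

An empty `still_enabled` together with `honoured: False` matches what the report describes: the library configuration excludes the cipher, yet the session used it.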



