[Bug 70866] Disabling DES-CBC3-SHA makes access to some SSL secured websites fail.

Daniel Pittman daniel at rimspace.net
Wed Nov 8 10:20:01 UTC 2006

Public bug reported:

G'day.  This is a very painful bug, and I suspect one that will be quite

After upgrading to Edgy access to the online banking service offered by
a local bank here in Australia is no longer possible.

This is caused, at heart, by this upstream bug:

From the report at least one other site has the same problem, which is
that only the DES-CBC3-SHA cipher is acceptable on the server end.

Other web browsers such as Opera and Firefox on Linux and Windows, as
well as Internet Explorer on Windows, do support this cipher and do

At the moment the work-around is to use an alternate web browser -- but
to a non-technical user (where I learned about this) the problem is both
incomprehensible and a significant regression from Dapper.

I will also be adding information to the upstream bug as soon as my new
account in their BTS comes through, but I believe it is appropriate to
ask the Ubuntu team to revert this change and restore compatible

I note that the upstream report lists "incompatibility with some sites"
as the root cause of the problem.  A more correct fix is probably to
demote the cipher set down to the very end of the SSL/TLS list provided
to the server, ensuring that it is negotiated if and only if no other
cipher is acceptable to the server.

That should provide maximum bug-compatibility without compromising

Regards, Daniel.

** Affects: kdelibs (Ubuntu)
     Importance: Undecided
         Status: Unconfirmed
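
The trade-off between disabling the cipher and demoting it, as discussed in the report above, can be modelled in a few lines. This is an added example, not part of the original report and not kdelibs code; the client and server suite lists are constructed, and the function names are hypothetical.

```python
# Added example: a model of cipher-suite selection, not kdelibs/KSSL code.
# The suite names are real OpenSSL names; both lists below are constructed.
LEGACY = frozenset({"DES-CBC3-SHA"})

# Constructed client preference list, most preferred first.
CLIENT_PREFS = ["AES256-SHA", "DES-CBC3-SHA", "AES128-SHA"]


def disable(prefs, legacy=LEGACY):
    """The change that caused the regression: drop the legacy suites entirely."""
    return [s for s in prefs if s not in legacy]


def demote(prefs, legacy=LEGACY):
    """The change proposed in the report: keep the legacy suites, offered last.

    Stable partition, so the relative order of all other suites is unchanged.
    """
    return [s for s in prefs if s not in legacy] + [s for s in prefs if s in legacy]


def negotiate(client_offer, server_suites, server_order=False):
    """Return the suite chosen for the session, or None if the handshake fails.

    server_suites is the server's own list, most preferred first.
    server_order=False: the server takes the client's first acceptable suite.
    server_order=True:  the server enforces its own preference order.
    """
    if server_order:
        return next((s for s in server_suites if s in client_offer), None)
    return next((s for s in client_offer if s in server_suites), None)


def report():
    bank = ["DES-CBC3-SHA"]                    # server described in the report
    mixed = ["DES-CBC3-SHA", "AES128-SHA"]     # constructed: lists 3DES first
    return {
        "disabled, 3DES-only server": negotiate(disable(CLIENT_PREFS), bank),
        "demoted, 3DES-only server": negotiate(demote(CLIENT_PREFS), bank),
        "demoted, mixed server": negotiate(demote(CLIENT_PREFS), mixed),
        "demoted, mixed server, server order": negotiate(demote(CLIENT_PREFS), mixed, True),
    }


if __name__ == "__main__":
    for case, suite in report().items():
        print(f"{case}: {suite or 'handshake failure'}")
```

The last case shows the limit of demotion: it makes the cipher a last resort only when the server honours the client's order, since a server that enforces its own order can still select it.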
