[Bug 70866] Disabling DES-CBC3-SHA makes access to some SSL secured websites fail.
Daniel Pittman
daniel at rimspace.net
Wed Nov 8 10:20:01 UTC 2006
Public bug reported:
G'day. This is a very painful bug, and I suspect one that will be quite
contentious.
After upgrading to Edgy access to the online banking service offered by
a local bank here in Australia is no longer possible.
This is caused, at heart, by this upstream bug:
http://bugs.kde.org/show_bug.cgi?id=135545
From the report at least one other site has the same problem, which is
that only the DES-CBC3-SHA cipher is acceptable on the server end.
Other web browsers such as Opera and Firefox on Linux and Windows, as
well as Internet Explorer on Windows, do support this cipher and do
work.
At the moment the work-around is to use an alternate web browser -- but
to a non-technical user (where I learned about this) the problem is both
incomprehensible and a significant regression from Dapper.
I will also be adding information to the upstream bug as soon as my new
account in their BTS comes through, but I believe it is appropriate to
ask the Ubuntu team to revert this change and restore compatible
behaviour.
I note that the upstream report lists "incompatibility with some sites"
as the root cause of the problem. A more correct fix is probably to
demote the cipher set down to the very end of the SSL/TLS list provided
to the server, ensuring that it is negotiated if and only if no other
cipher is acceptable to the server.
That should provide maximum bug-compatibility without compromising
usability.
Regards, Daniel.
** Affects: kdelibs (Ubuntu)
Importance: Undecided
Status: Unconfirmed
--
Disabling DES-CBC3-SHA makes access to some SSL secured websites fail.
https://launchpad.net/bugs/70866
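
Added example, not part of the original report and not kdelibs code: a small Python model of cipher-suite selection comparing "disabled" with the "demoted to the end of the list" approach proposed above. The cipher lists, server configurations and function names are constructed for illustration; it also covers a server that applies its own preference order, which can still select DES-CBC3-SHA even when the client lists it last.

```python
# Added illustration; cipher lists below are constructed, not taken from kdelibs.

def demote(prefs, weak):
    """Return prefs with every cipher in `weak` moved to the end, order otherwise kept."""
    strong = [c for c in prefs if c not in weak]
    tail = [c for c in prefs if c in weak]
    return strong + tail

def negotiate(client_prefs, server_prefs, server_order=False):
    """Pick the cipher for a handshake, or None if there is no overlap.

    server_order=False: the server takes the client's first acceptable cipher.
    server_order=True:  the server applies its own preference order instead.
    """
    if server_order:
        ranked, other = server_prefs, set(client_prefs)
    else:
        ranked, other = client_prefs, set(server_prefs)
    for cipher in ranked:
        if cipher in other:
            return cipher
    return None

WEAK = {"DES-CBC3-SHA"}
# Constructed client preference list with the contested cipher in the middle.
CLIENT_BEFORE = ["AES256-SHA", "DES-CBC3-SHA", "AES128-SHA"]
CLIENT_DISABLED = [c for c in CLIENT_BEFORE if c not in WEAK]
CLIENT_DEMOTED = demote(CLIENT_BEFORE, WEAK)

# Constructed server configurations.
LEGACY_ONLY = ["DES-CBC3-SHA"]          # accepts only this cipher, as in the report
MIXED = ["DES-CBC3-SHA", "AES128-SHA"]  # offers both, lists 3DES first

def outcomes(client):
    """Negotiation result for one client list against each constructed server."""
    return {
        "legacy_only": negotiate(client, LEGACY_ONLY),
        "mixed_client_order": negotiate(client, MIXED),
        "mixed_server_order": negotiate(client, MIXED, server_order=True),
    }

if __name__ == "__main__":
    for name, client in [("before", CLIENT_BEFORE),
                         ("disabled", CLIENT_DISABLED),
                         ("demoted", CLIENT_DEMOTED)]:
        print(name, outcomes(client))
```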