Bug 225083

Summary:	kde-base/konqueror-3.5.10 can not connect to a SSL website
Product:	Gentoo Linux	Reporter:	Anton Bolshakov <anton.bugs>
Component:	Current packages	Assignee:	Gentoo KDE team <kde>
Status:	RESOLVED DUPLICATE
Severity:	normal
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	konqueror messages in a console .xsession-error file

Description Anton Bolshakov 2008-06-06 05:22:24 UTC

The web site is https://internet-banking.dbs.com.sg/

The error message:
An error occurred while loading https://internet-banking.dbs.com.sg/:
Could not connect to host internet-banking.dbs.com.sg.

I checked with guys on #gentoo and some have the same problem.
Then, I checked with guys on #kde and they don't. So I file this bug on gentoo's bugzilla first.


emerge  --info
Portage 2.1.4.4 (default-linux/x86/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-tuxonice-r4 i686)
=================================================================
System uname: 2.6.24-tuxonice-r4 i686 Intel(R) Pentium(R) M processor 1.60GHz
Timestamp of tree: Tue, 03 Jun 2008 21:01:01 +0000
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.4.4-r13
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 2.0.0
sys-apps/openrc:     0.2.5
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4m -pipe -msse2 -mfpmath=sse"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=pentium4m -pipe -msse2 -mfpmath=sse"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer parallel-fetch sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp.jaist.ac.jp/pub/Linux/Gentoo/"
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
LINGUAS="en ru"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/data/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/sectools /usr/portage/local/layman/desktop-effects /usr/local/portage"
SYNC="rsync://gentoo.o0o.nu/gentoo-portage"
USE="X a52 aac acl acpi alsa bash-completion berkdb bzip2 cairo cdr cli cracklib crypt dbus dri dvd dvdr dvdread eds emboss encode evo fam ffmpeg firefox flac fortran gdbm gif gpm hal iconv ipv6 isdnlog jpeg kde kerberos ldap logitech-mouse mad midi mikmod mmx mng mp3 mpeg mudflap ncurses nls nptl nptlonly nsplugin ogg opengl openmp pam pcmcia pcre pdf perl png pppd python qt3 qt3support qt4 quicktime readline reflection samba sdl session speex spell spl sse sse2 ssl svg tcpd theora threads tiff truetype unicode vorbis wifi win32codecs x86 xcomposite xine xml xorg xv zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en ru" LIRC_DEVICES="sir" USERLAND="GNU" VIDEO_CARDS="i810 i915 vesa radeon"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS


/etc/portage/packages.use:
kde-base/kdelibs debug
kde-base/kwin debug
kde-base/systemsettings debug
kde-base/kdialog debug
kde-base/kcontrol debug
kde-base/krunner debug
kde-base/plasma debug
kde-base/libplasma debug
kde-base/libkworkspace debug
kde-base/kscreensaver debug
kde-base/kinfocenter debug

Comment 1 Anton Bolshakov 2008-06-06 05:23:45 UTC

Created attachment 155673 [details]
konqueror messages in a console

Comment 2 Anton Bolshakov 2008-06-06 05:25:12 UTC

Created attachment 155675 [details]
.xsession-error file

So, the actual error is:

kssl: Setting real hostname: internet-banking.dbs.com.sg
kssl: KSSL connect failed - rc = 0
kssl:                    ERROR = 5

Comment 3 Anton Bolshakov 2008-06-06 06:44:52 UTC

ok, the problem is that I don't have DES-CBC3-SHA(168) under sslv3 (KDE control center -> crypto) tab. I have DES-CBC-SHA (56bit) only.
It works fine if I enable sslv2 tab with this cipher.

Looks like this is a problem of KDE and they have to review some ciphers in there.
Please correct me if I'm wrong.

Comment 4 Carsten Lohrke (RETIRED) gentoo-dev

2008-06-06 11:54:56 UTC

> It works fine if I enable sslv2 tab with this cipher.

SSLv2 means using md5 not sha1. Am I right to assume that this is the cipher you have enabled? SSLv2 is considered unsafe nowadays and all browser providers are on the verge disabling it or already have done so.


I can confirm, that Konqueror doesn't list the triple DES 168 bit SHA1 cipher, even though `openssl ciphers -v  SSLv3` does.

Comment 5 Carsten Lohrke (RETIRED) gentoo-dev

2008-06-06 11:55:25 UTC

uh, assign...

Comment 6 Anton Bolshakov 2008-06-11 03:47:23 UTC

>Am I right to assume that this is the cipher
you have enabled?
Yes, sorry for the confusion.

Just for the record, I can't connect using openssl sslv2:
openssl s_client -ssl2 -no_ssl3 -no_tls1 -showcerts -connect internet-banking.dbs.com.sg:443

I also can't connect using weak ciphers:
openssl s_client -showcerts -cipher NULL,EXPORT,LOW -connect internet-banking.dbs.com.sg:443
output: SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

I'm wondering how sslv2 in konqueror's crypt tab helps in that case?..

Comment 7 Frank Hess 2008-06-26 15:12:31 UTC

(In reply to comment #4)
> SSLv2 means using md5 not sha1. Am I right to assume that this is the cipher
> you have enabled? SSLv2 is considered unsafe nowadays and all browser providers
> are on the verge disabling it or already have done so.
> 
> 
> I can confirm, that Konqueror doesn't list the triple DES 168 bit SHA1 cipher,
> even though `openssl ciphers -v  SSLv3` does.
> 

I've had a similar problem (konqueror 3.5.5 on debian) trying to access a https site (on our LAN) which really wants to use DES-CBC3-SHA cipher.  DES-CBC3-SHA doesn't show up on konq's crypto tab.  Only by disabling both sslv2 and sslv3 in konquerer's crypto tab does it start working (for some reason this lets konquerer use DES-CBC3-SHA).

Comment 8 Rick Harris 2009-05-30 10:49:13 UTC

Can you try rebuilding kde-base/kdelibs with the 'legacyssl' USE flag enabled.

You will probably also need to rebuild KDE against the newly rebuilt kdelibs.

The 'legacyssl' USE flag re-instates the missing DES-CBC3-SHA cipher which was removed by upstream around 3.5.4 (?).

Comment 9 Anton Bolshakov 2009-06-02 16:22:26 UTC

(In reply to comment #8)
Thanks for the tip Rick.
I rebuilt it as suggested but still can't find DES-CBC3-SHA under SSLv3 list
although тhe patch looks all right:
-                       if (j->name.contains("ADH-") || j->name.contains("NULL-") || j->name.
contains("DES-CBC3-SHA") || j->name.contains("FZA")) {
+                 if (j->name.contains("ADH-")) {


Anyway, the problem is clear now. Looks like this is a dup of bug #128922 ...


*** This bug has been marked as a duplicate of bug 128922 ***