oss-sec mailing list archives

CVE Request?: konqueror - https uses all ciphers, even weak ones

From: Marcus Meissner <meissner () suse de>
Date: Thu, 27 Feb 2014 18:30:54 +0100

Hi,

I am wondering a bit ...

We received this bugreport for the KDE default webbrowser Konqueror:
https://bugzilla.novell.com/show_bug.cgi?id=865241

Basically https://www.howsmyssl.com reports that even the weak
EXPORT ciphera are in use by konqueror.

And yes, it is right...
DES40, RC2, DES_CBC  (single DES) ... should definitely not be used these days anymore.


Do you think use of export ciphers should get CVEs these days?

It does not seem intentional, konqueror just uses everything openssl has without
explicit filtering by default.

I also failed to find a module to configure the ciphers in the KDE configuration
module jungle.

Ciao, Marcus

Current thread:

CVE Request?: konqueror - https uses all ciphers, even weak ones Marcus Meissner (Feb 27)
- Re: CVE Request?: konqueror - https uses all ciphers, even weak ones Tim Brown (Mar 03)
  - Re: CVE Request?: konqueror - https uses all ciphers, even weak ones Kurt Seifried (Mar 03)
    - Re: CVE Request?: konqueror - https uses all ciphers, even weak ones cve-assign (Mar 03)
    - Re: Re: CVE Request?: konqueror - https uses all ciphers, even weak ones Daniel Kahn Gillmor (Mar 04)
    - Re: CVE Request?: konqueror - https uses all ciphers, even weak ones John Haxby (Mar 04)
    - Re: CVE Request?: konqueror - https uses all ciphers, even weak ones Daniel Kahn Gillmor (Mar 04)
    - Re: CVE Request?: konqueror - https uses all ciphers, even weak ones Daniel Kahn Gillmor (Mar 04)
    - Re: CVE Request?: konqueror - https uses all ciphers, even weak ones John Haxby (Mar 04)
    - Re: CVE Request?: konqueror - https uses all ciphers, even weak ones Daniel Kahn Gillmor (Mar 04)
    - Re: CVE Request?: konqueror - https uses all ciphers, even weak ones Jann Horn (Mar 04)

(Thread continues...)