I found out a little more about a problem that’s been really annoying me for ages: I can’t access my bank’s Internet banking using Konqueror. When I hit the button, Konqueror proclaims that it “Could not connect to host”, but if I right-click on the “Login” link and choose “Open with Firefox Web Browser…” it works fine.
I broke out Wireshark and did a capture. DNS request and response normal, TCP three-way handshake fine, SSL Client Hello… Hmm, TLS handshake failure. Strange. I traced a Firefox connection, and (obviously) after the SSL Client Hello there is a Server Hello in response, and the connection establishes okay.
What I found is that the cipher suites presented by Konqueror and Firefox differ: Firefox offers a couple that Konqueror doesn’t, and vice versa. More importantly, the one that is presented in the Server Hello on the Firefox connection is labelled by Wireshark as “Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)” and is one of the ones missing from Konqueror’s Client Hello.
So there are two issues here. Firstly, Konqueror is missing some TLS cipher suites (or at least Ubuntu’s build of Konqueror is). Secondly, Konqueror’s reporting of the problem is not helpful — stating it was a “security negotiation failure” would be a lot more helpful than just saying “could not connect”.
/me goes looking for KDE’s bug reporting system…