Description of problem:
contains !3DES excluding 3des as a valid openssl cipher. This breaks
firefox on sites only accepting 3des. There are quite a few of them;
maybe it's a bit too hard to drop 3des.
using s_client you can add the cipher again using -cipher 3des
firefox has no such option.
Version-Release number of selected component (if applicable):
Fedora 28 beta
openssl s_client -connect www.sonnenertrag.eu:443 -debug
or use firefox to access the site. firefox doesn't link
dynamically against libssl, but it has the same problem.
I assume libssl is linked statically
Steps to Reproduce:
1. try openssl s_client
2. try firefox
firefox cannot access legacy web sites
firefox should be able to access legacy sites
chromium-browser doesn't have the problem. it uses gnutls
The crypto-policies determine which ciphersuites are enabled nowadays. Not just for OpenSSL, but for NSS (which is what Firefox uses) and GnuTLS. Chromium does not use gnutls, it uses Google's own OpenSSL fork (BoringSSL), that's why it does not follow crypto-policies.
3DES is seriously weakened by the latest attacks, due to it being just a 64-bit block size cipher, if you transfer large amounts of data with the same key. As TLS does not provide automatic rekeying, it is susceptible to this weakness. That's the reason why we try to deprecate 3DES.
You can switch the crypto policy to LEGACY if you need to overcome this deprecation.
Run as root:
update-crypto-policies --set LEGACY
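
The block-size argument in the reply above can be put in numbers. This is an added example, not part of the original bug report or of crypto-policies: it uses the standard birthday approximation for uniformly random ciphertext blocks under one key, and the function names are hypothetical.

```python
import math

GIB = 2**30

def collision_probability(block_bits: int, data_bytes: float) -> float:
    """Birthday-bound chance that two ciphertext blocks collide under one key.

    Assumption: blocks behave as uniformly random block_bits-bit values.
    """
    n = data_bytes / (block_bits // 8)            # number of blocks encrypted
    exponent = -n * (n - 1) / 2.0 / 2.0**block_bits
    # -expm1(x) == 1 - e^x, and stays accurate when x is tiny (128-bit case),
    # where a plain 1 - math.exp(x) would round to 0.0.
    return -math.expm1(exponent)

def max_bytes_for(block_bits: int, p: float) -> float:
    """Data volume per key that keeps the collision probability at about p.

    Inverts p = 1 - exp(-n^2 / 2^(block_bits + 1)), treating n - 1 as n.
    """
    n = math.sqrt(-math.log1p(-p) * 2.0**(block_bits + 1))
    return n * (block_bits // 8)

if __name__ == "__main__":
    # Constructed sample volumes for one long-lived TLS connection.
    for gib in (1, 8, 32, 128):
        p64 = collision_probability(64, gib * GIB)     # 3DES: 64-bit blocks
        p128 = collision_probability(128, gib * GIB)   # AES: 128-bit blocks
        print(f"{gib:4d} GiB  64-bit: {p64:.4f}   128-bit: {p128:.3e}")
    # Volume after which a 64-bit cipher would need a fresh key to stay
    # under a 1% collision chance; TLS has no automatic rekeying to do this.
    print(f"1% budget, 64-bit: {max_bytes_for(64, 0.01) / GIB:.2f} GiB")
```

With 64-bit blocks, 32 GiB under one key already gives roughly a 39% chance of a block collision, while the same volume with 128-bit blocks stays around 1e-20.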