Description of problem:
/etc/crypto-policies/back-ends/openssl.config contains !3DES, excluding 3des as a valid openssl cipher. This breaks firefox and sites only accepting 3des. There are quite a few of them out there. Maybe it's a bit too hard to drop 3des. Using s_client you can add the cipher again using -cipher 3des; firefox has no such option.

Version-Release number of selected component (if applicable):
Fedora 28 beta

How reproducible:
openssl s_client -connect www.sonnenertrag.eu:443 -debug
or use firefox to access the site. Firefox doesn't link dynamically against libssl, but it has the same problem. I assume libssl is linked statically.

Steps to Reproduce:
1. try openssl s_client
2. try firefox

Actual results:
firefox cannot access legacy web sites

Expected results:
firefox should be able to access legacy sites

Additional info:
chromium-browser doesn't have the problem. It uses gnutls.

The crypto-policies determine which ciphersuites are enabled nowadays. Not just for OpenSSL, but for NSS (which is what Firefox uses) and GnuTLS. Chromium does not use gnutls, it uses Google's own OpenSSL fork (BoringSSL), that's why it does not follow crypto-policies.

3DES is seriously weakened by the latest attacks, due to it being just a 64-bit block size cipher, if you transfer large amounts of data with the same key. As TLS does not provide automatic rekeying, it is susceptible to this weakness. That's the reason why we try to deprecate 3DES.

You can switch the crypto policy to LEGACY if you need to overcome this deprecation. Run as root:

update-crypto-policies --set LEGACY
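
A quick audit of the point made in this thread, as an added example that is not part of the bug report or of crypto-policies: a shell function that reports how an OpenSSL cipher string, such as the one in /etc/crypto-policies/back-ends/openssl.config, treats explicit 3DES tokens. The function names and the two sample strings are constructed for illustration, and tokens are compared case-insensitively as a choice of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): how does an OpenSSL cipher string
# treat the 3DES alias? Only explicit 3DES tokens are inspected.

# Prints one of:
#   excluded    - "!3DES" present: permanently deleted, later tokens cannot re-add it
#   removed     - the last explicit mention is "-3DES" (a later token could re-add it)
#   listed      - the last explicit mention is a plain "3DES"
#   unmentioned - no explicit 3DES token (aliases such as ALL are not expanded here)
triple_des_status() (
    set -f                      # no globbing while word-splitting the string
    status=unmentioned
    # Tokens are separated by colons, commas or spaces; compare in upper case.
    for tok in $(printf '%s' "$1" | tr ':,' '  ' | tr '[:lower:]' '[:upper:]'); do
        case "$tok" in
            '!3DES') echo excluded; return 0 ;;
            '-3DES') status=removed ;;
            '3DES')  status=listed ;;
        esac
    done
    echo "$status"
)

# Same check for a back-end file such as the one named in the report.
policy_file_3des_status() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    triple_des_status "$(cat "$1")"
}

# Constructed sample strings, not copied from any Fedora release.
SAMPLE_STRICT='@SECLEVEL=1:kEECDH:kRSA:!3DES:!RC4:!eNULL'
SAMPLE_LEGACY='@SECLEVEL=1:kEECDH:kRSA:3DES:!RC4:!eNULL'

echo "strict sample: $(triple_des_status "$SAMPLE_STRICT")"
echo "legacy sample: $(triple_des_status "$SAMPLE_LEGACY")"
echo "this host:     $(policy_file_3des_status /etc/crypto-policies/back-ends/openssl.config)"
```

Running it before and after a policy switch shows whether the OpenSSL back-end file changed; NSS and GnuTLS have their own back-end files, which this check does not read.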