SSL OP SAFARI ECDHE ECDSA BUG

From OpenSSLWiki
Jump to navigationJump to search

SSL_OP_SAFARI_ECDHE_ECDSA_BUG is an Apple bug where Safari fails to negotiate ECDHE-ECDSA ciphers as advertised. The bug is present in OS X 10.8 through 10.8.3, and was allegedly fixed in OS X 10.8.4. Apple did not provide a hotfix or apply the fix to the affected versions of its SecureTransport, so 10.8 through 10.8.3 will remain broken.

SSL_OP_SAFARI_ECDHE_ECDSA_BUG is a context option for OpenSSL greater than 1.0.1e, greater than 0.9.8y, 1.0.2, and 1.1.0. For updated versions of OpenSSL, the option is included in SSL_OP_ALL. Existing application compiled using the previous value of SSL_OP_ALL will need to be recompiled.

The patch was discussed at Apple are, apparently, dicks..., and provided by Adam Langley and Rob Stradling.

OpenSSL Patch[edit]

The Apple bug patch is available at [openssl.org #3068] [PATCH] Safari broken ECDHE-ECDSA workaround. The patch attempts to fingerprint Apple Safari clients based on elliptic_curves, ec_point_formats and signature_algorithms. If a match is made, then is_probably_safari is set in the SSL* context. The server will later disable ECDHE-ECDSA ciphers on the context (algorithm types SSL_kEECDH and SSL_aECDSA).

Its not possible to differentiate between broken and non-broken implementations, so the fix is applied to all Apple Safari clients. It will also apply to non-Apple clients *if* they use the same extension blocks as Apple clients.

Manual Workaround (OpenSSL)[edit]

According to Rob Stradling at Questions on SSL_OP_SAFARI_ECDHE_ECDSA_BUG, the following cipher_list work around should be possible for those who would (1) like a fix before OpenSSL releases its next stable versions, or (2) don't want to use SSL_OP_SAFARI_ECDHE_ECDSA_BUG. SSL_OP_CIPHER_SERVER_PREFERENCE is probably a necessary option to ensure the server's cipher list preferences are used.

1. Ensure that these four ciphers are all disabled on your server (since these are the only ciphers that are affected by the Safari/OSX bug):

* ECDHE-ECDSA-AES256-SHA
* ECDHE-ECDSA-AES128-SHA
* ECDHE-ECDSA-RC4-SHA
* ECDHE-ECDSA-DES-CBC3-SHA

2. If you want to enable one or more of those four ECDHE-ECDSA ciphers, then ensure that your server prefers at least one of the following ciphers (that Safari/OSX also offers) ahead of them:

* ECDH-RSA-AES128-SHA
* ECDH-RSA-AES256-SHA
* ECDH-RSA-RC4-SHA
* ECDH-RSA-DES-CBC3-SHA
* ECDHE-RSA-AES256-SHA
* ECDHE-RSA-AES128-SHA
* ECDHE-RSA-RC4-SHA
* ECDHE-RSA-DES-CBC3-SHA
* AES128-SHA
* AES256-SHA
* DES-CBC3-SHA
* DHE-RSA-AES128-SHA
* DHE-RSA-AES256-SHA
* EDH-RSA-DES-CBC3-SHA

The broken versions of Safari/OSX don't support GCM (or DSS), so enabling and even preferring ECDHE-ECDSA-AES256-GCM-SHA384 and ECDHE-ECDSA-AES128-GCM-SHA256 on your server shouldn't cause any problems.

Note: be wary of RC4 because it has serious vulnerabilities when used in TLS. See AlFardan, Bernstein (et al), On the Security of RC4 in TLS and WPA.

Manual Workaround (Apple)[edit]

For Apple-based, non-Safari applications, it appears an application level work around is available. According to Mac OS X's SecureTransport and iOS's SecureTransport, users of the broken SecureTransport should be able to call SSLSetEnabledCiphers to remove the ECDHE-ECDSA-* ciphers from the list.