SSL OP SAFARI ECDHE ECDSA BUG - Revision history

Jwalton: Added info on patch

2013-12-11T02:00:21Z

Added info on patch

Jwalton: Added SSL_OP_CIPHER_SERVER_PREFERENCE.

2013-12-11T01:40:00Z

Added SSL_OP_CIPHER_SERVER_PREFERENCE.

Matt: Spelling correction

2013-12-10T23:44:30Z

Spelling correction

Jwalton: Created page with "'''`SSL_OP_SAFARI_ECDHE_ECDSA_BUG`''' is an Apple bug where Safari fails to negotiate `ECDHE-ECDSA` ciphers as advertised. The bug is present in OS X 10.8 through 1…"

2013-12-10T23:37:33Z

Created page with "'''<tt>SSL_OP_SAFARI_ECDHE_ECDSA_BUG</tt>''' is an Apple bug where Safari fails to negotiate <tt>ECDHE-ECDSA</tt> ciphers as advertised. The bug is present in OS X 10.8 through 1…"

New page

'''<tt>SSL_OP_SAFARI_ECDHE_ECDSA_BUG</tt>''' is an Apple bug where Safari fails to negotiate <tt>ECDHE-ECDSA</tt> ciphers as advertised. The bug is present in OS X 10.8 through 10.8.3, and was allegedly fixed in OS X 10.8.4. Apple did not provide a hotfix or apply the fix to the affected versions of its <tt>SecureTransport</tt>, so 10.8 through 10.8.3 will remain broken.

<tt>SSL_OP_SAFARI_ECDHE_ECDSA_BUG</tt> is a context option for OpenSSL ''greater than'' 1.0.1e, ''greater than'' 0.9.8y, 1.0.2, and 1.1.0. For updated versions of OpenSSL, the option is included in <tt>SSL_OP_ALL</tt>. Existing application compiled using the previous value of <tt>SSL_OP_ALL</tt> will need to be recompiled.

The patch was discussed at [http://www.mail-archive.com/openssl-dev@openssl.org/msg32629.html Apple are, apparently, dicks...], and provided by Adam Langley and Rob Stradling.

== Manual Workaround (OpenSSL) ==

According to Rob Stradling at [http://openssl.6102.n7.nabble.com/Questions-on-SSL-OP-SAFARI-ECDHE-ECDSA-BUG-td47614.html Questions on SSL_OP_SAFARI_ECDHE_ECDSA_BUG], the following <tt>cipher_list</tt> work around should be possible for those who would (1) like a fix before OpenSSL releases its next stable versions, or (2) don't want to use <tt>SSL_OP_SAFARI_ECDHE_ECDSA_BUG</tt>.

1. Ensure that these four ciphers are all disabled on your server (since these are the only ciphers that are affected by the Safari/OSX bug):
* ECDHE-ECDSA-AES256-SHA
* ECDHE-ECDSA-AES128-SHA
* ECDHE-ECDSA-RC4-SHA
* ECDHE-ECDSA-DES-CBC3-SHA

2. If you want to enable one or more of those four ECDHE-ECDSA ciphers, then ensure that your server prefers at least one of the following ciphers (that Safari/OSX also offers) ahead of them:

* ECDH-RSA-AES128-SHA
* ECDH-RSA-AES256-SHA
* ECDH-RSA-RC4-SHA
* ECDH-RSA-DES-CBC3-SHA
* ECDHE-RSA-AES256-SHA
* ECDHE-RSA-AES128-SHA
* ECDHE-RSA-RC4-SHA
* ECDHE-RSA-DES-CBC3-SHA
* AES128-SHA
* AES256-SHA
* DES-CBC3-SHA
* DHE-RSA-AES128-SHA
* DHE-RSA-AES256-SHA
* EDH-RSA-DES-CBC3-SHA

The broken versions of Safari/OSX don't support GCM (or DSS), so enabling and even preferring ECDHE-ECDSA-AES256-GCM-SHA384 and ECDHE-ECDSA-AES128-GCM-SHA256 on your server shouldn't cause any problems.

''Note:'' be weary of RC4 because it has serious vulnerabilities when used in TLS. See AlFardan, Bernstein (et al), [http://cr.yp.to/streamciphers/rc4biases-20130708.pdf On the Security of RC4 in TLS and WPA].

== Manual Workaround (Apple) ==

For Apple-based, non-Safari applications, it appears an application level work around is available. According to Mac OS X's [https://developer.apple.com/library/ios/documentation/security/Reference/secureTransportRef/Reference/reference.html SecureTransport] and iOS's [https://developer.apple.com/library/ios/documentation/security/Reference/secureTransportRef/Reference/reference.html SecureTransport], users of the broken <tt>SecureTransport</tt> should be able to call <tt>SSLSetEnabledCiphers</tt> to remove the <tt>ECDHE-ECDSA-*</tt> ciphers from the list.

← Older revision		Revision as of 02:00, 11 December 2013
Line 4:		Line 4:

	The patch was discussed at [http://www.mail-archive.com/openssl-dev@openssl.org/msg32629.html Apple are, apparently, dicks...], and provided by Adam Langley and Rob Stradling.		The patch was discussed at [http://www.mail-archive.com/openssl-dev@openssl.org/msg32629.html Apple are, apparently, dicks...], and provided by Adam Langley and Rob Stradling.
		+
		+	== OpenSSL Patch ==
		+
		+	The Apple bug patch is available at [http://openssl.6102.n7.nabble.com/openssl-org-3068-PATCH-Safari-broken-ECDHE-ECDSA-workaround-td45432.html <nowiki>[openssl.org #3068] [PATCH] Safari broken ECDHE-ECDSA workaround</nowiki>]. The patch attempts to fingerprint Apple Safari clients based on <tt>elliptic_curves</tt>, <tt>ec_point_formats</tt> and <tt>signature_algorithms</tt>. If a match is made, then <tt>is_probably_safari</tt> is set in the <tt>SSL*</tt> context. The server will later disable ECDHE-ECDSA ciphers on the context (algorithm types <tt>SSL_kEECDH</tt> and <tt>SSL_aECDSA</tt>).
		+
		+	Its not possible to differentiate between broken and non-broken implementations, so the fix is applied to all Apple Safari clients. It will also apply to non-Apple clients if they use the same extension blocks as Apple clients.

	== Manual Workaround (OpenSSL) ==		== Manual Workaround (OpenSSL) ==

@@ Line 7: / Line 7: @@
 == Manual Workaround (OpenSSL) ==
-According to Rob Stradling at [http://openssl.6102.n7.nabble.com/Questions-on-SSL-OP-SAFARI-ECDHE-ECDSA-BUG-td47614.html Questions on SSL_OP_SAFARI_ECDHE_ECDSA_BUG], the following <tt>cipher_list</tt> work around should be possible for those who would (1) like a fix before OpenSSL releases its next stable versions, or (2) don't want to use <tt>SSL_OP_SAFARI_ECDHE_ECDSA_BUG</tt>.
+According to Rob Stradling at [http://openssl.6102.n7.nabble.com/Questions-on-SSL-OP-SAFARI-ECDHE-ECDSA-BUG-td47614.html Questions on SSL_OP_SAFARI_ECDHE_ECDSA_BUG], the following <tt>cipher_list</tt> work around should be possible for those who would (1) like a fix before OpenSSL releases its next stable versions, or (2) don't want to use <tt>SSL_OP_SAFARI_ECDHE_ECDSA_BUG</tt>. <tt>SSL_OP_CIPHER_SERVER_PREFERENCE</tt> is probably a necessary option to ensure the server's cipher list preferences are used.
 . Ensure that these four ciphers are all disabled on your server (since these are the only ciphers that are affected by the Safari/OSX bug):

@@ Line 34: / Line 34: @@
 The broken versions of Safari/OSX don't support GCM (or DSS), so enabling and even preferring ECDHE-ECDSA-AES256-GCM-SHA384 and ECDHE-ECDSA-AES128-GCM-SHA256 on your server shouldn't cause any problems.
-''Note:'' be weary of RC4 because it has serious vulnerabilities when used in TLS. See AlFardan, Bernstein (et al), [http://cr.yp.to/streamciphers/rc4biases-20130708.pdf On the Security of RC4 in TLS and WPA].
+''Note:'' be wary of RC4 because it has serious vulnerabilities when used in TLS. See AlFardan, Bernstein (et al), [http://cr.yp.to/streamciphers/rc4biases-20130708.pdf On the Security of RC4 in TLS and WPA].
 == Manual Workaround (Apple) ==
 For Apple-based, non-Safari applications, it appears an application level work around is available. According to Mac OS X's [https://developer.apple.com/library/ios/documentation/security/Reference/secureTransportRef/Reference/reference.html SecureTransport] and iOS's [https://developer.apple.com/library/ios/documentation/security/Reference/secureTransportRef/Reference/reference.html SecureTransport], users of the broken <tt>SecureTransport</tt> should be able to call <tt>SSLSetEnabledCiphers</tt> to remove the <tt>ECDHE-ECDSA-*</tt> ciphers from the list.

SSL OP SAFARI ECDHE ECDSA BUG - Revision history

Jwalton: Added info on patch

Jwalton: Added SSL_OP_CIPHER_SERVER_PREFERENCE.

Matt: Spelling correction

Jwalton: Created page with "'''SSL_OP_SAFARI_ECDHE_ECDSA_BUG''' is an Apple bug where Safari fails to negotiate ECDHE-ECDSA ciphers as advertised. The bug is present in OS X 10.8 through 1…"

Jwalton: Created page with "'''`SSL_OP_SAFARI_ECDHE_ECDSA_BUG`''' is an Apple bug where Safari fails to negotiate `ECDHE-ECDSA` ciphers as advertised. The bug is present in OS X 10.8 through 1…"