Difference between revisions of "SSL OP SAFARI ECDHE ECDSA BUG"

From OpenSSLWiki
m (Spelling correction)
m (Added SSL_OP_CIPHER_SERVER_PREFERENCE.)

Revision as of 01:40, 11 December 2013

SSL_OP_SAFARI_ECDHE_ECDSA_BUG refers to an Apple bug in which Safari fails to negotiate the ECDHE-ECDSA ciphers it advertises. The bug is present in OS X 10.8 through 10.8.3, and was allegedly fixed in OS X 10.8.4. Apple did not provide a hotfix or apply the fix to the affected versions of its SecureTransport, so 10.8 through 10.8.3 will remain broken.

SSL_OP_SAFARI_ECDHE_ECDSA_BUG is a context option available in OpenSSL versions later than 1.0.1e, later than 0.9.8y, and in 1.0.2 and 1.1.0. In updated versions of OpenSSL, the option is included in SSL_OP_ALL. Existing applications compiled against the previous value of SSL_OP_ALL will need to be recompiled.

The patch was discussed in the thread "Apple are, apparently, dicks...", and was provided by Adam Langley and Rob Stradling.

Manual Workaround (OpenSSL)

According to Rob Stradling in the thread "Questions on SSL_OP_SAFARI_ECDHE_ECDSA_BUG", the following cipher_list workaround should be possible for those who (1) would like a fix before OpenSSL releases its next stable versions, or (2) don't want to use SSL_OP_SAFARI_ECDHE_ECDSA_BUG. SSL_OP_CIPHER_SERVER_PREFERENCE is probably a necessary option to ensure the server's cipher list preferences are used.

1. Ensure that these four ciphers are all disabled on your server (since these are the only ciphers that are affected by the Safari/OSX bug):

* ECDHE-ECDSA-AES256-SHA
* ECDHE-ECDSA-AES128-SHA
* ECDHE-ECDSA-RC4-SHA
* ECDHE-ECDSA-DES-CBC3-SHA

2. If you want to enable one or more of those four ECDHE-ECDSA ciphers, then ensure that your server prefers at least one of the following ciphers (that Safari/OSX also offers) ahead of them:

* ECDH-RSA-AES128-SHA
* ECDH-RSA-AES256-SHA
* ECDH-RSA-RC4-SHA
* ECDH-RSA-DES-CBC3-SHA
* ECDHE-RSA-AES256-SHA
* ECDHE-RSA-AES128-SHA
* ECDHE-RSA-RC4-SHA
* ECDHE-RSA-DES-CBC3-SHA
* AES128-SHA
* AES256-SHA
* DES-CBC3-SHA
* DHE-RSA-AES128-SHA
* DHE-RSA-AES256-SHA
* EDH-RSA-DES-CBC3-SHA

The broken versions of Safari/OSX don't support GCM (or DSS), so enabling and even preferring ECDHE-ECDSA-AES256-GCM-SHA384 and ECDHE-ECDSA-AES128-GCM-SHA256 on your server shouldn't cause any problems.

Note: be wary of RC4 because it has serious vulnerabilities when used in TLS. See AlFardan, Bernstein, et al., "On the Security of RC4 in TLS and WPA".
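The two steps above can be checked mechanically against a server's expanded cipher list. The following is an added example, not code from the OpenSSL project or from Rob Stradling's post; the function name `audit_cipher_order` and its `server_preference` parameter are hypothetical, and it assumes that without SSL_OP_CIPHER_SERVER_PREFERENCE the server's ordering cannot be relied on.

```python
# Added example: audit an ordered cipher list against steps 1 and 2 above.
# The four ciphers the page lists as affected by the Safari/OS X bug (step 1).
AFFECTED = {
    "ECDHE-ECDSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-ECDSA-RC4-SHA", "ECDHE-ECDSA-DES-CBC3-SHA",
}
# Ciphers the page lists as also offered by Safari/OS X (step 2).
FALLBACKS = {
    "ECDH-RSA-AES128-SHA", "ECDH-RSA-AES256-SHA", "ECDH-RSA-RC4-SHA",
    "ECDH-RSA-DES-CBC3-SHA", "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-RC4-SHA", "ECDHE-RSA-DES-CBC3-SHA", "AES128-SHA", "AES256-SHA",
    "DES-CBC3-SHA", "DHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA",
    "EDH-RSA-DES-CBC3-SHA",
}

def audit_cipher_order(cipher_list, server_preference):
    """Return (ok, reason).

    cipher_list: colon-separated names, most preferred first, as printed by
    `openssl ciphers <string>`.
    server_preference: whether the server sets SSL_OP_CIPHER_SERVER_PREFERENCE
    (assumption: without it the server's order is not enforced).
    """
    ordered = [c for c in cipher_list.split(":") if c]
    exposed = [c for c in ordered if c in AFFECTED]
    if not exposed:
        return True, "step 1 satisfied: no affected cipher enabled"
    if not server_preference:
        return False, "affected ciphers enabled but server order is not enforced"
    # Step 2: some fallback must come before the first affected cipher.
    first = ordered.index(exposed[0])
    shield = next((c for c in ordered[:first] if c in FALLBACKS), None)
    if shield is None:
        return False, f"no fallback cipher precedes {exposed[0]}"
    return True, f"step 2 satisfied: {shield} precedes {exposed[0]}"

if __name__ == "__main__":
    # Constructed sample lists, not taken from a real server.
    good = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA"
    bad = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA"
    for name, value in (("good", good), ("bad", bad)):
        print(name, audit_cipher_order(value, server_preference=True))
```

The GCM suites are in neither set, so preferring them first neither satisfies nor violates step 2, matching the remark above that the broken clients do not offer them.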

Manual Workaround (Apple)

For Apple-based, non-Safari applications, it appears an application-level workaround is available. According to Mac OS X's SecureTransport and iOS's SecureTransport, users of the broken SecureTransport should be able to call SSLSetEnabledCiphers to remove the ECDHE-ECDSA-* ciphers from the list.