Difference between revisions of "SSL OP SAFARI ECDHE ECDSA BUG"

From OpenSSLWiki
Jump to: navigation, search
(Created page with "'''<tt>SSL_OP_SAFARI_ECDHE_ECDSA_BUG</tt>''' is an Apple bug where Safari fails to negotiate <tt>ECDHE-ECDSA</tt> ciphers as advertised. The bug is present in OS X 10.8 through 1…")
 
m (Added info on patch)
 
(2 intermediate revisions by 2 users not shown)
Line 4: Line 4:
  
 
The patch was discussed at [http://www.mail-archive.com/openssl-dev@openssl.org/msg32629.html Apple are, apparently, dicks...], and provided by Adam Langley and Rob Stradling.
 
The patch was discussed at [http://www.mail-archive.com/openssl-dev@openssl.org/msg32629.html Apple are, apparently, dicks...], and provided by Adam Langley and Rob Stradling.
 +
 +
== OpenSSL Patch ==
 +
 +
The Apple bug patch is available at [http://openssl.6102.n7.nabble.com/openssl-org-3068-PATCH-Safari-broken-ECDHE-ECDSA-workaround-td45432.html <nowiki>[openssl.org #3068] [PATCH] Safari broken ECDHE-ECDSA workaround</nowiki>]. The patch attempts to fingerprint Apple Safari clients based on <tt>elliptic_curves</tt>, <tt>ec_point_formats</tt> and <tt>signature_algorithms</tt>. If a match is made, then <tt>is_probably_safari</tt> is set in the <tt>SSL*</tt> context. The server will later disable ECDHE-ECDSA ciphers on the context (algorithm types <tt>SSL_kEECDH</tt> and <tt>SSL_aECDSA</tt>).
 +
 +
Its not possible to differentiate between broken and non-broken implementations, so the fix is applied to all Apple Safari clients. It will also apply to non-Apple clients *if* they use the same extension blocks as Apple clients.
  
 
== Manual Workaround (OpenSSL) ==
 
== Manual Workaround (OpenSSL) ==
  
According to Rob Stradling at [http://openssl.6102.n7.nabble.com/Questions-on-SSL-OP-SAFARI-ECDHE-ECDSA-BUG-td47614.html Questions on SSL_OP_SAFARI_ECDHE_ECDSA_BUG], the following <tt>cipher_list</tt> work around should be possible for those who would (1) like a fix before OpenSSL releases its next stable versions, or (2) don't want to use <tt>SSL_OP_SAFARI_ECDHE_ECDSA_BUG</tt>.
+
According to Rob Stradling at [http://openssl.6102.n7.nabble.com/Questions-on-SSL-OP-SAFARI-ECDHE-ECDSA-BUG-td47614.html Questions on SSL_OP_SAFARI_ECDHE_ECDSA_BUG], the following <tt>cipher_list</tt> work around should be possible for those who would (1) like a fix before OpenSSL releases its next stable versions, or (2) don't want to use <tt>SSL_OP_SAFARI_ECDHE_ECDSA_BUG</tt>. <tt>SSL_OP_CIPHER_SERVER_PREFERENCE</tt> is probably a necessary option to ensure the server's cipher list preferences are used.
  
 
1. Ensure that these four ciphers are all disabled on your server (since these are the only ciphers that are affected by the Safari/OSX bug):
 
1. Ensure that these four ciphers are all disabled on your server (since these are the only ciphers that are affected by the Safari/OSX bug):
Line 34: Line 40:
 
The broken versions of Safari/OSX don't support GCM (or DSS), so enabling and even preferring ECDHE-ECDSA-AES256-GCM-SHA384 and ECDHE-ECDSA-AES128-GCM-SHA256 on your server shouldn't cause any problems.
 
The broken versions of Safari/OSX don't support GCM (or DSS), so enabling and even preferring ECDHE-ECDSA-AES256-GCM-SHA384 and ECDHE-ECDSA-AES128-GCM-SHA256 on your server shouldn't cause any problems.
  
''Note:'' be weary of RC4 because it has serious vulnerabilities when used in TLS. See AlFardan, Bernstein (et al), [http://cr.yp.to/streamciphers/rc4biases-20130708.pdf On the Security of RC4 in TLS and WPA].
+
''Note:'' be wary of RC4 because it has serious vulnerabilities when used in TLS. See AlFardan, Bernstein (et al), [http://cr.yp.to/streamciphers/rc4biases-20130708.pdf On the Security of RC4 in TLS and WPA].
  
 
== Manual Workaround (Apple) ==
 
== Manual Workaround (Apple) ==
  
 
For Apple-based, non-Safari applications, it appears an application level work around is available. According to Mac OS X's [https://developer.apple.com/library/ios/documentation/security/Reference/secureTransportRef/Reference/reference.html SecureTransport] and iOS's [https://developer.apple.com/library/ios/documentation/security/Reference/secureTransportRef/Reference/reference.html SecureTransport], users of the broken <tt>SecureTransport</tt> should be able to call <tt>SSLSetEnabledCiphers</tt> to remove the <tt>ECDHE-ECDSA-*</tt> ciphers from the list.
 
For Apple-based, non-Safari applications, it appears an application level work around is available. According to Mac OS X's [https://developer.apple.com/library/ios/documentation/security/Reference/secureTransportRef/Reference/reference.html SecureTransport] and iOS's [https://developer.apple.com/library/ios/documentation/security/Reference/secureTransportRef/Reference/reference.html SecureTransport], users of the broken <tt>SecureTransport</tt> should be able to call <tt>SSLSetEnabledCiphers</tt> to remove the <tt>ECDHE-ECDSA-*</tt> ciphers from the list.

Latest revision as of 02:00, 11 December 2013

SSL_OP_SAFARI_ECDHE_ECDSA_BUG is an Apple bug where Safari fails to negotiate ECDHE-ECDSA ciphers as advertised. The bug is present in OS X 10.8 through 10.8.3, and was allegedly fixed in OS X 10.8.4. Apple did not provide a hotfix or apply the fix to the affected versions of its SecureTransport, so 10.8 through 10.8.3 will remain broken.

SSL_OP_SAFARI_ECDHE_ECDSA_BUG is a context option for OpenSSL greater than 1.0.1e, greater than 0.9.8y, 1.0.2, and 1.1.0. For updated versions of OpenSSL, the option is included in SSL_OP_ALL. Existing application compiled using the previous value of SSL_OP_ALL will need to be recompiled.

The patch was discussed at Apple are, apparently, dicks..., and provided by Adam Langley and Rob Stradling.

OpenSSL Patch[edit]

The Apple bug patch is available at [openssl.org #3068] [PATCH] Safari broken ECDHE-ECDSA workaround. The patch attempts to fingerprint Apple Safari clients based on elliptic_curves, ec_point_formats and signature_algorithms. If a match is made, then is_probably_safari is set in the SSL* context. The server will later disable ECDHE-ECDSA ciphers on the context (algorithm types SSL_kEECDH and SSL_aECDSA).

Its not possible to differentiate between broken and non-broken implementations, so the fix is applied to all Apple Safari clients. It will also apply to non-Apple clients *if* they use the same extension blocks as Apple clients.

Manual Workaround (OpenSSL)[edit]

According to Rob Stradling at Questions on SSL_OP_SAFARI_ECDHE_ECDSA_BUG, the following cipher_list work around should be possible for those who would (1) like a fix before OpenSSL releases its next stable versions, or (2) don't want to use SSL_OP_SAFARI_ECDHE_ECDSA_BUG. SSL_OP_CIPHER_SERVER_PREFERENCE is probably a necessary option to ensure the server's cipher list preferences are used.

1. Ensure that these four ciphers are all disabled on your server (since these are the only ciphers that are affected by the Safari/OSX bug):

* ECDHE-ECDSA-AES256-SHA
* ECDHE-ECDSA-AES128-SHA
* ECDHE-ECDSA-RC4-SHA
* ECDHE-ECDSA-DES-CBC3-SHA

2. If you want to enable one or more of those four ECDHE-ECDSA ciphers, then ensure that your server prefers at least one of the following ciphers (that Safari/OSX also offers) ahead of them:

* ECDH-RSA-AES128-SHA
* ECDH-RSA-AES256-SHA
* ECDH-RSA-RC4-SHA
* ECDH-RSA-DES-CBC3-SHA
* ECDHE-RSA-AES256-SHA
* ECDHE-RSA-AES128-SHA
* ECDHE-RSA-RC4-SHA
* ECDHE-RSA-DES-CBC3-SHA
* AES128-SHA
* AES256-SHA
* DES-CBC3-SHA
* DHE-RSA-AES128-SHA
* DHE-RSA-AES256-SHA
* EDH-RSA-DES-CBC3-SHA

The broken versions of Safari/OSX don't support GCM (or DSS), so enabling and even preferring ECDHE-ECDSA-AES256-GCM-SHA384 and ECDHE-ECDSA-AES128-GCM-SHA256 on your server shouldn't cause any problems.

Note: be wary of RC4 because it has serious vulnerabilities when used in TLS. See AlFardan, Bernstein (et al), On the Security of RC4 in TLS and WPA.

Manual Workaround (Apple)[edit]

For Apple-based, non-Safari applications, it appears an application level work around is available. According to Mac OS X's SecureTransport and iOS's SecureTransport, users of the broken SecureTransport should be able to call SSLSetEnabledCiphers to remove the ECDHE-ECDSA-* ciphers from the list.