SSL OP SAFARI ECDHE ECDSA BUG

From OpenSSLWiki
Revision as of 23:44, 10 December 2013 by Matt (talk | contribs) (Spelling correction)
Jump to navigationJump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

SSL_OP_SAFARI_ECDHE_ECDSA_BUG is an Apple bug where Safari fails to negotiate ECDHE-ECDSA ciphers as advertised. The bug is present in OS X 10.8 through 10.8.3, and was allegedly fixed in OS X 10.8.4. Apple did not provide a hotfix or apply the fix to the affected versions of its SecureTransport, so 10.8 through 10.8.3 will remain broken.

SSL_OP_SAFARI_ECDHE_ECDSA_BUG is a context option for OpenSSL greater than 1.0.1e, greater than 0.9.8y, 1.0.2, and 1.1.0. For updated versions of OpenSSL, the option is included in SSL_OP_ALL. Existing application compiled using the previous value of SSL_OP_ALL will need to be recompiled.

The patch was discussed at Apple are, apparently, dicks..., and provided by Adam Langley and Rob Stradling.

Manual Workaround (OpenSSL)

According to Rob Stradling at Questions on SSL_OP_SAFARI_ECDHE_ECDSA_BUG, the following cipher_list work around should be possible for those who would (1) like a fix before OpenSSL releases its next stable versions, or (2) don't want to use SSL_OP_SAFARI_ECDHE_ECDSA_BUG.

1. Ensure that these four ciphers are all disabled on your server (since these are the only ciphers that are affected by the Safari/OSX bug):

* ECDHE-ECDSA-AES256-SHA
* ECDHE-ECDSA-AES128-SHA
* ECDHE-ECDSA-RC4-SHA
* ECDHE-ECDSA-DES-CBC3-SHA

2. If you want to enable one or more of those four ECDHE-ECDSA ciphers, then ensure that your server prefers at least one of the following ciphers (that Safari/OSX also offers) ahead of them:

* ECDH-RSA-AES128-SHA
* ECDH-RSA-AES256-SHA
* ECDH-RSA-RC4-SHA
* ECDH-RSA-DES-CBC3-SHA
* ECDHE-RSA-AES256-SHA
* ECDHE-RSA-AES128-SHA
* ECDHE-RSA-RC4-SHA
* ECDHE-RSA-DES-CBC3-SHA
* AES128-SHA
* AES256-SHA
* DES-CBC3-SHA
* DHE-RSA-AES128-SHA
* DHE-RSA-AES256-SHA
* EDH-RSA-DES-CBC3-SHA

The broken versions of Safari/OSX don't support GCM (or DSS), so enabling and even preferring ECDHE-ECDSA-AES256-GCM-SHA384 and ECDHE-ECDSA-AES128-GCM-SHA256 on your server shouldn't cause any problems.

Note: be wary of RC4 because it has serious vulnerabilities when used in TLS. See AlFardan, Bernstein (et al), On the Security of RC4 in TLS and WPA.

Manual Workaround (Apple)

For Apple-based, non-Safari applications, it appears an application level work around is available. According to Mac OS X's SecureTransport and iOS's SecureTransport, users of the broken SecureTransport should be able to call SSLSetEnabledCiphers to remove the ECDHE-ECDSA-* ciphers from the list.