Difference between revisions of "SSL OP SAFARI ECDHE ECDSA BUG"
Revision as of 23:44, 10 December 2013

SSL_OP_SAFARI_ECDHE_ECDSA_BUG is an Apple bug where Safari fails to negotiate ECDHE-ECDSA ciphers as advertised. The bug is present in OS X 10.8 through 10.8.3, and was allegedly fixed in OS X 10.8.4. Apple did not provide a hotfix or apply the fix to the affected versions of its SecureTransport, so 10.8 through 10.8.3 will remain broken.

SSL_OP_SAFARI_ECDHE_ECDSA_BUG is a context option available in OpenSSL versions later than 1.0.1e and later than 0.9.8y, and in 1.0.2 and 1.1.0. In those updated versions the option is included in SSL_OP_ALL, so existing applications compiled against the previous value of SSL_OP_ALL will need to be recompiled to pick it up.

The patch was discussed in the thread "Apple are, apparently, dicks...", and was provided by Adam Langley and Rob Stradling.

Manual Workaround (OpenSSL)

According to Rob Stradling in the thread "Questions on SSL_OP_SAFARI_ECDHE_ECDSA_BUG", the following cipher list workaround should be possible for those who either (1) want a fix before OpenSSL releases its next stable versions, or (2) do not want to use SSL_OP_SAFARI_ECDHE_ECDSA_BUG.

1. Ensure that these four ciphers are all disabled on your server (since these are the only ciphers that are affected by the Safari/OSX bug):

* ECDHE-ECDSA-AES256-SHA
* ECDHE-ECDSA-AES128-SHA
* ECDHE-ECDSA-RC4-SHA
* ECDHE-ECDSA-DES-CBC3-SHA

2. If you want to enable one or more of those four ECDHE-ECDSA ciphers, then ensure that your server prefers at least one of the following ciphers (that Safari/OSX also offers) ahead of them:

* ECDH-RSA-AES128-SHA
* ECDH-RSA-AES256-SHA
* ECDH-RSA-RC4-SHA
* ECDH-RSA-DES-CBC3-SHA
* ECDHE-RSA-AES256-SHA
* ECDHE-RSA-AES128-SHA
* ECDHE-RSA-RC4-SHA
* ECDHE-RSA-DES-CBC3-SHA
* AES128-SHA
* AES256-SHA
* DES-CBC3-SHA
* DHE-RSA-AES128-SHA
* DHE-RSA-AES256-SHA
* EDH-RSA-DES-CBC3-SHA

The broken versions of Safari/OSX don't support GCM (or DSS), so enabling and even preferring ECDHE-ECDSA-AES256-GCM-SHA384 and ECDHE-ECDSA-AES128-GCM-SHA256 on your server shouldn't cause any problems.

Note: be wary of RC4 because it has serious vulnerabilities when used in TLS. See AlFardan, Bernstein et al., On the Security of RC4 in TLS and WPA (http://cr.yp.to/streamciphers/rc4biases-20130708.pdf).
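The two rules above only work because OpenSSL, with server cipher preference enabled, picks the first cipher in the server's list that the client also offers; the broken Safari advertises the four ECDHE-ECDSA ciphers but cannot complete a handshake with them, so something it can actually use must sit ahead of them. The following is an added example, not code from the OpenSSL wiki or from Rob Stradling, that models that selection and checks a server cipher list against the two rules. It assumes SSL_OP_CIPHER_SERVER_PREFERENCE is set, and the Safari offer it uses is constructed from the two lists on this page rather than taken from a captured ClientHello; parse_cipher_list, select_cipher and check_safari_workaround are names chosen here.

```python
"""Model of server-preference cipher selection against the broken Safari/OS X 10.8 client.

Assumption: the server has SSL_OP_CIPHER_SERVER_PREFERENCE set, so the first
cipher in the server's ordered list that the client also offers is chosen.
"""

# The four ciphers the page names as affected by the Safari/OS X bug.
SAFARI_BROKEN = frozenset({
    "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-ECDSA-RC4-SHA",
    "ECDHE-ECDSA-DES-CBC3-SHA",
})

# Constructed client offer for the broken Safari build (not a captured
# ClientHello): the four broken ciphers it advertises but cannot complete,
# plus the fourteen ciphers the page lists as also offered by Safari/OSX.
SAFARI_10_8_OFFER = sorted(SAFARI_BROKEN) + [
    "ECDH-RSA-AES128-SHA", "ECDH-RSA-AES256-SHA", "ECDH-RSA-RC4-SHA",
    "ECDH-RSA-DES-CBC3-SHA", "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-RC4-SHA", "ECDHE-RSA-DES-CBC3-SHA", "AES128-SHA", "AES256-SHA",
    "DES-CBC3-SHA", "DHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA",
    "EDH-RSA-DES-CBC3-SHA",
]


def parse_cipher_list(spec):
    """Parse an explicit OpenSSL-style cipher list: names separated by ':',
    in order, where a leading '!' permanently removes that name. Keyword
    groups such as HIGH or ECDH are deliberately not expanded here."""
    enabled, killed = [], set()
    for token in spec.split(":"):
        token = token.strip()
        if not token:
            continue
        if token.startswith("!"):
            killed.add(token[1:])
            enabled = [c for c in enabled if c != token[1:]]
        elif token not in killed and token not in enabled:
            enabled.append(token)
    return enabled


def select_cipher(server_prefs, client_offer):
    """Server-preference selection: first server cipher the client offers."""
    offered = set(client_offer)
    for cipher in server_prefs:
        if cipher in offered:
            return cipher
    return None  # no cipher in common: handshake fails outright


def check_safari_workaround(server_prefs):
    """Return (ok, chosen). ok is True when the broken Safari would end up on
    a cipher it can actually complete, i.e. the page's rules 1/2 are met."""
    chosen = select_cipher(server_prefs, SAFARI_10_8_OFFER)
    if chosen is None:
        return (False, None)
    return (chosen not in SAFARI_BROKEN, chosen)


# Constructed server lists for the demonstration.
UNSAFE_LIST = "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA"
# Rule 2: a cipher Safari offers is preferred ahead of the broken one; the GCM
# suite in front is harmless because the broken Safari never offers GCM.
SAFE_LIST = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:"
             "ECDHE-ECDSA-AES128-SHA:AES128-SHA")
# Rule 1: the broken cipher is disabled outright.
DISABLED_LIST = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA:"
                 "!ECDHE-ECDSA-AES128-SHA:AES128-SHA")

if __name__ == "__main__":
    for label, spec in (("unsafe", UNSAFE_LIST), ("safe", SAFE_LIST),
                        ("disabled", DISABLED_LIST)):
        ok, chosen = check_safari_workaround(parse_cipher_list(spec))
        print(f"{label:9s} -> Safari negotiates {chosen!r}: "
              f"{'OK' if ok else 'HANDSHAKE FAILS'}")
```

Without SSL_OP_CIPHER_SERVER_PREFERENCE the client's order decides instead, and the broken Safari lists its ECDHE-ECDSA suites first, which is exactly why rule 2 is stated in terms of what the server prefers.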

Manual Workaround (Apple)

For Apple-based, non-Safari applications, it appears an application-level workaround is available. According to the Mac OS X and iOS SecureTransport reference (https://developer.apple.com/library/ios/documentation/security/Reference/secureTransportRef/Reference/reference.html), users of the broken SecureTransport should be able to call SSLSetEnabledCiphers to remove the ECDHE-ECDSA-* ciphers from the list.