On Tue, Dec 10, 2013 at 7:06 AM, Rob Stradling <rob.stradl...@comodo.com> wrote:
> On 09/12/13 23:34, Jeffrey Walton wrote:
>>
>> Reference:
>> http://openssl.6102.n7.nabble.com/openssl-org-3068-PATCH-Safari-broken-ECDHE-ECDSA-workaround-td45432.html
>> and
>> http://openssl.6102.n7.nabble.com/Apple-are-apparently-dicks-td45512.html.
>>
>> ...
>> If I can't wait for the patch in future stable releases (or don't want
>> to use SSL_OP_SAFARI_ECDHE_ECDSA_BUG), what are the other options? Can
>> I use a cipher_list to work around this? For example, can I prefer RSA
>> and DSS ciphers over ECDSA:
>>
>>    const char* const PREFERRED_CIPHERS =
>>
>>      /* TLS 1.2 only */
>>      "ECDHE-RSA-AES256-GCM-SHA384:"
>>      "ECDHE-RSA-AES128-GCM-SHA256:"
>>
>>      /* TLS 1.2 only */
>>      "DHE-DSS-AES256-GCM-SHA384:"
>>      "DHE-RSA-AES256-GCM-SHA384:"
>>      "DHE-DSS-AES128-GCM-SHA256:"
>>      "DHE-RSA-AES128-GCM-SHA256:"
>>
>>      /* TLS 1.2, see SSL_OP_SAFARI_ECDHE_ECDSA_BUG */
>>      "ECDHE-ECDSA-AES256-GCM-SHA384:"
>>      "ECDHE-ECDSA-AES128-GCM-SHA256:"
>
>
> The broken versions of Safari/OSX don't support GCM (or DSS, I think), so
> enabling and even preferring ECDHE-ECDSA-AES256-GCM-SHA384 and
> ECDHE-ECDSA-AES128-GCM-SHA256 on your server shouldn't cause any problems.
>
> If you can't wait for the patch, or don't want to use it, here are two
> workarounds that I think should work...
>
> 1. Ensure that these 4 ciphers are all disabled on your server (since these
> are the only ciphers that are affected by the Safari/OSX bug):
> ECDHE-ECDSA-AES256-SHA
> ECDHE-ECDSA-AES128-SHA
> ECDHE-ECDSA-RC4-SHA
> ECDHE-ECDSA-DES-CBC3-SHA
>
> or
>
> 2. If you want to enable 1 or more of those 4 ECDHE-ECDSA ciphers, ensure
> that your server prefers at least 1 of the following ciphers (that
> Safari/OSX also offers) ahead of them:
> ECDH-RSA-AES128-SHA
> ECDH-RSA-AES256-SHA
> ECDH-RSA-RC4-SHA
> ECDH-RSA-DES-CBC3-SHA
> ECDHE-RSA-AES256-SHA
> ECDHE-RSA-AES128-SHA
> ECDHE-RSA-RC4-SHA
> ECDHE-RSA-DES-CBC3-SHA
> AES128-SHA
> RC4-SHA
> RC4-MD5
> AES256-SHA
> DES-CBC3-SHA
> DHE-RSA-AES128-SHA
> DHE-RSA-AES256-SHA
> EDH-RSA-DES-CBC3-SHA
>
> (Obviously you'll need 2 server certificates, one with an RSA key and one
> with an ECC key).

Perfect, thanks.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
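The two workarounds in the reply above can be checked mechanically against a server's cipher order. This is an added example, not code from the thread or from OpenSSL. The function name `check_safari_workaround` and its input format (expanded cipher names in server preference order, colon-separated, not an OpenSSL rule string) are assumptions, and it assumes the server enforces its own preference order.

```c
#include <stdio.h>
#include <string.h>

/* The four ciphers the thread lists as affected by the Safari/OSX bug. */
static const char *const AFFECTED[] = {
    "ECDHE-ECDSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-ECDSA-RC4-SHA", "ECDHE-ECDSA-DES-CBC3-SHA", NULL };

/* Ciphers the thread says Safari/OSX also offers (workaround 2). */
static const char *const SAFARI_OFFERS[] = {
    "ECDH-RSA-AES128-SHA", "ECDH-RSA-AES256-SHA", "ECDH-RSA-RC4-SHA",
    "ECDH-RSA-DES-CBC3-SHA", "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-RC4-SHA", "ECDHE-RSA-DES-CBC3-SHA", "AES128-SHA", "RC4-SHA",
    "RC4-MD5", "AES256-SHA", "DES-CBC3-SHA", "DHE-RSA-AES128-SHA",
    "DHE-RSA-AES256-SHA", "EDH-RSA-DES-CBC3-SHA", NULL };

/* Exact-length match, so ECDHE-ECDSA-AES256-SHA384 is not mistaken
 * for ECDHE-ECDSA-AES256-SHA. */
static int in_set(const char *s, size_t n, const char *const *set)
{
    for (; *set; set++)
        if (strlen(*set) == n && memcmp(*set, s, n) == 0)
            return 1;
    return 0;
}

/* list: expanded cipher names in server preference order, ':'-separated
 * (hypothetical input format chosen for this example).
 * Returns 1 if none of the four is enabled (workaround 1), 2 if a
 * Safari-offered cipher precedes the first affected one (workaround 2),
 * 0 if an affected cipher would be preferred first. */
int check_safari_workaround(const char *list)
{
    int seen_offered = 0;
    while (*list) {
        size_t n = strcspn(list, ":");
        if (in_set(list, n, AFFECTED))
            return seen_offered ? 2 : 0;
        if (in_set(list, n, SAFARI_OFFERS))
            seen_offered = 1;
        list += n;
        if (*list == ':')
            list++;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample list, not taken from the thread. */
    printf("%d\n", check_safari_workaround(
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA"));
    return 0;
}
```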
