Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#462 closed defect (wontfix)

Server: OpenSSL Safari Workaround (SSL_OP_SAFARI_ECDHE_ECDSA_BUG)

Reported by: Jeffrey Walton Owned by:
Priority: minor Milestone:
Component: nginx-core Version:
Keywords: openssl safari SSL_OP_SAFARI_ECDHE_ECDSA_BUG server Cc:
uname -a:
    $ uname -a
    Darwin riemann.home.pvt 12.5.0 Darwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64 x86_64
nginx -V:
    $ objs/nginx -V
    nginx version: nginx/1.4.4
    configure arguments:


It appears there is an opportunity for improvement in the server for Safari clients when using OpenSSL. From ngx_event_openssl.c, around line 185:

    /* server side options */

    SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
    SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);

It might be helpful to add SSL_OP_SAFARI_ECDHE_ECDSA_BUG:

    # define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000400L

    SSL_CTX_set_options(ssl->ctx, SSL_OP_SAFARI_ECDHE_ECDSA_BUG);

SSL_OP_SAFARI_ECDHE_ECDSA_BUG was a recent check-in.

Change History (2)

comment:1 by Maxim Dounin, 11 years ago

Resolution: wontfix
Status: new → closed

It's not yet available in any released version of OpenSSL, and already obsolete by several OS X releases with the problem fixed. See to get the idea of market share of affected versions, it's already below 1% of OS X installations. That is, even now applying the workaround doesn't really make sense.

Moreover, the workaround applied seems to affect versions without the problem, according to the comments in the OpenSSL code:

    * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
    * 10.8..10.8.3 (which don't work).

Given the above, setting the option will likely cause more harm than good.

comment:2 by Jeffrey Walton, 11 years ago

Given the above, setting the option will likely cause more harm than good.

Apple has already done that with their broken implementation. ;)
