#462 closed defect (wontfix)

Server: OpenSSL Safari Workaround (SSL_OP_SAFARI_ECDHE_ECDSA_BUG)

Reported by: Jeffrey Walton Owned by:
Priority: minor Milestone:
Component: nginx-core Version:
Keywords: openssl safari SSL_OP_SAFARI_ECDHE_ECDSA_BUG server Cc:
uname -a:

    $ uname -a
    Darwin riemann.home.pvt 12.5.0 Darwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64 x86_64

nginx -V:

    $ objs/nginx -V
    nginx version: nginx/1.4.4
    configure arguments:

Description

It appears there is an opportunity for improvement in the server for Safari clients when using OpenSSL. From ngx_event_openssl.c, around line 185:

    /* server side options */

    SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
    SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
    ...

It might be helpful to add SSL_OP_SAFARI_ECDHE_ECDSA_BUG:

    /* provide the flag for OpenSSL headers that predate it */
    #if !defined(SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
    # define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000400L
    #endif

    SSL_CTX_set_options(ssl->ctx, SSL_OP_SAFARI_ECDHE_ECDSA_BUG);

SSL_OP_SAFARI_ECDHE_ECDSA_BUG was a recent check-in. http://openssl.6102.n7.nabble.com/openssl-org-3068-PATCH-Safari-broken-ECDHE-ECDSA-workaround-td45432.html.

Change History (2)

comment:1 by Maxim Dounin, 7 years ago

Resolution: wontfix
Status: new → closed

It's not yet available in any released version of OpenSSL, and it is already obsolete, as several OS X releases with the problem fixed have shipped. See https://www.adium.im/sparkle/ to get an idea of the market share of affected versions; it's already below 1% of OS X installations. That is, even now, applying the workaround doesn't really make sense.

Moreover, the workaround applied seems to affect versions without the problem, according to the comments in the OpenSSL code:

     * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
     * 10.8..10.8.3 (which don't work).

Given the above, setting the option will likely cause more harm than good.

comment:2 by Jeffrey Walton, 7 years ago

> Given the above, setting the option will likely cause more harm than good.

Apple has already done that with their broken implementation. ;)
