Server: OpenSSL Safari Workaround (SSL_OP_SAFARI_ECDHE_ECDSA_BUG)

[Jeffrey Walton]

It appears there is an opportunity for improvement in the server for Safari clients when using OpenSSL. From ngx_event_openssl.c, around line 185:

    /* server side options */

    SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
    SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
    ...

It might be helpful to add SSL_OP_SAFARI_ECDHE_ECDSA_BUG:

    #if !defined(SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
    # define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000400L 
    #endif

     SSL_CTX_set_options(ssl->ctx, SSL_OP_SAFARI_ECDHE_ECDSA_BUG);

SSL_OP_SAFARI_ECDHE_ECDSA_BUG was a recent check-in. ​http://openssl.6102.n7.nabble.com/openssl-org-3068-PATCH-Safari-broken-ECDHE-ECDSA-workaround-td45432.html.

[Maxim Dounin]

It's not yet available in any released version of the OpenSSL, and already obsolete by several OS X releases with the problem fixed. See ​https://www.adium.im/sparkle/ to get the idea of market share of affected versions, it's already below 1% of OS X installations. That is, even now applying the workaround doesn't really make sense.

Moreover, the workaround applied seems to affect versions without the problem, according to the comments in the OpenSSL code:

 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
 * 10.8..10.8.3 (which don't work).

Given the above, setting the option will likely cause more harm than good.

[Jeffrey Walton]

Given the above, setting the option will likely cause more harm than good.

Apple has already done that with their broken implementation. ;)