#462 closed defect (wontfix)
Server: OpenSSL Safari Workaround (SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
| Reported by: | Jeffrey Walton | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-core | Version: | |
| Keywords: | openssl safari SSL_OP_SAFARI_ECDHE_ECDSA_BUG server | Cc: | |

uname -a:

```
$ uname -a
Darwin riemann.home.pvt 12.5.0 Darwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64 x86_64
```

nginx -V:

```
$ objs/nginx -V
nginx version: nginx/1.4.4
configure arguments:
```
Description
It appears there is an opportunity for improvement in the server for Safari clients when using OpenSSL. From ngx_event_openssl.c, around line 185:
```c
/* server side options */
SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
...
```
It might be helpful to add SSL_OP_SAFARI_ECDHE_ECDSA_BUG:
```c
#if !defined(SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
# define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000400L
#endif
SSL_CTX_set_options(ssl->ctx, SSL_OP_SAFARI_ECDHE_ECDSA_BUG);
```
SSL_OP_SAFARI_ECDHE_ECDSA_BUG was a recent check-in. http://openssl.6102.n7.nabble.com/openssl-org-3068-PATCH-Safari-broken-ECDHE-ECDSA-workaround-td45432.html.
Change History (2)

comment:1 by , 11 years ago

| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |

It's not yet available in any released version of OpenSSL, and already obsolete by several OS X releases with the problem fixed. See https://www.adium.im/sparkle/ to get an idea of the market share of affected versions; it's already below 1% of OS X installations. That is, even now applying the workaround doesn't really make sense.

Moreover, the workaround applied seems to affect versions without the problem, according to the comments in the OpenSSL code:

Given the above, setting the option will likely cause more harm than good.

comment:2 by , 11 years ago

Apple has already done that with their broken implementation. ;)