Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
authorRob Stradling <rob@comodo.com>
Tue, 10 Sep 2013 11:41:37 +0000 (12:41 +0100)
committerBen Laurie <ben@links.org>
Fri, 4 Oct 2013 13:55:01 +0000 (14:55 +0100)
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.

doc/ssl/SSL_CTX_set_options.pod
ssl/s3_lib.c
ssl/ssl.h
ssl/ssl3.h
ssl/t1_lib.c

index a703ce0b8860e860b5565a3346e20227c42df46a..e1899ee0c1edb9541fecd4c441743c09763ba8be 100644 (file)
@@ -88,9 +88,10 @@ As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect.
 
 ...
 
-=item SSL_OP_MSIE_SSLV2_RSA_PADDING
+=item SSL_OP_SAFARI_ECDHE_ECDSA_BUG
 
-As of OpenSSL 0.9.7h and 0.9.8a, this option has no effect.
+Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
+OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
 
 =item SSL_OP_SSLEAY_080_CLIENT_DH_BUG
 
index a40621822b37dd7010ca724b7da839e72e5cfe62..bdfb26db20bea0b2827ca7f1c2532ac4d897e316 100644 (file)
@@ -1734,6 +1734,11 @@ void ssl3_clear(SSL *s)
                s->s3->tmp.ecdh = NULL;
                }
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+#ifndef OPENSSL_NO_EC
+       s->s3->is_probably_safari = 0;
+#endif /* OPENSSL_NO_EC */
+#endif /* OPENSSL_NO_TLSEXT */
 
        rp = s->s3->rbuf.buf;
        wp = s->s3->wbuf.buf;
@@ -2398,6 +2403,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                j=sk_SSL_CIPHER_find(allow,c);
                if (j >= 0)
                        {
+#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT)
+                       if ((alg_k & SSL_kEECDH) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari)
+                               {
+                               if (!ret) ret=sk_SSL_CIPHER_value(allow,j);
+                               continue;
+                               }
+#endif
                        ret=sk_SSL_CIPHER_value(allow,j);
                        break;
                        }
index d6bbc449ddf4482405c740bce198687f4a708551..2e6ddc728c04ea245528d17ab21a1bed136ebd10 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -490,7 +490,7 @@ typedef struct ssl_session_st
 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG                0x00000008L
 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG             0x00000010L
 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER              0x00000020L
-#define SSL_OP_MSIE_SSLV2_RSA_PADDING                  0x00000040L /* no effect since 0.9.7h and 0.9.8b */
+#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG                  0x00000040L
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG                        0x00000080L
 #define SSL_OP_TLS_D5_BUG                              0x00000100L
 #define SSL_OP_TLS_BLOCK_PADDING_BUG                   0x00000200L
index b9a85effa0058b1ad7b84e7ae7193057a8c4e372..4cc063821a5ccd9afa077e3e7fcd38a3b7a97d50 100644 (file)
@@ -460,6 +460,16 @@ typedef struct ssl3_state_st
         unsigned char previous_server_finished[EVP_MAX_MD_SIZE];
         unsigned char previous_server_finished_len;
         int send_connection_binding; /* TODOEKR */
+
+#ifndef OPENSSL_NO_TLSEXT
+#ifndef OPENSSL_NO_EC
+       /* This is set to true if we believe that this is a version of Safari
+        * running on OS X 10.6 or newer. We wish to know this because Safari
+        * on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */
+       char is_probably_safari;
+#endif /* OPENSSL_NO_EC */
+#endif /* OPENSSL_NO_TLSEXT */
+
        } SSL3_STATE;
 
 
index d56456e14dfdd26c057c81d1f37a2c330eb585c3..621b214b7b0e5efaee83b29956186c233dee72c7 100644 (file)
@@ -344,6 +344,89 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
        return ret;
        }
 
+#ifndef OPENSSL_NO_EC
+/* ssl_check_for_safari attempts to fingerprint Safari using OS X
+ * SecureTransport using the TLS extension block in |d|, of length |n|.
+ * Safari, since 10.6, sends exactly these extensions, in this order:
+ *   SNI,
+ *   elliptic_curves
+ *   ec_point_formats
+ *
+ * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
+ * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
+ * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
+ * 10.8..10.8.3 (which don't work).
+ */
+static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
+       unsigned short type, size;
+       static const unsigned char kSafariExtensionsBlock[] = {
+               0x00, 0x0a,  /* elliptic_curves extension */
+               0x00, 0x08,  /* 8 bytes */
+               0x00, 0x06,  /* 6 bytes of curve ids */
+               0x00, 0x17,  /* P-256 */
+               0x00, 0x18,  /* P-384 */
+               0x00, 0x19,  /* P-521 */
+
+               0x00, 0x0b,  /* ec_point_formats */
+               0x00, 0x02,  /* 2 bytes */
+               0x01,        /* 1 point format */
+               0x00,        /* uncompressed */
+       };
+
+       /* The following is only present in TLS 1.2 */
+       static const unsigned char kSafariTLS12ExtensionsBlock[] = {
+               0x00, 0x0d,  /* signature_algorithms */
+               0x00, 0x0c,  /* 12 bytes */
+               0x00, 0x0a,  /* 10 bytes */
+               0x05, 0x01,  /* SHA-384/RSA */
+               0x04, 0x01,  /* SHA-256/RSA */
+               0x02, 0x01,  /* SHA-1/RSA */
+               0x04, 0x03,  /* SHA-256/ECDSA */
+               0x02, 0x03,  /* SHA-1/ECDSA */
+       };
+
+       if (data >= (d+n-2))
+               return;
+       data += 2;
+
+       if (data > (d+n-4))
+               return;
+       n2s(data,type);
+       n2s(data,size);
+
+       if (type != TLSEXT_TYPE_server_name)
+               return;
+
+       if (data+size > d+n)
+               return;
+       data += size;
+
+       if (TLS1_get_version(s) >= TLS1_2_VERSION)
+               {
+               const size_t len1 = sizeof(kSafariExtensionsBlock);
+               const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
+
+               if (data + len1 + len2 != d+n)
+                       return;
+               if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
+                       return;
+               if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
+                       return;
+               }
+       else
+               {
+               const size_t len = sizeof(kSafariExtensionsBlock);
+
+               if (data + len != d+n)
+                       return;
+               if (memcmp(data, kSafariExtensionsBlock, len) != 0)
+                       return;
+               }
+
+       s->s3->is_probably_safari = 1;
+}
+#endif /* OPENSSL_NO_EC */
+
 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
        {
        unsigned short type;
@@ -355,6 +438,11 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
        s->servername_done = 0;
        s->tlsext_status_type = -1;
 
+#ifndef OPENSSL_NO_EC
+       if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
+               ssl_check_for_safari(s, data, d, n);
+#endif /* OPENSSL_NO_EC */
+
        if (data >= (d+n-2))
                goto ri_check;