Questions on SSL_OP_SAFARI_ECDHE_ECDSA_BUG


Questions on SSL_OP_SAFARI_ECDHE_ECDSA_BUG

Jeffrey Walton-3
Reference: http://openssl.6102.n7.nabble.com/openssl-org-3068-PATCH-Safari-broken-ECDHE-ECDSA-workaround-td45432.html
and http://openssl.6102.n7.nabble.com/Apple-are-apparently-dicks-td45512.html.

BL > ...and don't intend to fix their broken ECDSA support in Safari.
Apple really needs to fix their engineering process and broken
implementation. (And hire some QA personnel while they are at it...
This is something their lawyers can't fix with a change to their
license agreements).

Will the patch be applied to 0.9.8 and 1.0.1 branches?

If I can't wait for the patch in future stable releases (or don't want
to use SSL_OP_SAFARI_ECDHE_ECDSA_BUG), what are the other options? Can
I use a cipher_list to work around this? For example, can I prefer RSA
and DSS ciphers over ECDSA:

  const char* const PREFERRED_CIPHERS =

    /* TLS 1.2 only */
    "ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:"

    /* TLS 1.2 only */
    "DHE-DSS-AES256-GCM-SHA384:"
    "DHE-RSA-AES256-GCM-SHA384:"
    "DHE-DSS-AES128-GCM-SHA256:"
    "DHE-RSA-AES128-GCM-SHA256:"

    /* TLS 1.2, see SSL_OP_SAFARI_ECDHE_ECDSA_BUG */
    "ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:"
    ...

Thanks in advance.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]

Re: Questions on SSL_OP_SAFARI_ECDHE_ECDSA_BUG

Rob Stradling
On 09/12/13 23:34, Jeffrey Walton wrote:

> Reference: http://openssl.6102.n7.nabble.com/openssl-org-3068-PATCH-Safari-broken-ECDHE-ECDSA-workaround-td45432.html
> and http://openssl.6102.n7.nabble.com/Apple-are-apparently-dicks-td45512.html.
>
> BL > ...and don't intend to fix their broken ECDSA support in Safari.
> Apple really needs to fix their engineering process and broken
> implementation. (And hire some QA personnel while they are at it...
> This is something their lawyers can't fix with a change to their
> license agreements).
>
> Will the patch be applied to 0.9.8 and 1.0.1 branches?

It has been applied on those branches already.

http://git.openssl.org/gitweb/?p=openssl.git;a=shortlog;h=refs/heads/OpenSSL_0_9_8-stable
Committed on 2013-10-04.

http://git.openssl.org/gitweb/?p=openssl.git;a=shortlog;h=refs/heads/OpenSSL_1_0_0-stable
Committed on 2013-09-10.

http://git.openssl.org/gitweb/?p=openssl.git;a=shortlog;h=refs/heads/OpenSSL_1_0_1-stable
Committed on 2013-09-16.

> If I can't wait for the patch in future stable releases (or don't want
> to use SSL_OP_SAFARI_ECDHE_ECDSA_BUG), what are the other options? Can
> I use a cipher_list to work around this? For example, can I prefer RSA
> and DSS ciphers over ECDSA:
>
>    const char* const PREFERRED_CIPHERS =
>
>      /* TLS 1.2 only */
>      "ECDHE-RSA-AES256-GCM-SHA384:"
>      "ECDHE-RSA-AES128-GCM-SHA256:"
>
>      /* TLS 1.2 only */
>      "DHE-DSS-AES256-GCM-SHA384:"
>      "DHE-RSA-AES256-GCM-SHA384:"
>      "DHE-DSS-AES128-GCM-SHA256:"
>      "DHE-RSA-AES128-GCM-SHA256:"
>
>      /* TLS 1.2, see SSL_OP_SAFARI_ECDHE_ECDSA_BUG */
>      "ECDHE-ECDSA-AES256-GCM-SHA384:"
>      "ECDHE-ECDSA-AES128-GCM-SHA256:"

The broken versions of Safari/OSX don't support GCM (or DSS, I think),
so enabling and even preferring ECDHE-ECDSA-AES256-GCM-SHA384 and
ECDHE-ECDSA-AES128-GCM-SHA256 on your server shouldn't cause any problems.

If you can't wait for the patch, or don't want to use it, here are two
workarounds that I think should work...

1. Ensure that these 4 ciphers are all disabled on your server (since
these are the only ciphers that are affected by the Safari/OSX bug):
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-RC4-SHA
ECDHE-ECDSA-DES-CBC3-SHA

or

2. If you want to enable 1 or more of those 4 ECDHE-ECDSA ciphers,
ensure that your server prefers at least 1 of the following ciphers
(that Safari/OSX also offers) ahead of them:
ECDH-RSA-AES128-SHA
ECDH-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
ECDH-RSA-DES-CBC3-SHA
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-RC4-SHA
ECDHE-RSA-DES-CBC3-SHA
AES128-SHA
RC4-SHA
RC4-MD5
AES256-SHA
DES-CBC3-SHA
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
EDH-RSA-DES-CBC3-SHA

(Obviously you'll need 2 server certificates, one with an RSA key and
one with an ECC key).

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
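The two workarounds above both come down to the server-preference order of an explicit cipher list: either the four affected ECDHE-ECDSA suites are absent, or one of the suites Safari/OSX also offers sits in front of the first of them. The following checker is an added example, not code from this thread or from OpenSSL; it evaluates a colon-separated cipher list string the way a server with SSL_OP_CIPHER_SERVER_PREFERENCE would order it and reports which workaround (if any) the list satisfies. It assumes the list uses literal suite names only (aliases such as HIGH or kECDHE are not expanded, so it is not a substitute for `openssl ciphers -v`), and that the suites Safari/OSX offers are exactly those Rob lists. The sample lists in main() are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SUITES 64
#define MAX_NAME   48
#define COUNT(a)   (sizeof(a) / sizeof((a)[0]))

/* The four suites Rob names as the only ones hit by the Safari/OSX bug. */
static const char *const AFFECTED[] = {
    "ECDHE-ECDSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-ECDSA-RC4-SHA",    "ECDHE-ECDSA-DES-CBC3-SHA",
};

/* Suites Safari/OSX also offers (Rob's list); any one of these placed ahead
   of the affected suites is workaround 2. Assumption: this set is complete. */
static const char *const SAFARI_OK[] = {
    "ECDH-RSA-AES128-SHA",  "ECDH-RSA-AES256-SHA",  "ECDH-RSA-RC4-SHA",
    "ECDH-RSA-DES-CBC3-SHA", "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-RC4-SHA",    "ECDHE-RSA-DES-CBC3-SHA", "AES128-SHA", "RC4-SHA",
    "RC4-MD5", "AES256-SHA", "DES-CBC3-SHA", "DHE-RSA-AES128-SHA",
    "DHE-RSA-AES256-SHA",   "EDH-RSA-DES-CBC3-SHA",
};

static int in_set(const char *name, const char *const *set, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, set[i]) == 0) return 1;
    return 0;
}

static int find(char list[][MAX_NAME], int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(list[i], name) == 0) return i;
    return -1;
}

static void erase(char list[][MAX_NAME], int *n, int idx)
{
    for (int i = idx; i + 1 < *n; i++) strcpy(list[i], list[i + 1]);
    (*n)--;
}

/* Expand an explicit cipher list into server-preference order.
   A plain token appends the suite if absent, "-" removes it, "!" removes it
   and blocks later re-adding, "+" moves it to the end of the list.
   Returns the number of suites, or -1 if a token is too long or the list
   overflows. Aliases are NOT expanded (assumption stated in the lead-in). */
int expand_cipher_list(const char *spec, char out[][MAX_NAME], int max)
{
    char banned[MAX_SUITES][MAX_NAME];
    int nban = 0, n = 0;
    const char *p = spec;

    while (*p) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char tok[MAX_NAME], op = 0;
        if (len >= MAX_NAME) return -1;
        memcpy(tok, p, len);
        tok[len] = '\0';
        p = end ? end + 1 : p + len;
        if (tok[0] == '!' || tok[0] == '-' || tok[0] == '+') {
            op = tok[0];
            memmove(tok, tok + 1, strlen(tok));   /* strip the operator */
        }
        if (tok[0] == '\0') continue;
        int idx = find(out, n, tok);
        if (op == '!') {
            if (idx >= 0) erase(out, &n, idx);
            if (nban < MAX_SUITES && find(banned, nban, tok) < 0)
                strcpy(banned[nban++], tok);
        } else if (op == '-') {
            if (idx >= 0) erase(out, &n, idx);
        } else if (op == '+') {
            if (idx >= 0) { erase(out, &n, idx); strcpy(out[n++], tok); }
        } else if (idx < 0 && find(banned, nban, tok) < 0) {
            if (n >= max) return -1;
            strcpy(out[n++], tok);
        }
    }
    return n;
}

/* 0 = broken (the first suite Safari/OSX can reach is an affected one),
   1 = workaround 1 (no affected suite enabled at all),
   2 = workaround 2 (affected suites enabled, but a Safari-supported suite
       precedes them), -1 = list could not be parsed. */
int check_safari_workaround(const char *spec)
{
    char list[MAX_SUITES][MAX_NAME];
    int n = expand_cipher_list(spec, list, MAX_SUITES), any = 0;
    if (n < 0) return -1;
    for (int i = 0; i < n; i++) any |= in_set(list[i], AFFECTED, COUNT(AFFECTED));
    if (!any) return 1;
    for (int i = 0; i < n; i++) {   /* server preference: first match wins */
        if (in_set(list[i], SAFARI_OK, COUNT(SAFARI_OK))) return 2;
        if (in_set(list[i], AFFECTED, COUNT(AFFECTED))) return 0;
    }
    return 0;
}

int main(void)
{
    const char *lists[] = {   /* constructed sample lists, not from the thread */
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA",
        "ECDHE-RSA-AES256-SHA:!ECDHE-ECDSA-AES256-SHA:!ECDHE-ECDSA-AES128-SHA:"
        "!ECDHE-ECDSA-RC4-SHA:!ECDHE-ECDSA-DES-CBC3-SHA",
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA",
    };
    for (size_t i = 0; i < COUNT(lists); i++)
        printf("%d  %s\n", check_safari_workaround(lists[i]), lists[i]);
    return 0;
}
```

The first sample list shows why Rob says the GCM suites are harmless: Safari/OSX never offers them, so the server's effective first choice is the next suite Safari does offer, here an affected ECDHE-ECDSA suite. The string that passes the check is what you would hand to SSL_CTX_set_cipher_list(), together with SSL_OP_CIPHER_SERVER_PREFERENCE so that the server's order, not the client's, decides.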

Re: Questions on SSL_OP_SAFARI_ECDHE_ECDSA_BUG

Jeffrey Walton-3
On Tue, Dec 10, 2013 at 7:06 AM, Rob Stradling <[hidden email]> wrote:

> On 09/12/13 23:34, Jeffrey Walton wrote:
>>
>> Reference:
>> http://openssl.6102.n7.nabble.com/openssl-org-3068-PATCH-Safari-broken-ECDHE-ECDSA-workaround-td45432.html
>> and
>> http://openssl.6102.n7.nabble.com/Apple-are-apparently-dicks-td45512.html.
>>
>> ...
>> If I can't wait for the patch in future stable releases (or don't want
>> to use SSL_OP_SAFARI_ECDHE_ECDSA_BUG), what are the other options? Can
>> I use a cipher_list to work around this? For example, can I prefer RSA
>> and DSS ciphers over ECDSA:
>>
>>    const char* const PREFERRED_CIPHERS =
>>
>>      /* TLS 1.2 only */
>>      "ECDHE-RSA-AES256-GCM-SHA384:"
>>      "ECDHE-RSA-AES128-GCM-SHA256:"
>>
>>      /* TLS 1.2 only */
>>      "DHE-DSS-AES256-GCM-SHA384:"
>>      "DHE-RSA-AES256-GCM-SHA384:"
>>      "DHE-DSS-AES128-GCM-SHA256:"
>>      "DHE-RSA-AES128-GCM-SHA256:"
>>
>>      /* TLS 1.2, see SSL_OP_SAFARI_ECDHE_ECDSA_BUG */
>>      "ECDHE-ECDSA-AES256-GCM-SHA384:"
>>      "ECDHE-ECDSA-AES128-GCM-SHA256:"
>
>
> The broken versions of Safari/OSX don't support GCM (or DSS, I think), so
> enabling and even preferring ECDHE-ECDSA-AES256-GCM-SHA384 and
> ECDHE-ECDSA-AES128-GCM-SHA256 on your server shouldn't cause any problems.
>
> If you can't wait for the patch, or don't want to use it, here are two
> workarounds that I think should work...
>
> 1. Ensure that these 4 ciphers are all disabled on your server (since these
> are the only ciphers that are affected by the Safari/OSX bug):
> ECDHE-ECDSA-AES256-SHA
> ECDHE-ECDSA-AES128-SHA
> ECDHE-ECDSA-RC4-SHA
> ECDHE-ECDSA-DES-CBC3-SHA
>
> or
>
> 2. If you want to enable 1 or more of those 4 ECDHE-ECDSA ciphers, ensure
> that your server prefers at least 1 of the following ciphers (that
> Safari/OSX also offers) ahead of them:
> ECDH-RSA-AES128-SHA
> ECDH-RSA-AES256-SHA
> ECDH-RSA-RC4-SHA
> ECDH-RSA-DES-CBC3-SHA
> ECDHE-RSA-AES256-SHA
> ECDHE-RSA-AES128-SHA
> ECDHE-RSA-RC4-SHA
> ECDHE-RSA-DES-CBC3-SHA
> AES128-SHA
> RC4-SHA
> RC4-MD5
> AES256-SHA
> DES-CBC3-SHA
> DHE-RSA-AES128-SHA
> DHE-RSA-AES256-SHA
> EDH-RSA-DES-CBC3-SHA
>
> (Obviously you'll need 2 server certificates, one with an RSA key and one
> with an ECC key).

Perfect, thanks.