On Mon, Apr 14, 2014 at 09:57:21PM +0200, Stefan Fritsch wrote: > Am Montag, 14. April 2014, 21:18:46 schrieb Philipp Kern: > > So I'd say that we should go and add ECDHE support to Apache as > > suggested and also patch OpenSSL for the OS X bug as the > > fingerprinting landed upstream and we would merely replicate > > current upstream behavior. > > OK, sounds good. > > Kurt, if the openssl patch is like [1], it would require that apache2 > is built against the updated version of openssl, due to the changed > value of SSL_OP_ALL. Can you please ping me when you have uploaded the > new package? Also, you should probably mention in the changelog that > only recompiled applications get to use the workaround.
I've just uploaded it. Debdiff is attached. Kurt
diff -Nru openssl-1.0.1e/debian/changelog openssl-1.0.1e/debian/changelog
--- openssl-1.0.1e/debian/changelog 2014-04-17 22:11:48.000000000 +0200
+++ openssl-1.0.1e/debian/changelog 2014-05-01 15:31:35.000000000 +0200
@@ -1,3 +1,12 @@
+openssl (1.0.1e-2+deb7u8) wheezy; urgency=medium
+
+ * Don't prefer ECDHE_ECDSA with some Safari versions
+ This also adds the SSL_OP_SAFARI_ECDHE_ECDSA_BUG option.
+ * Actually restart the services when restart-without-asking is set.
+ (Closes: #745801)
+
+ -- Kurt Roeckx <k...@roeckx.be> Thu, 01 May 2014 15:06:05 +0200
+
 openssl (1.0.1e-2+deb7u7) wheezy-security; urgency=high
 
 * Non-maintainer upload by the Security Team.
diff -Nru openssl-1.0.1e/debian/libssl1.0.0.postinst openssl-1.0.1e/debian/libssl1.0.0.postinst
--- openssl-1.0.1e/debian/libssl1.0.0.postinst 2014-04-16 22:59:01.000000000 +0200
+++ openssl-1.0.1e/debian/libssl1.0.0.postinst 2014-05-01 15:30:16.000000000 +0200
@@ -171,6 +171,8 @@
 else
 answer=no
 fi
+ else
+ answer=yes
 fi
 echo
 if [ "$answer" = yes ] && [ "$services" != "" ]; then
diff -Nru openssl-1.0.1e/debian/patches/ECDHE-ECDSA_Safari.patch openssl-1.0.1e/debian/patches/ECDHE-ECDSA_Safari.patch
--- openssl-1.0.1e/debian/patches/ECDHE-ECDSA_Safari.patch 1970-01-01 01:00:00.000000000 +0100
+++ openssl-1.0.1e/debian/patches/ECDHE-ECDSA_Safari.patch 2014-05-01 15:52:28.000000000 +0200
@@ -0,0 +1,194 @@
+From: Rob Stradling <r...@comodo.com>
+Date: Thu, 5 Sep 2013 13:09:03 +0100
+Subject: [PATCH] Don't prefer ECDHE-ECDSA ciphers when the client appears to
+ be Safari on OS X. OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA
+ ciphers.
+Origin: upstream, commit:4b61f6d2a675fdb57dc93991e7b332a745b44d1f, commit:937f125efc80d7a4e80a5a02ec0eae02ea0b55ac, commit:f4a51970d245a61e991a0c2e196853e81a1a6c53
+
+
+diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
+index cc588f3..fded060 100644
+--- a/doc/ssl/SSL_CTX_set_options.pod
++++ b/doc/ssl/SSL_CTX_set_options.pod
+@@ -88,9 +88,10 @@ As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect.
+ 
+ ...
+ 
+-=item SSL_OP_MSIE_SSLV2_RSA_PADDING
++=item SSL_OP_SAFARI_ECDHE_ECDSA_BUG
+ 
+-As of OpenSSL 0.9.7h and 0.9.8a, this option has no effect.
++Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
++OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
+ 
+ =item SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+ 
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
+index e7c5dcb..c2428f4 100644
+--- a/ssl/s3_lib.c
++++ b/ssl/s3_lib.c
+@@ -3037,6 +3037,11 @@ void ssl3_clear(SSL *s)
+ s->s3->tmp.ecdh = NULL;
+ }
+ #endif
++#ifndef OPENSSL_NO_TLSEXT
++#ifndef OPENSSL_NO_EC
++ s->s3->is_probably_safari = 0;
++#endif /* OPENSSL_NO_EC */
++#endif /* OPENSSL_NO_TLSEXT */
+ 
+ rp = s->s3->rbuf.buf;
+ wp = s->s3->wbuf.buf;
+@@ -4016,6 +4021,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
+ ii=sk_SSL_CIPHER_find(allow,c);
+ if (ii >= 0)
+ {
++#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT)
++ if ((alg_k & SSL_kEECDH) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari)
++ {
++ if (!ret) ret=sk_SSL_CIPHER_value(allow,ii);
++ continue;
++ }
++#endif
+ ret=sk_SSL_CIPHER_value(allow,ii);
+ break;
+ }
+diff --git a/ssl/ssl.h b/ssl/ssl.h
+index 593579e..c48990e 100644
+--- a/ssl/ssl.h
++++ b/ssl/ssl.h
+@@ -555,7 +555,7 @@ struct ssl_session_st
+ #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
+ #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
+ #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
+-#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */
++#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L
+ #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
+ #define SSL_OP_TLS_D5_BUG 0x00000100L
+ #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L
+diff --git a/ssl/ssl3.h b/ssl/ssl3.h
+index 247e88c..208b392 100644
+--- a/ssl/ssl3.h
++++ b/ssl/ssl3.h
+@@ -539,6 +539,15 @@ typedef struct ssl3_state_st
+ /* Set if we saw the Next Protocol Negotiation extension from our peer. */
+ int next_proto_neg_seen;
+ #endif
++
++#ifndef OPENSSL_NO_TLSEXT
++#ifndef OPENSSL_NO_EC
++ /* This is set to true if we believe that this is a version of Safari
++ * running on OS X 10.6 or newer. We wish to know this because Safari
++ * on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */
++ char is_probably_safari;
++#endif /* OPENSSL_NO_EC */
++#endif /* OPENSSL_NO_TLSEXT */
+ } SSL3_STATE;
+ 
+ #endif
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index e08088c..f671d1d 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -866,6 +866,89 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
+ return ret;
+ }
+ 
++#ifndef OPENSSL_NO_EC
++/* ssl_check_for_safari attempts to fingerprint Safari using OS X
++ * SecureTransport using the TLS extension block in |d|, of length |n|.
++ * Safari, since 10.6, sends exactly these extensions, in this order:
++ * SNI,
++ * elliptic_curves
++ * ec_point_formats
++ *
++ * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
++ * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
++ * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
++ * 10.8..10.8.3 (which don't work).
++ */
++static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
++ unsigned short type, size;
++ static const unsigned char kSafariExtensionsBlock[] = {
++ 0x00, 0x0a, /* elliptic_curves extension */
++ 0x00, 0x08, /* 8 bytes */
++ 0x00, 0x06, /* 6 bytes of curve ids */
++ 0x00, 0x17, /* P-256 */
++ 0x00, 0x18, /* P-384 */
++ 0x00, 0x19, /* P-521 */
++
++ 0x00, 0x0b, /* ec_point_formats */
++ 0x00, 0x02, /* 2 bytes */
++ 0x01, /* 1 point format */
++ 0x00, /* uncompressed */
++ };
++
++ /* The following is only present in TLS 1.2 */
++ static const unsigned char kSafariTLS12ExtensionsBlock[] = {
++ 0x00, 0x0d, /* signature_algorithms */
++ 0x00, 0x0c, /* 12 bytes */
++ 0x00, 0x0a, /* 10 bytes */
++ 0x05, 0x01, /* SHA-384/RSA */
++ 0x04, 0x01, /* SHA-256/RSA */
++ 0x02, 0x01, /* SHA-1/RSA */
++ 0x04, 0x03, /* SHA-256/ECDSA */
++ 0x02, 0x03, /* SHA-1/ECDSA */
++ };
++
++ if (data >= (d+n-2))
++ return;
++ data += 2;
++
++ if (data > (d+n-4))
++ return;
++ n2s(data,type);
++ n2s(data,size);
++
++ if (type != TLSEXT_TYPE_server_name)
++ return;
++
++ if (data+size > d+n)
++ return;
++ data += size;
++
++ if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
++ {
++ const size_t len1 = sizeof(kSafariExtensionsBlock);
++ const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
++
++ if (data + len1 + len2 != d+n)
++ return;
++ if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
++ return;
++ if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
++ return;
++ }
++ else
++ {
++ const size_t len = sizeof(kSafariExtensionsBlock);
++
++ if (data + len != d+n)
++ return;
++ if (memcmp(data, kSafariExtensionsBlock, len) != 0)
++ return;
++ }
++
++ s->s3->is_probably_safari = 1;
++}
++#endif /* OPENSSL_NO_EC */
++
+ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
+ {
+ unsigned short type;
+@@ -886,6 +969,11 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
+ SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
+ #endif
+ 
++#ifndef OPENSSL_NO_EC
++ if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
++ ssl_check_for_safari(s, data, d, n);
++#endif /* OPENSSL_NO_EC */
++
+ if (data >= (d+n-2))
+ goto ri_check;
+ n2s(data,len);
diff -Nru openssl-1.0.1e/debian/patches/series openssl-1.0.1e/debian/patches/series
--- openssl-1.0.1e/debian/patches/series 2014-04-17 22:05:46.000000000 +0200
+++ openssl-1.0.1e/debian/patches/series 2014-05-01 15:02:11.000000000 +0200
@@ -46,3 +46,4 @@
 CVE-2010-5298.patch
 CVE-2014-XXXX-Extension-checking-fixes.patch
 CVE-2014-0076.patch
+ECDHE-ECDSA_Safari.patch
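Review bot: The bounds checks in ssl_check_for_safari (first t1_lib.c hunk) are written as pointer comparisons that form out-of-range pointers: `data+size > d+n` adds the client-supplied 16-bit `size` to `data` before comparing, and `d+n-2`/`d+n-4` lie before `d` when `n` is smaller than 2 or 4, which is undefined behaviour in C even though every memcmp that follows is only reached after an exact `data + len != d+n` equality check, so no out-of-bounds read appears reachable. Comparing lengths instead of pointers avoids forming the pointer at all, e.g. replace the `data+size > d+n` test with `if (size > (size_t)(d + n - data)) return;`, which is valid there because the preceding `data > (d+n-4)` check leaves `data` at most `d+n` after the two n2s reads. Separately, the ssl.h hunk gives SSL_OP_SAFARI_ECDHE_ECDSA_BUG the bit value 0x00000040L of the former no-op SSL_OP_MSIE_SSLV2_RSA_PADDING; if that bit is included in SSL_OP_ALL (not visible in this diff), applications already built with SSL_OP_ALL will get the fingerprinting and ECDHE-ECDSA demotion without a rebuild, which contradicts the "only recompiled applications" wording discussed in the thread and should be settled in the changelog entry either way. Since the flag is only ever set at `s->s3->is_probably_safari = 1;` and only cleared in ssl3_clear, it presumably also stays set across a renegotiation whose ClientHello no longer matches the fingerprint; a one-line comment at that assignment stating that the flag is sticky for the lifetime of the connection would make that intent explicit.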