On 14/06/13 10:20, Ben Laurie wrote:
On 14 June 2013 09:39, Rob Stradling <rob.stradl...@comodo.com> wrote:
On 13/06/13 17:39, Ben Laurie wrote:

...and don't intend to fix their broken ECDSA support in Safari.

Ben, you've got your wires a bit crossed there.

The ECDHE-ECDSA ciphersuites are indeed broken in Safari on OSX 10.8 to
10.8.3, but they are _fixed_ in OSX 10.8.4 (released last week).

It is therefore suggested that I pull this patch:

https://github.com/agl/openssl/commit/0d26cc5b32c23682244685975c1e9392244c0a4d

What do people think?

The unfortunate reality is that significant numbers of OSX 10.8.x users
won't upgrade to 10.8.4 anytime soon, even though the upgrade is free and
easy to install.

Precisely my point - so how were my wires crossed?

Ah, so you're criticizing Apple for not being willing to force all OSX 10.8.x users to update to 10.8.4.

If OSX 10.8.x has a mechanism that allows Apple to force updates to be installed, then I agree. But my suspicion is that it doesn't, and if so, Apple's willingness isn't the key issue here.

No server administrator will want to deploy ECDHE-ECDSA if it means breaking
compatibility with even a small fraction of deployed browsers.  Hence why
this patch is, unfortunately, necessary.

What is _necessary_ is that Apple accept responsibility for their errors :-)

Agreed.

Sadly, the OSX 10.8.4 changelog doesn't even mention the ECDHE-ECDSA bugfix.

Why are we chasing after them cleaning up their messes?

Because we want ECDHE-ECDSA to be deployable.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to