On 14 June 2013 12:25, Rob Stradling <rob.stradl...@comodo.com> wrote:
> On 14/06/13 10:20, Ben Laurie wrote:
>>
>> On 14 June 2013 09:39, Rob Stradling <rob.stradl...@comodo.com> wrote:
>>>
>>> On 13/06/13 17:39, Ben Laurie wrote:
>>>>
>>>>
>>>> ...and don't intend to fix their broken ECDSA support in Safari.
>>>
>>>
>>> Ben, you've got your wires a bit crossed there.
>>>
>>> The ECDHE-ECDSA ciphersuites are indeed broken in Safari on OSX 10.8 to
>>> 10.8.3, but they are _fixed_ in OSX 10.8.4 (released last week).
>>>
>>>> It is therefore suggested that I pull this patch:
>>>>
>>>>
>>>> https://github.com/agl/openssl/commit/0d26cc5b32c23682244685975c1e9392244c0a4d
>>>>
>>>> What do people think?
>>>
>>>
>>> The unfortunate reality is that significant numbers of OSX 10.8.x users
>>> won't upgrade to 10.8.4 anytime soon, even though the upgrade is free and
>>> easy to install.
>>
>>
>> Precisely my point - so how were my wires crossed?
>
>
> Ah, so you're criticizing Apple for not being willing to force all OSX
> 10.8.x users to update to 10.8.4.

No.

> If OSX 10.8.x has a mechanism that allows Apple to force updates to be
> installed, then I agree.  But my suspicion is that it doesn't, and if so,
> Apple's willingness isn't the key issue here.

It has a mechanism to nag you endlessly until you do install updates.
Which makes me wonder why you think people won't install the OS
update?

>
>
>>> No server administrator will want to deploy ECDHE-ECDSA if it means
>>> breaking
>>> compatibility with even a small fraction of deployed browsers.  Hence why
>>> this patch is, unfortunately, necessary.
>>
>>
>> What is _necessary_ is that Apple accept responsibility for their errors
>> :-)
>
>
> Agreed.
>
> Sadly, the OSX 10.8.4 changelog doesn't even mention the ECDHE-ECDSA bugfix.
>
>
>> Why are we chasing after them cleaning up their messes?
>
>
> Because we want ECDHE-ECDSA to be deployable.
>
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
