On 14 June 2013 12:25, Rob Stradling <rob.stradl...@comodo.com> wrote:
> On 14/06/13 10:20, Ben Laurie wrote:
>>
>> On 14 June 2013 09:39, Rob Stradling <rob.stradl...@comodo.com> wrote:
>>>
>>> On 13/06/13 17:39, Ben Laurie wrote:
>>>>
>>>> ...and don't intend to fix their broken ECDSA support in Safari.
>>>
>>> Ben, you've got your wires a bit crossed there.
>>>
>>> The ECDHE-ECDSA ciphersuites are indeed broken in Safari on OSX 10.8 to
>>> 10.8.3, but they are _fixed_ in OSX 10.8.4 (released last week).
>>>
>>>> It is therefore suggested that I pull this patch:
>>>>
>>>> https://github.com/agl/openssl/commit/0d26cc5b32c23682244685975c1e9392244c0a4d
>>>>
>>>> What do people think?
>>>
>>> The unfortunate reality is that significant numbers of OSX 10.8.x users
>>> won't upgrade to 10.8.4 anytime soon, even though the upgrade is free and
>>> easy to install.
>>
>> Precisely my point - so how were my wires crossed?
>
> Ah, so you're criticizing Apple for not being willing to force all OSX
> 10.8.x users to update to 10.8.4.

No.

> If OSX 10.8.x has a mechanism that allows Apple to force updates to be
> installed, then I agree. But my suspicion is that it doesn't, and if so,
> Apple's willingness isn't the key issue here.

It has a mechanism to nag you endlessly until you do install updates.
Which makes me wonder why you think people won't install the OS update?

>
>>> No server administrator will want to deploy ECDHE-ECDSA if it means
>>> breaking compatibility with even a small fraction of deployed browsers.
>>> Hence why this patch is, unfortunately, necessary.
>>
>> What is _necessary_ is that Apple accept responsibility for their errors
>> :-)
>
> Agreed.
>
> Sadly, the OSX 10.8.4 changelog doesn't even mention the ECDHE-ECDSA bugfix.
>
>> Why are we chasing after them cleaning up their messes?
>
> Because we want ECDHE-ECDSA to be deployable.
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org