Reference: 
http://openssl.6102.n7.nabble.com/openssl-org-3068-PATCH-Safari-broken-ECDHE-ECDSA-workaround-td45432.html
and http://openssl.6102.n7.nabble.com/Apple-are-apparently-dicks-td45512.html.

BL > ...and don't intend to fix their broken ECDSA support in Safari.
Apple really needs to fix their engineering process and broken
implementation. (And hire some QA personnel while they are at it...
This is something their lawyers can't fix with a change to their
license agreements).

Will the patch be applied to 0.9.8 and 1.0.1 branches?

If I can't wait for the patch in future stable releases (or don't want
to use SSL_OP_SAFARI_ECDHE_ECDSA_BUG), what are the other options? Can
I use a cipher_list to work around this? For example, can I prefer RSA
and DSS ciphers over ECDSA:

  const char* const PREFERRED_CIPHERS =

    /* TLS 1.2 only */
    "ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:"

    /* TLS 1.2 only */
    "DHE-DSS-AES256-GCM-SHA384:"
    "DHE-RSA-AES256-GCM-SHA384:"
    "DHE-DSS-AES128-GCM-SHA256:"
    "DHE-RSA-AES128-GCM-SHA256:"

    /* TLS 1.2, see SSL_OP_SAFARI_ECDHE_ECDSA_BUG */
    "ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:"
    ...

Thanks in advance.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to