Reference: http://openssl.6102.n7.nabble.com/openssl-org-3068-PATCH-Safari-broken-ECDHE-ECDSA-workaround-td45432.html and http://openssl.6102.n7.nabble.com/Apple-are-apparently-dicks-td45512.html.
...and don't intend to fix their broken ECDSA support in Safari.

Apple really needs to fix their engineering process and broken implementation. (And hire some QA personnel while they are at it... This is something their lawyers can't fix with a change to their license agreements).

Will the patch be applied to 0.9.8 and 1.0.1 branches?

If I can't wait for the patch in future stable releases (or don't want to use SSL_OP_SAFARI_ECDHE_ECDSA_BUG), what are the other options? Can I use a cipher_list to work around this? For example, can I prefer RSA and DSS ciphers over ECDSA:

    const char* const PREFERRED_CIPHERS =

        /* TLS 1.2 only */
        "ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-RSA-AES128-GCM-SHA256:"

        /* TLS 1.2 only */
        "DHE-DSS-AES256-GCM-SHA384:"
        "DHE-RSA-AES256-GCM-SHA384:"
        "DHE-DSS-AES128-GCM-SHA256:"
        "DHE-RSA-AES128-GCM-SHA256:"

        /* TLS 1.2, see SSL_OP_SAFARI_ECDHE_ECDSA_BUG */
        "ECDHE-ECDSA-AES256-GCM-SHA384:"
        "ECDHE-ECDSA-AES128-GCM-SHA256:"
        ...

Thanks in advance.
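Added example, not part of the original post and not OpenSSL code: a simplified C model of how list order decides the negotiated suite, showing that the ordering asked about above only matters when the server applies its own preference (OpenSSL's `SSL_OP_CIPHER_SERVER_PREFERENCE` option). The function `choose_cipher`, the client offer and the model itself are assumptions; real selection also depends on certificates and protocol version.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if the n-byte name is an entry of the colon-separated list. */
static int in_list(const char *list, const char *name, size_t n)
{
    for (const char *p = list; *p; ) {
        size_t len = strcspn(p, ":");
        if (len == n && memcmp(p, name, n) == 0) return 1;
        p += len + (p[len] == ':');   /* skip the entry and its separator */
    }
    return 0;
}

/* Simplified model (assumption): walk the preferring side's list in order and
 * take the first suite the other side also lists. server_pref models
 * SSL_OP_CIPHER_SERVER_PREFERENCE; without it the client's order wins.
 * Returns 0 and fills out on success, -1 if no suite is shared. */
int choose_cipher(const char *server, const char *client, int server_pref,
                  char *out, size_t outlen)
{
    const char *pref = server_pref ? server : client;
    const char *other = server_pref ? client : server;
    for (const char *p = pref; *p; ) {
        size_t len = strcspn(p, ":");
        if (len > 0 && len < outlen && in_list(other, p, len)) {
            memcpy(out, p, len);
            out[len] = '\0';
            return 0;
        }
        p += len + (p[len] == ':');
    }
    return -1;
}

/* Server list: the suites shown in the post, in the post's order. */
static const char SERVER_LIST[] =
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256";
/* Constructed client offer that lists ECDHE-ECDSA suites first. */
static const char CLIENT_OFFER[] =
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256";

int main(void)
{
    char buf[64];
    for (int pref = 1; pref >= 0; pref--)
        if (choose_cipher(SERVER_LIST, CLIENT_OFFER, pref, buf, sizeof buf) == 0)
            printf("server_pref=%d -> %s\n", pref, buf);
    return 0;
}
```

In this model the reordered list steers the client to an ECDHE-RSA suite only when server preference is on; otherwise the client's own first choice is selected.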