Re: Apple are, apparently, dicks...

2013-06-18 Thread Rob Stradling
On 14/06/13 14:16, Ben Laurie wrote: On 14 June 2013 14:08, Rob Stradling rob.stradl...@comodo.com wrote: snip Apparently the ECDHE-ECDSA bug is in SecureTransport, which is an integral component of OSX.

Re: Apple are, apparently, dicks...

2013-06-15 Thread Rob Stradling
On 14/06/13 15:25, Florian Weimer wrote: On 06/14/2013 03:31 PM, Dr. Stephen Henson wrote: Note that the patch changes the value of SSL_OP_ALL so if OpenSSL shared libraries are updated to include the patch existing applications wont set it: they'd all need to be recompiled. That's a valid

Apple are, apparently, dicks...

2013-06-14 Thread Ben Laurie
...and don't intend to fix their broken ECDSA support in Safari. It is therefore suggested that I pull this patch: https://github.com/agl/openssl/commit/0d26cc5b32c23682244685975c1e9392244c0a4d What do people think? __ OpenSSL

Re: Apple are, apparently, dicks...

2013-06-14 Thread Bodo Moeller
On Thu, Jun 13, 2013 at 6:39 PM, Ben Laurie b...@links.org wrote: It is therefore suggested that I pull this patch: https://github.com/agl/openssl/commit/0d26cc5b32c23682244685975c1e9392244c0a4d The behavior change applies only if new option SSL_OP_SAFARI_ECDHE_ECDSA_BUG is used (part of

Re: Apple are, apparently, dicks...

2013-06-14 Thread Rob Stradling
On 13/06/13 17:39, Ben Laurie wrote: ...and don't intend to fix their broken ECDSA support in Safari. Ben, you've got your wires a bit crossed there. The ECDHE-ECDSA ciphersuites are indeed broken in Safari on OSX 10.8 to 10.8.3, but they are _fixed_ in OSX 10.8.4 (released last week). It

Re: Apple are, apparently, dicks...

2013-06-14 Thread Ben Laurie
On 14 June 2013 09:39, Rob Stradling rob.stradl...@comodo.com wrote: On 13/06/13 17:39, Ben Laurie wrote: ...and don't intend to fix their broken ECDSA support in Safari. Ben, you've got your wires a bit crossed there. The ECDHE-ECDSA ciphersuites are indeed broken in Safari on OSX 10.8 to

Re: Apple are, apparently, dicks...

2013-06-14 Thread Rob Stradling
On 14/06/13 10:20, Ben Laurie wrote: On 14 June 2013 09:39, Rob Stradling rob.stradl...@comodo.com wrote: On 13/06/13 17:39, Ben Laurie wrote: ...and don't intend to fix their broken ECDSA support in Safari. Ben, you've got your wires a bit crossed there. The ECDHE-ECDSA ciphersuites are

Re: Apple are, apparently, dicks...

2013-06-14 Thread Ben Laurie
On 14 June 2013 12:25, Rob Stradling rob.stradl...@comodo.com wrote: On 14/06/13 10:20, Ben Laurie wrote: On 14 June 2013 09:39, Rob Stradling rob.stradl...@comodo.com wrote: On 13/06/13 17:39, Ben Laurie wrote: ...and don't intend to fix their broken ECDSA support in Safari. Ben,

Re: Apple are, apparently, dicks...

2013-06-14 Thread Rob Stradling
On 14/06/13 12:31, Ben Laurie wrote: On 14 June 2013 12:25, Rob Stradling rob.stradl...@comodo.com wrote: snip Ah, so you're criticizing Apple for not being willing to force all OSX 10.8.x users to update to 10.8.4. No. If OSX 10.8.x has a mechanism that allows Apple to force updates to be

Re: Apple are, apparently, dicks...

2013-06-14 Thread Ben Laurie
On 14 June 2013 13:57, Rob Stradling rob.stradl...@comodo.com wrote: On 14/06/13 12:31, Ben Laurie wrote: On 14 June 2013 12:25, Rob Stradling rob.stradl...@comodo.com wrote: snip Ah, so you're criticizing Apple for not being willing to force all OSX 10.8.x users to update to 10.8.4.

Re: Apple are, apparently, dicks...

2013-06-14 Thread The Doctor
On Thu, Jun 13, 2013 at 05:39:36PM +0100, Ben Laurie wrote: ...and don't intend to fix their broken ECDSA support in Safari. It is therefore suggested that I pull this patch: https://github.com/agl/openssl/commit/0d26cc5b32c23682244685975c1e9392244c0a4d What do people think? No keep the

Re: Apple are, apparently, dicks...

2013-06-14 Thread Dr. Stephen Henson
On Fri, Jun 14, 2013, Bodo Moeller wrote: On Thu, Jun 13, 2013 at 6:39 PM, Ben Laurie b...@links.org wrote: It is therefore suggested that I pull this patch: https://github.com/agl/openssl/commit/0d26cc5b32c23682244685975c1e9392244c0a4d The behavior change applies only if new

Re: Apple are, apparently, dicks...

2013-06-14 Thread Florian Weimer
On 06/14/2013 03:31 PM, Dr. Stephen Henson wrote: Note that the patch changes the value of SSL_OP_ALL so if OpenSSL shared libraries are updated to include the patch existing applications wont set it: they'd all need to be recompiled. That's a valid point. Possibly alternative is to reuse

Re: Apple are, apparently, dicks...

2013-06-14 Thread Bodo Moeller
Note that the patch changes the value of SSL_OP_ALL so if OpenSSL shared libraries are updated to include the patch existing applications wont set it: they'd all need to be recompiled. That's a valid point. This is true, unfortunately. Possibly alternative is to reuse one of the

RE: Apple are, apparently, dicks...

2013-06-14 Thread Salz, Rich
Ø Hm, without any SSL_OP_... settings, the expectation generally is that we kind of sort of follow the specs Ø and don't do any weird stuff like this for interoperability's sake. If we switch semantics around for certain Ø options, the resulting inconsistencies would make all that even

Re: Apple are, apparently, dicks...

2013-06-14 Thread Rob Stradling
On 14/06/13 13:58, Ben Laurie wrote: On 14 June 2013 13:57, Rob Stradling rob.stradl...@comodo.com wrote: snip Safari's User-Agent string reveals the OSX version that it is running on. A few weeks ago I analyzed some webserver logs to get an idea of historical OSX update rates. Based on that

Re: Apple are, apparently, dicks...

2013-06-14 Thread Ben Laurie
On 14 June 2013 13:54, The Doctor doc...@doctor.nl2k.ab.ca wrote: On Thu, Jun 13, 2013 at 05:39:36PM +0100, Ben Laurie wrote: ...and don't intend to fix their broken ECDSA support in Safari. It is therefore suggested that I pull this patch:

Re: Apple are, apparently, dicks...

2013-06-14 Thread Ben Laurie
On 14 June 2013 14:08, Rob Stradling rob.stradl...@comodo.com wrote: On 14/06/13 13:58, Ben Laurie wrote: On 14 June 2013 13:57, Rob Stradling rob.stradl...@comodo.com wrote: snip Safari's User-Agent string reveals the OSX version that it is running on. A few weeks ago I analyzed some

Re: Apple are, apparently, dicks...

2013-06-14 Thread Rob Stradling
On 14/06/13 13:54, The Doctor wrote: On Thu, Jun 13, 2013 at 05:39:36PM +0100, Ben Laurie wrote: ...and don't intend to fix their broken ECDSA support in Safari. It is therefore suggested that I pull this patch: https://github.com/agl/openssl/commit/0d26cc5b32c23682244685975c1e9392244c0a4d

Re: Apple are, apparently, dicks...

2013-06-14 Thread Rob Stradling
On 14/06/13 14:31, Dr. Stephen Henson wrote: snip The behavior change applies only if new option SSL_OP_SAFARI_ECDHE_ECDSA_BUG is used (part of SSL_OP_ALL), as is standard for interoperability bug workarounds, so while it is very unfortunate that we'd need to do this, I'm in favor of accepting

Re: Apple are, apparently, dicks...

2013-06-14 Thread Ben Laurie
On 14 June 2013 16:10, Bodo Moeller bmoel...@acm.org wrote: Note that the patch changes the value of SSL_OP_ALL so if OpenSSL shared libraries are updated to include the patch existing applications wont set it: they'd all need to be recompiled. That's a valid point. This is true,