Re: Questions on SSL_OP_SAFARI_ECDHE_ECDSA_BUG

2013-12-11 Thread Jeffrey Walton
On Tue, Dec 10, 2013 at 7:06 AM, Rob Stradling rob.stradl...@comodo.com wrote:
 On 09/12/13 23:34, Jeffrey Walton wrote:

 Reference:
 http://openssl.6102.n7.nabble.com/openssl-org-3068-PATCH-Safari-broken-ECDHE-ECDSA-workaround-td45432.html
 and
 http://openssl.6102.n7.nabble.com/Apple-are-apparently-dicks-td45512.html.

 ...
 If I can't wait for the patch in future stable releases (or don't want
 to use SSL_OP_SAFARI_ECDHE_ECDSA_BUG), what are the other options? Can
 I use a cipher_list to work around this? For example, can I prefer RSA
 and DSS ciphers over ECDSA:

 const char* const PREFERRED_CIPHERS =

   /* TLS 1.2 only */
   "ECDHE-RSA-AES256-GCM-SHA384:"
   "ECDHE-RSA-AES128-GCM-SHA256:"

   /* TLS 1.2 only */
   "DHE-DSS-AES256-GCM-SHA384:"
   "DHE-RSA-AES256-GCM-SHA384:"
   "DHE-DSS-AES128-GCM-SHA256:"
   "DHE-RSA-AES128-GCM-SHA256:"

   /* TLS 1.2, see SSL_OP_SAFARI_ECDHE_ECDSA_BUG */
   "ECDHE-ECDSA-AES256-GCM-SHA384:"
   "ECDHE-ECDSA-AES128-GCM-SHA256:";


 The broken versions of Safari/OSX don't support GCM (or DSS, I think), so
 enabling and even preferring ECDHE-ECDSA-AES256-GCM-SHA384 and
 ECDHE-ECDSA-AES128-GCM-SHA256 on your server shouldn't cause any problems.

 If you can't wait for the patch, or don't want to use it, here are two
 workarounds that I think should work...

 1. Ensure that these 4 ciphers are all disabled on your server (since these
 are the only ciphers that are affected by the Safari/OSX bug):
 ECDHE-ECDSA-AES256-SHA
 ECDHE-ECDSA-AES128-SHA
 ECDHE-ECDSA-RC4-SHA
 ECDHE-ECDSA-DES-CBC3-SHA

 or

 2. If you want to enable 1 or more of those 4 ECDHE-ECDSA ciphers, ensure
 that your server prefers at least 1 of the following ciphers (that
 Safari/OSX also offers) ahead of them:
 ECDH-RSA-AES128-SHA
 ECDH-RSA-AES256-SHA
 ECDH-RSA-RC4-SHA
 ECDH-RSA-DES-CBC3-SHA
 ECDHE-RSA-AES256-SHA
 ECDHE-RSA-AES128-SHA
 ECDHE-RSA-RC4-SHA
 ECDHE-RSA-DES-CBC3-SHA
 AES128-SHA
 RC4-SHA
 RC4-MD5
 AES256-SHA
 DES-CBC3-SHA
 DHE-RSA-AES128-SHA
 DHE-RSA-AES256-SHA
 EDH-RSA-DES-CBC3-SHA

 (Obviously you'll need 2 server certificates, one with an RSA key and one
 with an ECC key).

Perfect, thanks.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: Questions on SSL_OP_SAFARI_ECDHE_ECDSA_BUG

2013-12-10 Thread Rob Stradling

On 09/12/13 23:34, Jeffrey Walton wrote:

Reference: 
http://openssl.6102.n7.nabble.com/openssl-org-3068-PATCH-Safari-broken-ECDHE-ECDSA-workaround-td45432.html
and http://openssl.6102.n7.nabble.com/Apple-are-apparently-dicks-td45512.html.

BL  ...and don't intend to fix their broken ECDSA support in Safari.
Apple really needs to fix their engineering process and broken
implementation. (And hire some QA personnel while they are at it...
This is something their lawyers can't fix with a change to their
license agreements).

Will the patch be applied to 0.9.8 and 1.0.1 branches?


It has been applied on those branches already.

http://git.openssl.org/gitweb/?p=openssl.git;a=shortlog;h=refs/heads/OpenSSL_0_9_8-stable
Committed on 2013-10-04.

http://git.openssl.org/gitweb/?p=openssl.git;a=shortlog;h=refs/heads/OpenSSL_1_0_0-stable
Committed on 2013-09-10.

http://git.openssl.org/gitweb/?p=openssl.git;a=shortlog;h=refs/heads/OpenSSL_1_0_1-stable
Committed on 2013-09-16.


If I can't wait for the patch in future stable releases (or don't want
to use SSL_OP_SAFARI_ECDHE_ECDSA_BUG), what are the other options? Can
I use a cipher_list to work around this? For example, can I prefer RSA
and DSS ciphers over ECDSA:

const char* const PREFERRED_CIPHERS =

  /* TLS 1.2 only */
  "ECDHE-RSA-AES256-GCM-SHA384:"
  "ECDHE-RSA-AES128-GCM-SHA256:"

  /* TLS 1.2 only */
  "DHE-DSS-AES256-GCM-SHA384:"
  "DHE-RSA-AES256-GCM-SHA384:"
  "DHE-DSS-AES128-GCM-SHA256:"
  "DHE-RSA-AES128-GCM-SHA256:"

  /* TLS 1.2, see SSL_OP_SAFARI_ECDHE_ECDSA_BUG */
  "ECDHE-ECDSA-AES256-GCM-SHA384:"
  "ECDHE-ECDSA-AES128-GCM-SHA256:";


The broken versions of Safari/OSX don't support GCM (or DSS, I think), 
so enabling and even preferring ECDHE-ECDSA-AES256-GCM-SHA384 and 
ECDHE-ECDSA-AES128-GCM-SHA256 on your server shouldn't cause any problems.


If you can't wait for the patch, or don't want to use it, here are two 
workarounds that I think should work...


1. Ensure that these 4 ciphers are all disabled on your server (since 
these are the only ciphers that are affected by the Safari/OSX bug):

ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-RC4-SHA
ECDHE-ECDSA-DES-CBC3-SHA

or

2. If you want to enable 1 or more of those 4 ECDHE-ECDSA ciphers, 
ensure that your server prefers at least 1 of the following ciphers 
(that Safari/OSX also offers) ahead of them:

ECDH-RSA-AES128-SHA
ECDH-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
ECDH-RSA-DES-CBC3-SHA
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-RC4-SHA
ECDHE-RSA-DES-CBC3-SHA
AES128-SHA
RC4-SHA
RC4-MD5
AES256-SHA
DES-CBC3-SHA
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
EDH-RSA-DES-CBC3-SHA

(Obviously you'll need 2 server certificates, one with an RSA key and 
one with an ECC key).


--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
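A way to check a server's cipher string against Rob's two workarounds, as an added example that is not code from the thread or from OpenSSL: it expands the string with Python's ssl module on top of whatever OpenSSL is installed locally, and the cipher strings GCM_PREFERRED, WORKAROUND_1 and WORKAROUND_2 are constructed here for illustration (WORKAROUND_2 keeps ECDHE-ECDSA-AES256-SHA but orders ECDHE-RSA-AES256-SHA ahead of it).

```python
import ssl

# The only four suites affected by the Safari/OSX bug, per the thread.
SAFARI_AFFECTED = (
    "ECDHE-ECDSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-ECDSA-RC4-SHA", "ECDHE-ECDSA-DES-CBC3-SHA",
)
# Suites the thread says broken Safari/OSX also offers; any one of them
# ordered ahead of the affected suites satisfies workaround 2.
SAFARI_OFFERED = (
    "ECDH-RSA-AES128-SHA", "ECDH-RSA-AES256-SHA", "ECDH-RSA-RC4-SHA",
    "ECDH-RSA-DES-CBC3-SHA", "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-RC4-SHA", "ECDHE-RSA-DES-CBC3-SHA", "AES128-SHA", "RC4-SHA",
    "RC4-MD5", "AES256-SHA", "DES-CBC3-SHA", "DHE-RSA-AES128-SHA",
    "DHE-RSA-AES256-SHA", "EDH-RSA-DES-CBC3-SHA",
)

# Constructed cipher strings (not a recommended production list): the
# poster's GCM preference order, then one string per workaround.
GCM_PREFERRED = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256"
)
# Workaround 1: the "!" rules remove the four affected suites for good,
# so nothing appended later can re-enable them.
WORKAROUND_1 = (GCM_PREFERRED + ":ECDHE-RSA-AES256-SHA:!ECDHE-ECDSA-AES256-SHA:"
                "!ECDHE-ECDSA-AES128-SHA:!ECDHE-ECDSA-RC4-SHA:!ECDHE-ECDSA-DES-CBC3-SHA")
# Workaround 2: an affected suite stays enabled, but an RSA suite that
# Safari offers is ordered ahead of it.
WORKAROUND_2 = GCM_PREFERRED + ":ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA"

def resolve(cipher_string):
    """Expand a cipher string the way the local OpenSSL would, in order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]

def affected_enabled(cipher_string):
    """Affected suites the string still enables, in server order."""
    return [n for n in resolve(cipher_string) if n in SAFARI_AFFECTED]

def safe_for_safari(cipher_string):
    """True if workaround 1 or workaround 2 holds for this cipher string."""
    order = resolve(cipher_string)
    affected = [order.index(n) for n in SAFARI_AFFECTED if n in order]
    if not affected:
        return True                                   # workaround 1
    offered = [order.index(n) for n in SAFARI_OFFERED if n in order]
    return bool(offered) and min(offered) < min(affected)   # workaround 2
```

The workaround 2 check only matters if the server also enforces its own order (SSL_OP_CIPHER_SERVER_PREFERENCE); suites the local OpenSSL build does not provide (RC4 and 3DES on recent builds) simply never appear in the resolved list.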