generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.

Browse Source 
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
This commit is contained in:
Rob Stradling
2013-09-09 14:13:59 +01:00
parent 56023bc405
commit 6f1c8d45f7
5 changed files with 114 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
ssl/s3_lib.c
View File

@@ -2211,6 +2211,11 @@ void ssl3_clear(SSL *s)
s->s3->tmp.ecdh = NULL;
}
#endif
#ifndef OPENSSL_NO_TLSEXT
#ifndef OPENSSL_NO_EC
s->s3->is_probably_safari = 0;
#endif /* OPENSSL_NO_EC */
#endif /* OPENSSL_NO_TLSEXT */
rp = s->s3->rbuf.buf;
wp = s->s3->wbuf.buf;
@@ -3083,6 +3088,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
ii=sk_SSL_CIPHER_find(allow,c);
if (ii >= 0)
{
#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT)
if ((alg_k & SSL_kEECDH) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari)
{
if (!ret) ret=sk_SSL_CIPHER_value(allow,ii);
continue;
}
#endif
ret=sk_SSL_CIPHER_value(allow,ii);
break;
}