generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.

Browse Source 
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
This commit is contained in:
Rob Stradling
2013-09-10 12:41:37 +01:00
committed by Ben Laurie
parent ff7b021040
commit cadbbd51c8
5 changed files with 114 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
ssl/s3_lib.c
View File

@@ -1734,6 +1734,11 @@ void ssl3_clear(SSL *s)
s->s3->tmp.ecdh = NULL;
}
#endif
#ifndef OPENSSL_NO_TLSEXT
#ifndef OPENSSL_NO_EC
s->s3->is_probably_safari = 0;
#endif /* OPENSSL_NO_EC */
#endif /* OPENSSL_NO_TLSEXT */
rp = s->s3->rbuf.buf;
wp = s->s3->wbuf.buf;
@@ -2398,6 +2403,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
j=sk_SSL_CIPHER_find(allow,c);
if (j >= 0)
{
#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT)
if ((alg_k & SSL_kEECDH) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari)
{
if (!ret) ret=sk_SSL_CIPHER_value(allow,j);
continue;
}
#endif
ret=sk_SSL_CIPHER_value(allow,j);
break;
}