author | Rob Stradling <rob@comodo.com> | 2013-09-05 14:09:03 +0200 |
---|---|---|
committer | Rob Stradling <rob@comodo.com> | 2013-09-05 14:09:03 +0200 |
commit | dece3209f299ebcd82414868ee39b2c6feb3be0a (patch) | |
tree | 207eb4b4c30b76e04ac00ed3230f75438eea799c /ssl/s3_lib.c | |
parent | Document supported curve functions. (diff) | |
Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
Diffstat (limited to 'ssl/s3_lib.c')
-rw-r--r-- | ssl/s3_lib.c | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 8332512dca..68b1ada5bc 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3089,7 +3089,10 @@ void ssl3_clear(SSL *s)
 s->s3->tlsext_custom_types = NULL;
 }
 s->s3->tlsext_custom_types_count = 0;
-#endif
+#ifndef OPENSSL_NO_EC
+ s->s3->is_probably_safari = 0;
+#endif /* OPENSSL_NO_EC */
+#endif /* OPENSSL_NO_TLSEXT */
 rp = s->s3->rbuf.buf;
 wp = s->s3->wbuf.buf;
@@ -4170,8 +4173,15 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 ii=sk_SSL_CIPHER_find(allow,c);
 if (ii >= 0)
 {
- ret=sk_SSL_CIPHER_value(allow,ii);
- break;
+ if ((alg_k & SSL_kEECDH) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari)
+ {
+ if (!ret) ret=sk_SSL_CIPHER_value(allow,ii);
+ }
+ else
+ {
+ ret=sk_SSL_CIPHER_value(allow,ii);
+ break;
+ }
 }
 }
 return(ret); |
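Review bot: The new condition in ssl3_choose_cipher reads `s->s3->is_probably_safari` with no preprocessor guard, whereas the ssl3_clear hunk only touches that field inside `#ifndef OPENSSL_NO_EC`, nested in the `OPENSSL_NO_TLSEXT` block. If the field is declared under the same conditions (its declaration is not part of this file's diff), a build configured without EC or without TLS extensions would fail to compile here; putting the Safari branch under `#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT)` and keeping the plain `ret=sk_SSL_CIPHER_value(allow,ii); break;` as the unconditional path would match the reset. The branch also needs a comment saying that the flag is a heuristic about the client, and that a flagged client gets the next mutually supported suite instead of ECDHE-ECDSA, with nothing in these lines requiring that replacement to offer forward secrecy. For example: `/* Safari on OS X 10.8..10.8.3 mishandles ECDHE-ECDSA: remember the first such match only as a fallback and keep looking */`. The enclosing loop and the assignments to `alg_k` and `alg_a` lie outside the hunk.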