authorRob Stradling <rob@comodo.com>2013-09-10 12:41:37 +0100
committerBen Laurie <ben@links.org>2013-10-04 14:55:01 +0100
commitcadbbd51c8b4e66515cd3e97754cfeda606c7b15 (patch)
tree165cd1176ebe93d514137a88d8db236cb2051f98 /ssl/s3_lib.c
parentff7b021040807132b86720c5c95664c28d0cf342 (diff)
Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
Diffstat (limited to 'ssl/s3_lib.c')
-rw-r--r--ssl/s3_lib.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index a40621822b..bdfb26db20 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1734,6 +1734,11 @@ void ssl3_clear(SSL *s)
s->s3->tmp.ecdh = NULL;
}
#endif
+#ifndef OPENSSL_NO_TLSEXT
+#ifndef OPENSSL_NO_EC
+ s->s3->is_probably_safari = 0;
+#endif /* OPENSSL_NO_EC */
+#endif /* OPENSSL_NO_TLSEXT */
rp = s->s3->rbuf.buf;
wp = s->s3->wbuf.buf;
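Review bot: The guard around the `is_probably_safari` reset in ssl3_clear is written as two nested `#ifndef` blocks, while the same condition in ssl3_choose_cipher later in this diff is a single `#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT)`. Using one form in both places makes it easier to confirm that the field is reset and read under exactly the same build configuration. The field's declaration is not part of this file section, so its guard should be checked against these two as well. ssl3_clear's body starts before and continues after the hunk.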
@@ -2398,6 +2403,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
j=sk_SSL_CIPHER_find(allow,c);
if (j >= 0)
{
+#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT)
+ if ((alg_k & SSL_kEECDH) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari)
+ {
+ if (!ret) ret=sk_SSL_CIPHER_value(allow,j);
+ continue;
+ }
+#endif
ret=sk_SSL_CIPHER_value(allow,j);
break;
}
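Review bot: The new branch inside `if (j >= 0)` changes the server's cipher preference based on `s->s3->is_probably_safari`, a guess derived from client-supplied handshake data, and the hunk carries no comment saying so and shows no operator switch for it. Any client whose hello matches the heuristic gets ECDHE-ECDSA demoted to a last resort, so the negotiated suite falls to the next acceptable entry in the list; where the flag is set lies outside this file section, so whether it is gated by an option cannot be confirmed here. I would add a comment above the `#if`, e.g. `/* Safari on OS X 10.8..10.8.3 mishandles ECDHE-ECDSA: remember the first such match only as a fallback and keep looking for another suite. */`, and state that `if (!ret)` relies on `ret` being NULL on loop entry. ssl3_choose_cipher starts and ends outside the hunk.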