diff options
| author | Rob Stradling <rob@comodo.com> | 2013-09-09 10:44:29 +0100 |
|---|---|---|
| committer | Ben Laurie <ben@links.org> | 2013-09-16 14:03:21 +0100 |
| commit | 07df5018befd637a2a02ebd767969aa953200b3f (patch) | |
| tree | 9a2d95619c872122ffca125fd9f98c85535293ff /ssl/s3_lib.c | |
| parent | 1b9a59c36a547443dbefb0faed6598b3a15719c9 (diff) | |
Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
Diffstat (limited to 'ssl/s3_lib.c')
| -rw-r--r-- | ssl/s3_lib.c | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index f3acb8a96a..d70286612c 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3066,7 +3066,10 @@ void ssl3_clear(SSL *s) s->s3->tlsext_custom_types = NULL; } s->s3->tlsext_custom_types_count = 0; -#endif +#ifndef OPENSSL_NO_EC + s->s3->is_probably_safari = 0; +#endif /* OPENSSL_NO_EC */ +#endif /* OPENSSL_NO_TLSEXT */ rp = s->s3->rbuf.buf; wp = s->s3->wbuf.buf; @@ -4129,8 +4132,15 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, ii=sk_SSL_CIPHER_find(allow,c); if (ii >= 0) { - ret=sk_SSL_CIPHER_value(allow,ii); - break; + if ((alg_k & SSL_kEECDH) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari) + { + if (!ret) ret=sk_SSL_CIPHER_value(allow,ii); + } + else + { + ret=sk_SSL_CIPHER_value(allow,ii); + break; + } } } return(ret); |