Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.

OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
author: Rob Stradling <rob@comodo.com> 2013-09-09 12:52:41 +0100
committer: Ben Laurie <ben@links.org> 2013-09-16 15:07:51 +0100
commit: 4b61f6d2a675fdb57dc93991e7b332a745b44d1f (patch)
tree: 36c5a9fc29cc57f233b9bd40c4a6fd5f9c85cd74 /ssl/s3_lib.c
parent: d5bff72615bfda7ae4e7a9d7200aae60c45032cf (diff)
1 files changed, 14 insertions, 2 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index e7c5dcb809..5539d22339 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3037,6 +3037,11 @@ void ssl3_clear(SSL *s)
 		s->s3->tmp.ecdh = NULL;
 		}
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+#ifndef OPENSSL_NO_EC
+	s->s3->is_probably_safari = 0;
+#endif /* OPENSSL_NO_EC */
+#endif /* OPENSSL_NO_TLSEXT */
 
 	rp = s->s3->rbuf.buf;
 	wp = s->s3->wbuf.buf;
@@ -4016,8 +4021,15 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 		ii=sk_SSL_CIPHER_find(allow,c);
 		if (ii >= 0)
 			{
-			ret=sk_SSL_CIPHER_value(allow,ii);
-			break;
+			if ((alg_k & SSL_kEECDH) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari)
+				{
+				if (!ret) ret=sk_SSL_CIPHER_value(allow,ii);
+				}
+			else
+				{
+				ret=sk_SSL_CIPHER_value(allow,ii);
+				break;
+				}
 			}
 		}
 	return(ret);
author	Rob Stradling <rob@comodo.com>	2013-09-09 12:52:41 +0100
committer	Ben Laurie <ben@links.org>	2013-09-16 15:07:51 +0100
commit	4b61f6d2a675fdb57dc93991e7b332a745b44d1f (patch)
tree	36c5a9fc29cc57f233b9bd40c4a6fd5f9c85cd74 /ssl/s3_lib.c
parent	d5bff72615bfda7ae4e7a9d7200aae60c45032cf (diff)