[Bug 1257877] Re: TLSv1.2 enabling tracker bug
Jeffrey Walton
noloader at gmail.com
Fri Mar 28 03:59:04 UTC 2014
> fwiw, I'm seeing issues with offlinemap and alpine seemingly as a result of this bug.
>
> offlineimap now prints errors like:
> Establishing connection to mail.brickies.net:993
> ERROR: While attempting to sync account 'ssm'
> [Errno 104] Connection reset by peer
If offlinemap is offlinemap.com (with description "OffMaps: Offline Maps
App for iPhone, iPad & iPod Touch"), then it could be Apple's broken
SecureTransport *if* the server is running Apple software. The bug is
courtesy of a bad ECDHE-ECDSA implementation. See [1] and [2] for
details.
Apple never published an advisory or credited folks with the bug. So it's
hard to say what versions of their operating system are affected by the
broken SecureTransport. It's believed to affect OS X 10.8 through 10.8.4
or so. It's also believed to affect iOS 7 through iOS 7.4 or so. It's also
believed that Apple did not backport the fix, so broken versions of
their SecureTransport will remain broken.
The OpenSSL folks provided a workaround to the Apple ECDHE-ECDSA bug.
But there are two issues with it. First, a developer must "opt-in" by
setting SSL_OP_SAFARI_ECDHE_ECDSA_BUG on the context (SSL_CTX object).
Second, I'm not sure if SSL_OP_SAFARI_ECDHE_ECDSA_BUG is available in
the 1.0.1 branch.
[1] http://openssl.6102.n7.nabble.com/openssl-org-3068-PATCH-Safari-broken-ECDHE-ECDSA-workaround-td45432.html
[2] http://openssl.6102.n7.nabble.com/Apple-are-apparently-dicks-td45512.html
https://bugs.launchpad.net/bugs/1257877
Title:
TLSv1.2 enabling tracker bug
Status in “openssl” package in Ubuntu:
Fix Released
Bug description:
Since the introduction of openssl 1.0.1 in Ubuntu, TLSv1.2 has been
disabled on the client side to prevent compatibility issues with
certain web sites.
Since then, most web sites have been updated to properly handle
TLSv1.2, and except for a single site, I cannot reproduce the failures
with all of those listed in the previous bug reports.
Since TLSv1.2 should be enabled for the LTS release, I am re-enabling
it. This is the tracker bug.