BEAST SSL Mitigation in Mavericks causes SSL disconnects
Reported by: mlamb
The BEAST SSL attack mitigations introduced in Mavericks (see http://threatpost.com/apple-turns-on-safari-beast-attack-mitigation-by-default-in-os-x-mavericks) cause SSL connections to buggy server implementations to disconnect:
15:38:16: (Libpurple: cdsa) receive failed (-9806): Connection reset by peer
15:38:16: (GLib): (15:38:16) cdsa: receive failed (-9806): Undefined error: 0
This is impacting some users of the SIPE plugin (https://sipe.sourceforge.net) due to Microsoft's SSL implementation.
Steps to reproduce
- Install Adium
- Install latest version of SIPE plugin (per SIPE site instructions)
- Connect to an OCS server with un-patched SSL implementation
- Attempt to send a message to a contact
- Adium disconnects (see Debug log with undefined cdsa error)
I expected that Adium wouldn't disconnect.
Adium disconnects with an undefined cdsa error
This only occurs with Adium running on Mavericks (10.9) due to the mitigations implemented in that OS version.
Apple introduced (also in Mavericks) an SSL Session Option that can be set on a per-session basis that disables or enables the mitigation. If set to disabled, this session option resolves the issue, so we just need to conditionally set that option on cdsa connections.
Stefan Becker (SIPE maintainer) and I have worked to create a patch for this (see attached).
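The per-connection opt-out described in the ticket, as an added example that is not the attached patch or Adium's code. `SSLSetSessionOption` and `kSSLSessionOptionSendOneByteRecord` are the Secure Transport names from the OS X 10.9 SDK; `apply_beast_policy`, the `account_opted_out` setting and the non-Apple stand-ins are hypothetical.

```c
/* Added example: opt one connection out of Secure Transport's BEAST mitigation. */
#include <stdbool.h>
#include <stdio.h>

#ifdef __APPLE__
#include <Security/SecureTransport.h>  /* real API; option needs the 10.9 SDK */
#else
/* Stand-ins so the policy logic builds off macOS. Not the real framework. */
typedef int OSStatus;
typedef struct SSLContext *SSLContextRef;
typedef enum { kSSLSessionOptionSendOneByteRecord = 4 } SSLSessionOption;
static OSStatus SSLSetSessionOption(SSLContextRef ctx, SSLSessionOption opt,
                                    bool value)
{
    (void)opt; (void)value;
    return ctx ? 0 : -50;  /* -50 is errSecParam, returned for a bad argument */
}
#endif

typedef enum { BEAST_KEPT, BEAST_DISABLED, BEAST_DISABLE_FAILED } beast_result;

/*
 * Hypothetical helper: call once the SSLContextRef for a cdsa connection
 * exists. account_opted_out is an assumed per-account setting that is false
 * by default, so only accounts known to talk to a server that disconnects
 * under the mitigation lose it.
 */
beast_result apply_beast_policy(SSLContextRef ctx, bool account_opted_out)
{
    if (!account_opted_out)
        return BEAST_KEPT;  /* leave the OS default (mitigation on) alone */

    OSStatus st = SSLSetSessionOption(ctx, kSSLSessionOptionSendOneByteRecord,
                                      false);
    if (st != 0) {
        /* Not fatal: the connection simply keeps the mitigation. */
        fprintf(stderr, "cdsa: could not disable BEAST mitigation (%d)\n",
                (int)st);
        return BEAST_DISABLE_FAILED;
    }
    return BEAST_DISABLED;
}

int main(void)
{
    /* No live context here, so the opt-out path reports the failure case. */
    printf("default account: %d\n", apply_beast_policy(NULL, false));
    printf("opted-out, NULL ctx: %d\n", apply_beast_policy(NULL, true));
    return 0;
}
```

Disabling the option returns that one connection to the pre-Mavericks record behaviour, so scope it to the affected accounts rather than the whole client.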
Change History (19)
Changed 3 years ago by mlamb
comment:5 Changed 3 years ago by Thijs Alkemade <me@…>
- Resolution set to fixed
- Status changed from new to closed
comment:6 Changed 3 years ago by sphynx
- Milestone changed from Adium bugs to Adium 1.5.10
- Patch Status changed from Initially Included to Accepted