Regression of #16550 for Mountain Lion (Mac OS 10.8.5 - Security Update 2014-001 applied)
Reported by: mlamb
Owned by:
Milestone: Adium 1.5.11
Component: Adium Core
Patch Status: Needs Dev Review
Description (last modified by Robby)
The BEAST SSL attack mitigations introduced in Mavericks (see https://trac.adium.im/ticket/16550) have been back-ported to Mountain Lion (10.8.5) in the latest Security Update (2014-001).
Unfortunately, the code introduced in the resolution to issue 16550 did not take into account that the kSSLSessionOptionSendOneByteRecord option is defined differently for 10.8.5, and therefore the value is incorrect when compiled on a 10.8.5 machine.
Steps to reproduce
- Download Adium 1.5.10hg branch
- Install latest SIPE plugin
- Attempt a connection and conversation
Expected results are to see the following in the Adium log:
13:17:33: (GLib): (13:17:33) cdsa: Explicitly disabling SSL BEAST mitigation for broken server implementations
13:17:33: (Libpurple: cdsa) Explicitly disabling SSL BEAST mitigation for broken server implementations
And to have continued connectivity.
Actual results are to see the following in the Adium log:
01:00:36: (GLib): (01:00:36) cdsa: Explicitly disabling SSL BEAST mitigation for broken server implementations
01:00:36: (Libpurple: cdsa) Explicitly disabling SSL BEAST mitigation for broken server implementations
01:00:36: (GLib): (01:00:36) cdsa: SSLSetSessionOption failed to disable SSL BEAST mitigation
01:00:36: (Libpurple: cdsa) SSLSetSessionOption failed to disable SSL BEAST mitigation
And connections are dropped upon any inbound/outbound message.
This only occurs with Adium running on Mountain Lion (10.8.5) with the 2014-001 Security Update applied, due to the mitigations implemented in that OS version.
See related bug #16550
In order to fix this, the #define section in ssl-cdsa.c::ssl_cdsa_create_context() needs to be updated to:

    #ifndef kSSLSessionOptionSendOneByteRecord // Defined in 10.9 SDK, but not in 10.8 SDK
    #if __MAC_OS_X_VERSION_MAX_ALLOWED > 1080
    #define kSSLSessionOptionSendOneByteRecord 4  /* Appears in 10.9 as 4 */
    #else
    #define kSSLSessionOptionSendOneByteRecord -1 /* Appears in 10.8.5 as -1 */
    #endif
    #endif
Change History (13)
comment:1 Changed 13 months ago by Robby
- Description modified (diff)
- Patch Status changed from Initially Included to Needs Dev Review