On 06/01/14 21:02, Rob Stradling wrote:
> On 06/01/14 20:40, Jeffrey Walton wrote:
> <snip>
>> There's also an Apple SecureTransport bug workaround. Apple's
>> SecureTransport does not properly negotiate ECDHE-ECDSA cipher
>> suites. It affects Mac OS X and could affect iOS. It might be prudent
>> to add SSL_OP_SAFARI_ECDHE_ECDSA_BUG by default.
>> http://www.mail-archive.com/[email protected]/msg32629.html.
> Nginx doesn't yet support multiple server certs per site (e.g. 1 RSA
> cert and 1 ECC cert), so SSL_OP_SAFARI_ECDHE_ECDSA_BUG isn't yet useful.
Actually I suppose that's not strictly true. Setting
SSL_OP_SAFARI_ECDHE_ECDSA_BUG would be useful today on any Nginx server
with an ECC cert and both ECDHE-ECDSA cipher(s) and ECDH-ECDSA cipher(s)
enabled. (I don't suppose there are many such servers!)
(I was working on a patch for multiple server certs a few months ago; I
hope to find time to complete this very soon).
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online