Safari doesn't support RFC5746 (has broken SSL renegotiation)

Originator: arthurp
Number: rdar://8696868
Date Originated: 23-Nov-2010 12:24 PM
Status: Duplicate
Resolved:
Product: Safari
Product Version: 5.0.3 (6533.19.4)
Classification: security
Reproducible: always
 
Summary:
Safari still uses the old-style SSL renegotiation described in CVE-2009-3555 and http://www.phonefactor.com/sslgap/ .  Safari stops connecting to servers requiring renegotiation and certificates as soon as those servers stop allowing old-style renegotiation.

Steps to Reproduce:
1. Start with a fresh "login" Keychain

2. Obtain a client x.509 certificate
  if you don't have a CA handy: see http://foaf.me/Tests/simple_KEYGEN_CreateClientCertificate.php

3. Visit a page that does NOT require renegotiation on a site running Apache2 and OpenSSL 0.9.8 > 0.9.8m

4. Visit a page that DOES require renegotiation, again on a site running Apache2 and OpenSSL 0.9.8 > 0.9.8m 

Expected Results:
Both 3. and 4. result in normal page loads.

Actual Results:
3. loads normally
4. Safari shows the error 
  Safari can't open the page "https://HOST/PATH/" because Safari can't establish a secure connection to the server "HOST".

Regression:
Has never worked.

Notes:
It's been over a year since CVE-2009-3555 was reported, and about 9 months since RFC 5746 was published.  As of this writing, Firefox, IE, Chrome, and Opera support RFC 5746, whereas people using Safari are locked out of certificate-protected content on servers/directories requiring renegotiation.
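
A server operator can tell which clients will be refused once legacy renegotiation is disabled by checking whether a captured ClientHello carries either RFC 5746 signal: the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite (0x00FF) or the renegotiation_info extension (0xFF01). The parser below is an added example, not part of the original report; the names signals_rfc5746 and build_hello are hypothetical, and the sample records are constructed.

```python
import struct

SCSV = 0x00FF            # TLS_EMPTY_RENEGOTIATION_INFO_SCSV, RFC 5746 sec. 3.3
EXT_RENEG_INFO = 0xFF01  # renegotiation_info extension type, RFC 5746 sec. 3.2

def signals_rfc5746(record: bytes) -> bool:
    """True if the ClientHello in this TLS record signals RFC 5746 support."""
    try:
        if record[0] != 22:                      # record type 22 = handshake
            raise ValueError("not a TLS handshake record")
        body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if body[0] != 1:                         # handshake type 1 = ClientHello
            raise ValueError("not a ClientHello")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                             # skip client_version, random
        pos += 1 + hello[pos]                    # skip session_id
        n = struct.unpack("!H", hello[pos:pos + 2])[0]
        suites = struct.unpack(f"!{n // 2}H", hello[pos + 2:pos + 2 + n])
        if SCSV in suites:
            return True
        pos += 2 + n
        pos += 1 + hello[pos]                    # skip compression_methods
        if pos == len(hello):                    # no extensions block at all
            return False
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos < end:                         # walk type/length/value list
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            if ext_type == EXT_RENEG_INFO:
                return True
            pos += 4 + ext_len
        return False
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc

def build_hello(suites, extensions=b""):
    """Build a minimal TLS 1.0 ClientHello record (constructed sample data)."""
    cs = struct.pack(f"!{len(suites)}H", *suites)
    hello = (b"\x03\x01" + bytes(32) + b"\x00" +
             struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

LEGACY = build_hello([0x002F, 0x0035])           # no RFC 5746 signal
WITH_SCSV = build_hello([0x002F, SCSV])
WITH_EXT = build_hello([0x002F], struct.pack("!HH", 0x0023, 0) +
                       struct.pack("!HHB", EXT_RENEG_INFO, 1, 0))
```

A ClientHello that returns False here is the kind a server enforcing RFC 5746 will not renegotiate with.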

Comments

Thanks for the additional information

I'm going to post my own bug report and see if I get the same results. I'll keep you posted.

The radar interface tells me, under "Related Problem" for 8696868: This problem is: "duplicate of" ID: "7386571" State: "open".

I have no reason to believe that the issue has been resolved.

Ridley DiSiena

Has this bug been fixed? It appears it is still occurring in the latest builds of Safari as of 7-15-2011. Could someone provide the original bug report, since this is flagged as a duplicate?

