contrib: add SSL BEAST mitigation patch for Adium
authorStefan Becker <chemobejk@gmail.com>
Sat, 16 Nov 2013 12:30:04 +0000 (16 14:30 +0200)
committerStefan Becker <chemobejk@gmail.com>
Sat, 16 Nov 2013 14:17:15 +0000 (16 16:17 +0200)
Improved version of the patch from the bug ticket discussion:

   http://sourceforge.net/p/sipe/bugs/216/

(cherry picked from commit 051f516f39fb099f58f6f6911f7151ed96560756)

contrib/adium-patches/README.txt [new file with mode: 0644]
contrib/adium-patches/adium-1.5.8-disable-ssl-mitigation.patch [new file with mode: 0644]

diff --git a/contrib/adium-patches/README.txt b/contrib/adium-patches/README.txt
new file mode 100644 (file)
index 0000000..fc316d9
--- /dev/null
@@ -0,0 +1,38 @@
+After upgrading to Mavericks SIPE always fails with "Read Error"
+================================================================
+
+Apple enabled SSL BEAST mitigation by default in Mac OS X 10.9 (Mavericks):
+
+   <https://community.qualys.com/blogs/securitylabs/2013/10/31/apple-enabled-beast-mitigations-in-os-x-109-mavericks>
+
+This causes an interoperability problem for SIPE, because there are are still
+Microsoft servers out there whose SSL stacks drop connections when the SSL
+stack on the client implements the standard 1/N-1 packet split to mitigate
+against SSL BEAST attacks:
+
+    <http://sourceforge.net/p/sipe/wiki/Frequently%20Asked%20Questions/#connection-problems>
+
+There is a system preference option in Mac OS X 10.9 to disable SSL BEAST
+mitigation for all SSL connections:
+
+   $ sudo defaults write /Library/Preferences/com.apple.security SSLWriteSplit -integer 0
+
+Unfortnately there is a bug in Mac OS X 10.9 which causes the SSL stack to
+ignore this setting:
+
+   <rdar://15432593>
+
+The only known working fix is to patch the SSL CDSA module in the Adium source
+tree to disable the SSL BEAST mitigation for all SSL connection create by the
+"prpl-sipe" plugin. Download the Adium source code, unpack it and then apply
+the patch to it:
+
+   $ cd adium-1.5.8
+   $ patch -p1 </path/to/sipe/source/contrib/adium-patches/adium-1.5.8-disable-ssl-mitigation.patch
+
+Then follow the standard Adium instruction to build it.
+
+
+Detailed discussion about the SSL BEAST mitigation problem on Mac OS X 10.9:
+
+   http://sourceforge.net/p/sipe/bugs/216
diff --git a/contrib/adium-patches/adium-1.5.8-disable-ssl-mitigation.patch b/contrib/adium-patches/adium-1.5.8-disable-ssl-mitigation.patch
new file mode 100644 (file)
index 0000000..007a6a9
--- /dev/null
@@ -0,0 +1,32 @@
+diff -r 9c8daca7bb8b Plugins/Purple Service/libpurple_extensions/ssl-cdsa.c
+--- a/Plugins/Purple Service/libpurple_extensions/ssl-cdsa.c   Wed Oct 23 16:08:03 2013 +0200
++++ b/Plugins/Purple Service/libpurple_extensions/ssl-cdsa.c   Sat Nov 16 14:28:04 2013 +0200
+@@ -37,6 +37,7 @@
+ //#define CDSA_DEBUG
++#import <Availability.h>
+ #import <Security/Security.h>
+ #import <unistd.h>
+@@ -504,6 +505,20 @@
+         protoErr = SSLSetProtocolVersionEnabled(cdsa_data->ssl_ctx, kTLSProtocol1, true);
+     }
+     
++    if (!strcmp(purple_account_get_protocol_id(account),"prpl-sipe")) {
++        purple_debug_info("cdsa", "Explicitly disabling SSL BEAST mitigation for Microsoft Lync 2010 connections\n");
++
++        OSStatus protoErr;
++#if __MAC_OS_X_VERSION_MAX_ALLOWED <= 1090
++#define kSSLSessionOptionSendOneByteRecord 4 /* appears in 10.9 */
++#endif
++
++        protoErr = SSLSetSessionOption(cdsa_data->ssl_ctx, kSSLSessionOptionSendOneByteRecord, false);
++        if (protoErr != noErr) {
++            purple_debug_info("cdsa", "SSLSetSessionOption failed to disable SSL BEAST mitigation\n");
++        }
++    }
++
+     if(gsc->host) {
+         /*
+          * Set the peer's domain name so CDSA can check the certificate's CN