
SSL Labs: Testing for Apple's TLS authentication bug

February 24, 2014

On Friday, Apple released patches for iOS 6.x and 7.x, addressing a mysterious bug that affected TLS authentication. Although no further details were made available, a large-scale bug hunt ensued. This post on Hacker News pointed to the problem, and Adam Langley followed up with a complete analysis.

I've just released an update for the SSL Labs Client Test, which enables you to test your user agents for this vulnerability.

This bug affects all applications that rely on Apple's SSL/TLS stack, which probably means most of them. Applications that ship their own TLS implementations (for example, Chrome and Firefox) are not vulnerable. For iOS, it's not clear exactly when the bug was introduced. For OS X, it appears that only OS X 10.9 Mavericks is vulnerable.

What you should do:

  • iOS 6.x and 7.x: Patches are available, so you should update your devices immediately.
  • OS X 10.9.x: Apple had promised a fix would be available soon; the vulnerability has since been fixed in 10.9.2. Update immediately.

Update (10 March 2014): If you want to build your own test (e.g., to deploy on your intranet), I have published the instructions here.

MY NEXT BOOK: If you like this blog post, you will love Bulletproof SSL and TLS. This book will contain everything you need to know about SSL and TLS for web application development and deployment, covering both theory and practice. It is available now for early access and preorder.

For a preview of the book, download and read my OpenSSL Cookbook ebook. It's free.