While this is a "bug" pertaining to "security", it doesn't look like a vulnerability; rather, if I'm reading it right, it looks like a compat/interop flaw: if your app uses TLS client certificates (like 0.001% of all apps) to talk to a 3rd party server, and you use ECC ciphersuites, the iOS SecureTransport library aborts the TLS connection.

Here's how big a deal this bug is: the feature they're talking about apparently flat-out doesn't work, they were the first people to figure that out, and this bug is the only place on the Internet that currently documents the fact.

In other words: not necessarily that big of a deal.

It's too bad, I guess, because more mobile apps should take advantage of TLS client certs; custom code that talks TLS can use them much more easily than browsers can.
This is a bug in NSS. Here's the corresponding bug I filed against Chromium:
https://code.google.com/p/chromium/issues/detail?id=349775
If you're an iOS dev, I would really appreciate a dupe of the rdar. It's been an issue for a long time, apparently, and Apple needs some pressure to fix it, or at the very least stop saying it works and document the error.

If you want to see the error in action, check out https://github.com/josephhainline/AppleBugTLSConnectionFailsWithEllipticCurveClientCert