kenjakw

Q: Can't access mail server with SSLV3 and TLS1.0 disabled

I run an ecommerce website that requires PCI compliance. My PCI scanner is telling me that I need to disable SSLv3 and TLS 1.0 to maintain compliance. However, when I do that, neither my Mac Mail client, nor my iPhone are able to connect to the mail server. I am assuming that means that they're using the out of date protocol that has been disabled. I'm scratching my head as to why the latest patched OS (Mavericks & iOS 8.3) are unable to upgrade the protocol beyond those outdated and insecure ones. I'm using IMAP port 993 in SSL and SMTP on secure port 465. Is there anything I can do to get my devices synching with my mail server short of making the server non-compliant with PCI?

MacBook Pro (Retina, 15-inch, Mid 2014), OS X Mavericks (10.9.5)

Posted on May 15, 2015 9:44 AM

  • by BobSpadger,

    BobSpadger May 29, 2015 1:52 AM in response to kenjakw
    Level 1 (0 points)

    I have just discovered this issue today as well.

    Using Kerio Connect, I disabled TLS v1.0 and all my Apple Mail clients (all the way to Yosemite) dropped off. They were configured to use IMAPS on port 993 with SSL on, etc.

    I could not find a way to get them to connect so had to re-enable TLS 1.0.

  • by mwf01,

    mwf01 May 29, 2015 9:36 AM in response to kenjakw
    Level 1 (0 points)

    I discovered this on April 30th when I disabled TLSv1.0 for IMAP and SMTP connections on our mail server. It broke all mail connectivity from our iPhones (8.3 12F70). I confirmed via our mail server logs that iOS uses TLSv1.0 for connections to both IMAP and SMTP. I also confirmed that Safari on the iPhone uses TLSv1.2 by visiting https://www.ssllabs.com/ssltest/viewMyClient.html. It also supports SSL 3 and TLS 1.0, both of which are considered insecure.

    I disabled TLSv1.0 for all services except IMAP and SMTP. Since you only have to pass the PCI scan once every three months I have a little more time before I have to disable TLSv1.0 for IMAP and SMTP or become non-compliant.

    Apple needs to fix this now or they are going to have a major issue on their hands.
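
The log check mwf01 describes can be scripted to find which clients would be cut off before TLS 1.0 is disabled. The following is an added example, not part of any post in this thread; it assumes Postfix-style `smtpd` log lines (as written with `smtpd_tls_loglevel = 1`), and the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Postfix smtpd TLS log format (assumption:
# the thread does not say which mail server or log format was used).
# Addresses are from the documentation ranges.
SAMPLE_LOG = """\
May 29 09:30:01 mx postfix/smtpd[2101]: Anonymous TLS connection established from unknown[192.0.2.10]: TLSv1 with cipher AES128-SHA (128/128 bits)
May 29 09:30:07 mx postfix/smtpd[2102]: Anonymous TLS connection established from unknown[192.0.2.10]: TLSv1 with cipher AES128-SHA (128/128 bits)
May 29 09:31:15 mx postfix/smtpd[2103]: Anonymous TLS connection established from unknown[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 29 09:32:40 mx postfix/smtpd[2104]: connect from unknown[203.0.113.5]
May 29 09:33:02 mx postfix/smtpd[2105]: Anonymous TLS connection established from unknown[203.0.113.5]: SSLv3 with cipher RC4-SHA (128/128 bits)
"""

# Captures the client address and the negotiated protocol version.
TLS_LINE = re.compile(
    r"TLS connection established from \S*\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>SSLv[23]|TLSv1(?:\.[0-3])?) with cipher"
)

# Protocol versions a PCI scan of this kind flags for removal.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1"}


def tally_protocols(log_text):
    """Return {client_ip: {protocol: handshake_count}} for every TLS line."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:  # non-TLS lines (e.g. plain "connect from") are skipped
            counts[m["ip"]][m["proto"]] += 1
    return {ip: dict(protos) for ip, protos in counts.items()}


def clients_that_would_break(log_text):
    """Clients whose every logged handshake used a deprecated protocol."""
    return sorted(
        ip for ip, protos in tally_protocols(log_text).items()
        if set(protos) <= DEPRECATED
    )


if __name__ == "__main__":
    for ip, protos in tally_protocols(SAMPLE_LOG).items():
        print(ip, protos)
    print("would lose access:", clients_that_would_break(SAMPLE_LOG))
```

Run over a few weeks of real logs, the second function gives the list of clients to upgrade or reconfigure before the protocol is switched off.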

  • by Eric Root,

    Eric Root May 29, 2015 10:30 AM in response to mwf01
    Level 9 (72,634 points)

    Send Apple feedback. They won't answer, but at least will know there is a problem. If enough people send feedback, it may get the problem solved sooner.

    Feedback

    Or you can use your Apple ID to register with this site and go to the Apple BugReporter. Supposedly you will get an answer if you submit feedback.

    Feedback via Apple Developer

  • by BobSpadger,

    BobSpadger Jun 1, 2015 2:56 AM in response to Eric Root
    Level 1 (0 points)

    I've posted.

    Can we find anyone who has Apple Mail running with TLS 1.1 or greater - it seems quite mad that Apple would just use 1.0.

  • by CGK_sys,

    CGK_sys May 12, 2016 7:03 AM in response to BobSpadger
    Level 1 (8 points)

    How did you guys disable TLS 1.0?

    I'm using Mac OS X El Capitan with Server App 5.1.