Configuring TLS 1.3 and eliminating weak ciphers on Mac mini M2 macOS Sequoia

I would like to know how to edit the TLS/SSL ciphers that my Mac mini M2 Sequoia 15.6 OS uses.


I have TLS 1.3 enabled using "defaults write /Library/Preferences/com.apple.networkd tcp_connect_enable_tls13 1" command line.


However, whenever I send an email using Apple Mail to my email server it only encrypts it using TLS 1.2 when it should use the strongest TLS 1.3 available.


It says I'm using:

LibreSSL 3.3.6
built on: date not available
platform: information not available
options:  bn(64,64) rc4(ptr,int) des(idx,cisc,16,int) blowfish(idx)
compiler: information not available
OPENSSLDIR: "/private/etc/ssl"


I want to eliminate the following weak ciphers (see PNG attached).


What command lines do I use and how do I force macOS to use TLS 1.3 FIRST instead of TLS 1.2???




[Re-Titled by Moderator]

Original Title: HOW TO ELIMINATE WEAK TLS/SSL CIPHERS ON MACOS SEQUOIA

Mac mini, macOS 15.6

Posted on Jul 30, 2025 1:23 PM


Jul 30, 2025 2:07 PM in response to Chad954

By default Mail with Mac OS 15 is going to use TLS 1.3 when available on the Mail Server.


The only time you would need to use that Terminal command is if you previously changed it. The handshake with your email server is going to negotiate the strongest encryption value available. Are you managing the email server yourself where it is running LibreSSL 3.3.6?

Jul 30, 2025 2:28 PM in response to MrHoffman

I agree with you completely but that is NOT what's happening.


Here is what the mail server is offering. Yes, I run it myself. Yes, it is Postfix, and it is configured to use the server-preferred cipher order, which is:

TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256





Jul 30, 2025 2:34 PM in response to Mac Jim ID

Here is the header from Apple Mail via my server:

Received: from smtpclient.apple (unknown [10.25.1.18])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mercury2021.mercuryemail.net (Postfix) with ESMTPSA id 5F248180143





Here is the analysis of my server which shows server preferred TLS 1.3 preferences:


https://www.immuniweb.com/ssl/mercury2021.mercuryemail.net/Ttde8JYx/
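
An added example, not part of any post in this thread: Python that reads Postfix `Received` headers like the one quoted above, extracts the negotiated TLS version and cipher for each hop, and ranks the cipher against the server preference string posted earlier. The second hop (`relay.example.test`, `mx.example.test`, id `CONSTRUCTED1`) is constructed sample data, and `tls_sessions` is a hypothetical helper name.

```python
import re
from email import message_from_string

# Server cipher preference string as posted in the thread (Postfix side).
SERVER_PREFERENCE = (
    "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
).split(":")

# Postfix annotation: "(using TLSv1.2 with cipher NAME (256/256 bits))"
TLS_RE = re.compile(r"\(using (TLSv[\d.]+|SSLv\d) with cipher (\S+) \((\d+)/(\d+) bits\)")

# First hop is the header quoted in the thread; the second hop is constructed.
SAMPLE = (
    "Received: from smtpclient.apple (unknown [10.25.1.18])\n"
    "\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n"
    "\t(No client certificate requested)\n"
    "\tby mercury2021.mercuryemail.net (Postfix) with ESMTPSA id 5F248180143\n"
    "Received: from relay.example.test (relay.example.test [192.0.2.10])\n"
    "\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n"
    "\t key-exchange X25519 server-signature RSA-PSS (2048 bits))\n"
    "\tby mx.example.test (Postfix) with ESMTPS id CONSTRUCTED1\n"
    "Subject: test\n\nbody\n"
)

def tls_sessions(raw_message):
    """Return one dict per Received header that carries a Postfix TLS annotation."""
    sessions = []
    for hop in message_from_string(raw_message).get_all("Received", []):
        flat = " ".join(hop.split())  # unfold continuation lines
        match = TLS_RE.search(flat)
        if not match:
            continue  # plaintext hop, or an MTA that does not log TLS details
        version, cipher = match.group(1), match.group(2)
        rank = SERVER_PREFERENCE.index(cipher) + 1 if cipher in SERVER_PREFERENCE else None
        sessions.append({
            "version": version,
            "cipher": cipher,
            "bits": int(match.group(3)),
            "server_rank": rank,              # 1 = server's first choice
            "below_tls13": version != "TLSv1.3",
        })
    return sessions

if __name__ == "__main__":
    for session in tls_sessions(SAMPLE):
        print(session)
```
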
