calendarserver only supports SSLv3

Hello,

I wonder why my iCal Server only supports SSLv3. I didn't find any configuration for this. I'd rather use TLS1.0 and block any SSLv3.

(Looked in /Library/Server/Calendar\ and\ Contacts/Config/caldavd-system.plist)


% nmap --script ssl-enum-ciphers -p 8443 cal.xxx.de

Starting Nmap 5.51 ( http://nmap.org ) at 2014-10-16 16:28 CEST
Host is up (0.0011s latency).
PORT STATE SERVICE
8443/tcp open https-alt
| ssl-enum-ciphers:
| SSLv3
| Ciphers (6)
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| TLS_RSA_WITH_SEED_CBC_SHA
| Compressors (1)
|_ uncompressed



BTW:

# openssl version
OpenSSL 0.9.8y 5 Feb 2013


Shouldn't Apple take any action on this? I feel uncomfortable using OSX Server while not being able to serve something > TLS1.0 without updating openssl myself.


Thanks in advance!

Mac mini, OS X Mavericks (10.9.5)

Posted on Oct 16, 2014 8:22 AM

3 replies

Jan 12, 2017 2:36 AM in response to Jornix

Thanks a lot Jornix, this worked perfectly for me.


The problem in my situation was a client connecting with iCal on OS X 10.11 and macOS 10.12 to OS X Server 2.2.2 running on 10.8.

Those clients will not connect to old server versions running SSLv3 only, so enabling TLS lets the newer clients connect perfectly.


Great work!

Oct 16, 2014 8:25 PM in response to Miraculix_der_Kräuterboss

Apple posted the following updates that include a fix for the SSLv3 "Poodle" issue:


Yosemite 10.10
Security Update 2014-005 Mavericks
Security Update 2014-005 Mountain Lion

as well as updates for all currently supported Servers (4.0, 3.2.2, 2.2.5)


All of them contain the following:


Secure Transport

Impact: An attacker may be able to decrypt data protected by SSL

Description: There are known attacks on the confidentiality of SSL 3.0 when a cipher suite uses a block cipher in CBC mode. An attacker could force the use of SSL 3.0, even when the server would support a better TLS version, by blocking TLS 1.0 and higher connection attempts. This issue was addressed by disabling CBC cipher suites when TLS connection attempts fail.

CVE-ID

CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of Google Security Team


It would appear that your browsers will show "maybe vulnerable" on the poodletest site, so my guess is that OS X will prevent all apps from using SSLv3 even if they would otherwise be capable of doing so. This will protect other apps, such as e-mail clients that are also normally able to use SSLv3.

Feb 3, 2016 8:23 AM in response to Miraculix_der_Kräuterboss

Calendarserver defaults to SSLv3 only.

To enable TLS, you have to add the following section to caldav.plist (below the SSL enable):

<!-- SSL Method -->
<key>SSLMethod</key>
<string>TLSv1_METHOD</string>

This enables El Capitan to use calendarserver for CalDAV again.

I found this by reverse engineering, I could not find any hint about this online, so this is probably a first.
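After a change such as the SSLMethod setting above, the scan from the first post can be rerun and its output checked automatically. The following is an added example, not part of any post in this thread: a small Python parser for ssl-enum-ciphers output that flags legacy protocols and weak suites. The function names, the weak-suite list and the embedded sample (constructed from the first post's scan) are assumptions of this example.

```python
import re

# Constructed sample: the ssl-enum-ciphers lines from the first post's scan.
SAMPLE = """\
| ssl-enum-ciphers:
| SSLv3
| Ciphers (6)
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_RC4_128_MD5
| TLS_RSA_WITH_RC4_128_SHA
| TLS_RSA_WITH_SEED_CBC_SHA
| Compressors (1)
|_ uncompressed
"""

PROTO = re.compile(r"^(?:SSLv\d|TLSv\d(?:\.\d)?)$")
SUITE = re.compile(r"^((?:TLS|SSL)_[A-Z0-9_]+)")
LEGACY = {"SSLv2", "SSLv3"}                    # protocols that should be off
WEAK = ("_RC4_", "_3DES_", "_DES_", "_MD5", "_EXPORT", "_NULL_")  # assumed list

def parse(output):
    """Return {protocol: [cipher suites]}; tolerates nmap's "|"/"|_" prefixes,
    indentation, trailing colons and per-suite strength annotations."""
    offered, current = {}, None
    for raw in output.splitlines():
        line = raw.lstrip("|_ \t").strip().rstrip(":")
        if PROTO.match(line):
            current = line
            offered.setdefault(current, [])
        elif current and (m := SUITE.match(line)):
            offered[current].append(m.group(1))
    return offered

def audit(output):
    """Return findings for legacy protocols and weak cipher suites."""
    offered = parse(output)
    findings = []
    if offered and set(offered) <= LEGACY:
        findings.append("no TLS version offered")
    for proto, suites in offered.items():
        if proto in LEGACY:
            findings.append(f"{proto} enabled")
        findings += [f"{proto}: weak suite {s}" for s in suites
                     if any(tag in s for tag in WEAK)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

An empty result from `audit` on a fresh scan means no SSLv2/SSLv3 section and none of the listed weak suites were reported for the port.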
