Miraculix_der_Kräuterboss

Q: calendarserver only supports SSLv3

Hello,

I wonder why my iCal Server only Supports SSLv3. I didn't found any configuration for this. I'd rather like to use TLS1.0 and block any SSLv3.

(Looked in /Library/Server/Calendar\ and\ Contacts/Config/caldavd-system.plist)

 

% nmap --script ssl-enum-ciphers -p 8443 cal.xxx.de

 

Starting Nmap 5.51 ( http://nmap.org ) at 2014-10-16 16:28 CEST

 

Host is up (0.0011s latency).

PORT     STATE SERVICE

8443/tcp open  https-alt

| ssl-enum-ciphers:

|   SSLv3

|     Ciphers (6)

|       TLS_RSA_WITH_3DES_EDE_CBC_SHA

|       TLS_RSA_WITH_AES_128_CBC_SHA

|       TLS_RSA_WITH_AES_256_CBC_SHA

|       TLS_RSA_WITH_RC4_128_MD5

|       TLS_RSA_WITH_RC4_128_SHA

|       TLS_RSA_WITH_SEED_CBC_SHA

|     Compressors (1)

|_      uncompressed

 

 

BTW:

# openssl version

OpenSSL 0.9.8y 5 Feb 2013

 

Shouldn't Apple take any action on this? I feel uncomfortable using OSX Server while not being able to serve something > TLS1.0 without updateing openssl myself.

 

Thanks in advance!

Mac mini, OS X Mavericks (10.9.5)

Posted on Oct 16, 2014 8:22 AM

Close

Q: calendarserver only supports SSLv3

  • All replies
  • Helpful answers

  • by MadMacs0,

    MadMacs0 MadMacs0 Oct 16, 2014 8:25 PM in response to Miraculix_der_Kräuterboss
    Level 5 (4,791 points)
    Oct 16, 2014 8:25 PM in response to Miraculix_der_Kräuterboss

    Apple posted the following updates that include a fix for the SSLv3 "Poodle" issue:

     

    Yosemite 10.10

    Security Update 2014-005 Mavericks

    Security Update 2014-005 Mountain Lion

    as well as updates for all currently supported Servers (4.0, 3.2.2, 2.2.5)

     

    All of them contain the following:

     

    Secure Transport

    Impact:  An attacker may be able to decrypt data protected by SSL

    Description:  There are known attacks on the confidentiality of SSL

    3.0 when a cipher suite uses a block cipher in CBC mode. An attacker

    could force the use of SSL 3.0, even when the server would support a

    better TLS version, by blocking TLS 1.0 and higher connection

    attempts. This issue was addressed by disabling CBC cipher suites

    when TLS connection attempts fail.

    CVE-ID

    CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of

    Google Security Team

     

    It would appear that your browsers will show "maybe vulnerable" on the poodletest site, so my guess is that OS X will prevent all apps from using SSLv3 even if they would otherwise be capable of doing so.  This will protect other apps, such as e-mail clients that are also normally able to use SSLv3.

  • by Jornix,

    Jornix Jornix Feb 3, 2016 8:23 AM in response to Miraculix_der_Kräuterboss
    Level 1 (23 points)
    Mac OS X
    Feb 3, 2016 8:23 AM in response to Miraculix_der_Kräuterboss

    Calendarserver defaults to SSLv3 only.

    To enable TLS, you have to add the following sectino to caldav.plist (below the SSL enable):

     

    <!-- SSL Method -->

    <key>SSLMethod</key>

    <string>TLSv1_METHOD</string>

     

    This enables El Capitan to use calendarserver vor Caldav again.

     

    I found this by reverse engineering, i could not find any hint about this online, so this is probably a first.