HT201222: Apple security updates
Learn about Apple security updates
-
Oct 23, 2015 7:04 AM in response to puzzell by chattphotos
TLS 1.2 is the current version, not 1.1.
The Mac OS and iOS are up-to-date on the SSL/TLS versions, so in that, the devices are PCI compliant.
What is your setup like?
What web browser?
What tests are you performing?
Note, the SSL tester will crash the Chrome iOS browser, so only do it in Safari for now.
https://www.ssllabs.com/ssltest/viewMyClient.html
-
Oct 23, 2015 7:15 AM in response to chattphotos by puzzell
OK, thanks. The browser seems OK, but is Mail on El Capitan compatible, and Mail on iOS? How can I test that, please?
Thanks
-
Oct 23, 2015 7:38 AM in response to puzzell by chattphotos
For mail, it may be dependent on what the mail server can support.
Contact the support team for your email system and set TLS to 1.2 (if not there already)
If you have no issues connecting to the server, then all is good.
-
Oct 23, 2015 7:45 AM in response to chattphotos by puzzell
Yes, TLS 1.1+ is working on the server, but Mail on iOS and OS X won't connect when we turn off TLS 1.0.
-
Oct 23, 2015 7:53 AM in response to puzzell by chattphotos
Contact Apple accordingly for further troubleshooting.
-
Oct 26, 2015 4:24 AM in response to chattphotos by puzzell
The ports support the use of all three TLS versions as per the output of an NMAP against your IP below for port 993 and 465. The mail application not only has to support TLS 1.1 and 1.2 but will also need to support the use of the available ciphers being used by the server.
You would need to confirm with your email application provider if they support the below ciphers and if not what ciphers they require for TLS greater than 1.0.
-
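The reply above makes the point that the server's protocol versions and its cipher list both have to match what the client can do, and the earlier advice was to test by switching TLS 1.0 off and watching whether the client still connects. A more controlled way to test the server side is to pin one protocol version at a time from a scripted client, per port, and record what each attempt negotiated. The script below is an added example; it is not code from this thread or from Apple. The host name mail.example.com and the port-to-mode mapping (993 and 465 implicit TLS, 587 STARTTLS) are assumptions to adjust for your own server. It uses only the Python standard library; the equivalent by hand is `openssl s_client -connect host:993 -tls1_1` (with `-starttls smtp` for a STARTTLS port).

```python
"""Probe which TLS versions a mail server accepts on its IMAP/SMTP ports.

Added example, not code from the thread or from Apple. HOST and the
port/mode mapping are placeholders to replace. Standard library only.
"""
import smtplib
import socket
import ssl

HOST = "mail.example.com"  # assumed placeholder
# Ports from the thread. 993 and 465 wrap the whole session in TLS
# ("implicit"); 587 starts in clear text and upgrades with STARTTLS.
PORTS = {993: "implicit", 465: "implicit", 587: "starttls"}

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}
LEGACY = ("TLSv1.0", "TLSv1.1")  # what PCI DSS calls "early TLS"


def pinned_context(version):
    """Client context that offers exactly one protocol version.

    Certificate verification stays on: a probe that accepted any chain
    would report the version as working while hiding a second reason a
    real client refuses to connect.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 rejects TLS 1.0/1.1 at its default security level, so
        # lower it for the legacy probes only (OpenSSL-specific syntax).
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def probe(host, port, mode, version_name):
    """Try one version on one port; return (accepted, cipher or error)."""
    ctx = pinned_context(VERSIONS[version_name])
    try:
        if mode == "starttls":
            with smtplib.SMTP(host, port, timeout=10) as smtp:
                smtp.starttls(context=ctx)
                return True, smtp.sock.cipher()[0]
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.cipher()[0]
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return False, f"{exc.__class__.__name__}: {exc}"


def scan(host=HOST, ports=PORTS):
    """Return {(port, version_name): (accepted, detail)} for every pair."""
    return {(port, v): probe(host, port, mode, v)
            for port, mode in ports.items() for v in VERSIONS}


def legacy_ports(results):
    """Ports that still accept TLS 1.0 or 1.1 (what a PCI scan flags)."""
    return sorted({port for (port, v), (ok, _) in results.items()
                   if ok and v in LEGACY})


def dead_ports(results):
    """Ports where no pinned version handshook at all: unreachable, or a
    cipher/certificate mismatch rather than a version mismatch."""
    accepted = {port for (port, _), (ok, _) in results.items() if ok}
    return sorted({port for port, _ in results} - accepted)


if __name__ == "__main__":
    results = scan()
    for (port, v), (ok, detail) in sorted(results.items()):
        print(f"{port:>4} {v}: {'OK' if ok else 'NO'} {detail}")
    print("legacy versions still enabled on:", legacy_ports(results))
    print("nothing negotiated on:", dead_ports(results))
```

Read the two summaries together: `legacy_ports` is the PCI finding, while a port that appears in `dead_ports` after you have disabled TLS 1.0 is not a version problem at all; look at the error text, which will name a certificate verification failure or a cipher mismatch, and compare the server's enabled suites against what the client actually offers.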
Oct 26, 2015 9:13 AM in response to puzzell by puzzell
Please advise.
-
Feb 8, 2016 9:20 AM in response to chattphotos by Martin R. Lerch
As of the latest OS X 10.11 and the latest iOS 9.2.1, the Mail apps that ship with OS X or iOS do not support TLS v1.1 or TLS v1.2. Not sure why Apple is doing this, and why they don't fix it, but they don't support it. MS Outlook for OS X or iOS does support TLS v1.1 and v1.2, but Outlook is not compatible with iCloud Calendar and Address Book services. So disappointed that Apple can't fix this, or allow MS to integrate with iCloud. I have been in touch with an Apple senior advisor since last year, when PCI requirements stated that I have to get a waiver with an upgrade plan in place by sometime this year in order to continue using Apple's Mail clients and the super old TLS v1.0. It's so last millennium!
Apple, please get with it, and even if you feel that the TLS exposure found by PCI is only applicable for web browser access, just fix your software. Make it compliant with current industry standards. Thank you.
-
Feb 8, 2016 9:26 AM in response to Martin R. Lerch by modular747
"Apple, please get with it"
This is a user-to-user tech support forum. Apple doesn't read or respond to posts here. If you have something to suggest to Apple regarding iPhones, post it here: Apple - iPhone - Feedback
-
May 23, 2016 12:11 AM in response to Martin R. Lerch by Charlene Reese
I called Apple before disabling the lower TLS protocols on my server and was told that of course Apple Mail will work with TLS v1.2. I absolutely have to make my server PCI compliant by disabling TLS v1.0, which I have done, as well as TLS v1.1. Now none of my Mac devices can connect for outgoing mail (SMTP) to the mail server. I found a solution for my desktop and laptop computers by installing MS Outlook. Outlook is able to connect to the TLS v1.2 server just fine to send as well as receive mail. I hate to have to resort to using Outlook since I've always preferred Apple Mail. That said, I still have a huge problem. I have clients who also use Apple products who need to be able to send and receive mail with Apple Mail. They aren't going to be very happy about me telling them that now they need to go out and buy MS Outlook. PCI compliance isn't just about securing the browser.
Were any of you able to get Apple Mail working when only TLS v1.2 is enabled on the server ?
Thanks.
-
Jul 5, 2016 12:23 PM in response to puzzell by Martin R. Lerch
As of the latest OS X 10.11.5 (15F34) and the latest iOS 9.3.2, for the Mail apps that ship with them I found out the following:
OS X Mail seems to support TLS v1.1 and TLS v1.2 for incoming mail/IMAP on port 993 (secure). I turned off TLS v1.0 on the mail server and the Mail client on OS X is still able to receive mail.
BUT
I also have to revert back to TLS v1.0 because:
1. The OS X Mail client is still not able to send mail via port 465 (secure). The message sits in the outbox and does nothing.
2. iOS Mail is still not supporting anything above TLS v1.0! What the heck!!!!! Apple!
Mr. L
-
Jul 5, 2016 5:47 PM in response to puzzell by Martin R. Lerch
So I found out more. According to this document here https://www.apple.com/business/docs/iOS_Security_Guide.pdf iOS Mail does support TLS 1.2 (and probably OS X Mail too). I am totally stumped why it is still not working though. The iOS Mail client can't connect to the server when TLS 1.0 is disabled. I wonder why that is. Totally stunned. I did however find out something. Look at the area where it says "Cipher is", and then the cipher used. Could it be that my mail server is trying to use a TLS v1.0 cipher and that's why iOS and OS X Mail can't send or connect to the IMAP server securely?
...
[host2]# openssl s_client -connect mail.domain.com:587
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.domain.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.domain.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFcTCCBFmgAwIBAgIRAJTBaqgKOaPAAc77yh9/NRowDQYJKoZIhvcNAQELBQAw
gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
VQQDEy1DT01P...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.domain.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 6095 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
...
-
Aug 31, 2016 7:49 AM in response to Martin R. Lerch by reichhart
Here's a method describing how to test the available ciphers:
By iteratively stripping the ciphers from the suite you'll get this preference:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ECDHE-RSA-AES256-SHA)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ECDHE-RSA-AES128-SHA)
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (ECDHE-RSA-DES-CBC3-SHA)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (DHE-RSA-AES256-SHA)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (DHE-RSA-AES128-SHA)
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (EDH-RSA-DES-CBC3-SHA)
TLS_RSA_WITH_AES_256_CBC_SHA (AES256-SHA)
TLS_RSA_WITH_AES_128_CBC_SHA (AES128-SHA)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (DES-CBC3-SHA)
TLS_ECDHE_RSA_WITH_RC4_128_SHA (ECDHE-RSA-RC4-SHA)
TLS_RSA_WITH_RC4_128_SHA (RC4-SHA)
TLS_RSA_WITH_RC4_128_MD5 (RC4-MD5)
But on TLS CLIENT HELLO there are actually more ciphers announced (here: iOS 6 Apple Mail):
# ./show-cipher-preference 993;echo $?
Version: TLSv1
Record Length: 173
Message Length: 169
Version: TLSv1
ServerRandom, Time: 1472654266,
Wed Aug 31 16:37:46 2016
(time reversed:) 3136013911,
c/loJan ?. /(:.':,+ 1970
Session ID Length: 0
Cipher Suite Length: 88
0x00 0xFF TLS_EMPTY_RENEGOTIATION_INFO_SCSV
0xC0 0x24 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (ECDHE-ECDSA-AES256-SHA384)
0xC0 0x23 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (ECDHE-ECDSA-AES128-SHA256)
0xC0 0x0A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ECDHE-ECDSA-AES256-SHA)
0xC0 0x09 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ECDHE-ECDSA-AES128-SHA)
0xC0 0x07 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (ECDHE-ECDSA-RC4-SHA)
0xC0 0x08 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (ECDHE-ECDSA-DES-CBC3-SHA)
0xC0 0x28 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ECDHE-RSA-AES256-SHA384)
0xC0 0x27 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ECDHE-RSA-AES128-SHA256)
0xC0 0x14 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ECDHE-RSA-AES256-SHA)
0xC0 0x13 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ECDHE-RSA-AES128-SHA)
0xC0 0x11 TLS_ECDHE_RSA_WITH_RC4_128_SHA (ECDHE-RSA-RC4-SHA)
0xC0 0x12 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (ECDHE-RSA-DES-CBC3-SHA)
0xC0 0x26 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
0xC0 0x25 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
0xC0 0x2A TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
0xC0 0x29 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
0xC0 0x04 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
0xC0 0x05 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
0xC0 0x02 TLS_ECDH_ECDSA_WITH_RC4_128_SHA
0xC0 0x03 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
0xC0 0x0E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
0xC0 0x0F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
0xC0 0x0C TLS_ECDH_RSA_WITH_RC4_128_SHA
0xC0 0x0D TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
0x00 0x3D TLS_RSA_WITH_AES_256_CBC_SHA256 (AES256-SHA256)
0x00 0x3C TLS_RSA_WITH_AES_128_CBC_SHA256 (AES128-SHA256)
0x00 0x2F TLS_RSA_WITH_AES_128_CBC_SHA (AES128-SHA)
0x00 0x05 TLS_RSA_WITH_RC4_128_SHA (RC4-SHA)
0x00 0x04 TLS_RSA_WITH_RC4_128_MD5 (RC4-MD5)
0x00 0x35 TLS_RSA_WITH_AES_256_CBC_SHA (AES256-SHA)
0x00 0x0A TLS_RSA_WITH_3DES_EDE_CBC_SHA (DES-CBC3-SHA)
0x00 0x67 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (DHE-RSA-AES128-SHA256)
0x00 0x6B TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (DHE-RSA-AES256-SHA256)
0x00 0x33 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (DHE-RSA-AES128-SHA)
0x00 0x39 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (DHE-RSA-AES256-SHA)
0x00 0x16 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (DHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA)
0xC0 0x06 TLS_ECDHE_ECDSA_WITH_NULL_SHA (ECDHE-ECDSA-NULL-SHA)
0xC0 0x10 TLS_ECDHE_RSA_WITH_NULL_SHA (ECDHE-RSA-NULL-SHA)
0xC0 0x01 TLS_ECDH_ECDSA_WITH_NULL_SHA
0xC0 0x0B TLS_ECDH_RSA_WITH_NULL_SHA
0x00 0x3B TLS_RSA_WITH_NULL_SHA256 (NULL-SHA256)
0x00 0x02 TLS_RSA_WITH_NULL_SHA (NULL-SHA)
0x00 0x01 TLS_RSA_WITH_NULL_MD5 (NULL-MD5)
Compression Methods Length: 1
Extensions Length: 40
Extension: 0x00 0x00, Extension Length: 18
Extension: 0x00 0x0A, Extension Length: 8, EC list: sect233k1 secp256r1 secp384r1 secp521r1
Extension: 0x00 0x0B, Extension Length: 2
0
It looks like the client (iOS Apple Mail) only announces TLS 1.2 ciphers but could only negotiate on TLS 1.0 ciphers with the server.
-
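The dump above is the client's offer; whether a handshake succeeds depends on how the server reads it. In TLS 1.0 through 1.2 the server takes the lower of the ClientHello's client_version field and its own highest version, and then picks a suite from the intersection of the two lists that is valid for that version. Suites with SHA-256/SHA-384 MACs or AEAD modes exist only in TLS 1.2, so a hello whose version field says 0x0301 (TLS 1.0) but lists them can never actually use them, and a server that only enables such suites has nothing left to pick. The parser below is an added example, not code from the thread or from the show-cipher-preference tool. The ClientHello it parses is constructed in the script to mirror the shape of the dump (TLS 1.0 version field, TLS 1.2-only suites listed anyway, the renegotiation SCSV, SNI and supported-groups extensions); the two server cipher lists are made-up configurations, one GCM-only and one that also enables ECDHE CBC suites.

```python
"""Parse a TLS ClientHello and check it against a server cipher list.

Added example, not code from the thread. SAMPLE_HELLO is constructed
below to mirror the shape of the iOS 6 Mail hello dumped in the post:
client_version 0x0301 (TLS 1.0), TLS 1.2-only suites listed anyway,
the renegotiation SCSV, SNI and supported-groups extensions. The
server cipher lists are made-up configurations. Standard library only.
"""
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0",
                 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

# IANA code points for suites that appear in the thread (a subset).
SUITE_NAMES = {
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC010: "TLS_ECDHE_RSA_WITH_NULL_SHA",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
TLS12_ONLY = {0xC024, 0xC028, 0xC027, 0xC030, 0xC02F}  # SHA-2 MAC or AEAD
NULL_CIPHER = {0xC010}


def build_client_hello(client_version, suites, sni=b"mail.example.com"):
    """Serialise a minimal ClientHello inside a TLS record (test data only)."""
    name = b"\x00" + struct.pack("!H", len(sni)) + sni  # host_name entry
    sni_ext = struct.pack("!HHH", 0x0000, len(name) + 2, len(name)) + name
    groups = struct.pack("!4H", 0x0017, 0x0018, 0x0019, 0x0006)  # P-256/384/521, sect233k1
    groups_ext = struct.pack("!HHH", 0x000A, len(groups) + 2, len(groups)) + groups
    exts = sni_ext + groups_ext
    body = (struct.pack("!H", client_version) + bytes(32) + b"\x00"  # version, random, no session id
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                        # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return struct.pack("!BHH", 0x16, client_version, len(handshake)) + handshake


def _u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_client_hello(record):
    """Return the ClientHello fields that decide a version/cipher failure."""
    ctype, rec_ver, _ = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    h = record[9:9 + int.from_bytes(record[6:9], "big")]
    client_version = _u16(h, 0)
    pos = 2 + 32                       # skip client random
    pos += 1 + h[pos]                  # skip session id
    cs_len = _u16(h, pos)
    pos += 2
    suites = [_u16(h, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + h[pos]                  # skip compression methods
    extensions = {}
    if pos < len(h):                   # extensions block is optional
        end = pos + 2 + _u16(h, pos)
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", h[pos:pos + 4])
            extensions[etype] = h[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    return {"record_version": rec_ver, "client_version": client_version,
            "suites": suites, "extensions": extensions}


def usable_suites(hello, server_suites, server_max=0x0303):
    """Suites the server can pick, in server preference order.

    Negotiated version is min(client_version, server_max); TLS 1.2-only
    suites are unusable below it even when both sides list them.
    """
    version = min(hello["client_version"], server_max)
    offered = set(hello["suites"])
    return [s for s in server_suites
            if s in offered and (version >= 0x0303 or s not in TLS12_ONLY)]


def analyse(record, server_suites):
    """Return (negotiated version name, usable suites, findings)."""
    hello = parse_client_hello(record)
    version = min(hello["client_version"], 0x0303)
    offered = set(hello["suites"])
    findings = []
    if version < 0x0303 and TLS12_ONLY & offered:
        findings.append(f"client_version caps the handshake at {VERSION_NAMES[version]}; "
                        "the TLS 1.2-only suites it lists can never be selected")
    if NULL_CIPHER & offered:
        findings.append("client offers NULL-encryption suites; never enable them server-side")
    usable = usable_suites(hello, server_suites)
    if not usable:
        findings.append("no usable cipher suite in common: handshake fails")
    return VERSION_NAMES[version], usable, findings


# Constructed offer in the shape of the dump above (subset of its suites).
IOS_LIKE_SUITES = [0x00FF, 0xC024, 0xC028, 0xC027, 0xC014, 0xC013, 0xC011,
                   0x002F, 0x0035, 0x000A, 0xC010]
SAMPLE_HELLO = build_client_hello(0x0301, IOS_LIKE_SUITES)
# Made-up server configurations: AEAD-only, and AEAD plus ECDHE CBC suites.
SERVER_GCM_ONLY = [0xC030, 0xC02F]
SERVER_WITH_CBC = [0xC030, 0xC02F, 0xC028, 0xC014]

if __name__ == "__main__":
    for label, srv in (("gcm-only", SERVER_GCM_ONLY), ("gcm+cbc", SERVER_WITH_CBC)):
        version, usable, findings = analyse(SAMPLE_HELLO, srv)
        print(f"server {label}: {version}, usable {[SUITE_NAMES[s] for s in usable]}")
        for finding in findings:
            print("  -", finding)
```

Against the GCM-only list the constructed hello has no usable suite at all, and against the second list only TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA survives, because TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 is dead weight at TLS 1.0 even though both sides list it. To run the same check on a live client, capture its ClientHello with tcpdump or Wireshark and feed the raw record bytes to parse_client_hello, then pass the server's enabled suites (openssl ciphers -V on the server's cipher string prints their code points) to analyse.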
Sep 2, 2016 1:15 AM in response to puzzell by Martin R. Lerch
I was told by an Apple senior enterprise advisor that they confirmed that OS X 10.11 (and prior) and iOS 9 (and prior) do not support TLS 1.1 or 1.2 when it comes to Apple Mail. However, he said that macOS Sierra (10.12?) and the iOS 10 betas do support it. He also said that this may change in the final release, but I sure hope it will work in these versions. So, something to look forward to. He also said to sign up for the public beta and try it out, but I don't have a lot of spare time these days. Anyway, should be interesting.