When will IOS and OSX be compatible with TLS 1.1 and above we need to stop using TLS 1.0 for PCI compliance to pass.

iPhone 6, iOS 9.1

Posted on Oct 23, 2015 6:44 AM

25 replies

Apr 14, 2017 6:04 AM in response to menchyk

I too have some laptops that can't be upgraded to macOS 10.12. To my knowledge, there is no system update for OS X 10.11 or older to allow the Apple Mail client to support TLSv1.1 or v1.2, and therefore these older OS versions are not PCI compliant and can't be used anymore. And since Apple wants to sell new computers I highly doubt that they will do the right thing and bring out these updates for OS X 10.11 or older. Maybe switch to Microsoft Outlook on those machines. Outlook supports TLSv1.1 and 1.2.

Oct 26, 2015 4:24 AM in response to chattphotos

The ports support the use of all three TLS versions as per the output of an NMAP against your IP below for port 993 and 465. The mail application not only has to support TLS1_1 and 1_2 but will also need to support the use of the available ciphers being used by the Server.
You would need to confirm with your email application provider if they support the below ciphers and if not what ciphers they require for TLS greater than 1.0.

Oct 26, 2015 9:13 AM in response to puzzell

The ports support the use of all three TLS versions as per the output of an NMAP against your IP below for port 993 and 465. The mail application not only has to support TLS1_1 and 1_2 but will also need to support the use of the available ciphers being used by the Server.
You would need to confirm with your email application provider if they support the below ciphers and if not what ciphers they require for TLS greater than 1.0.

Please advise

Feb 8, 2016 9:20 AM in response to chattphotos

As of the latest OS X 10.11 and latest iOS 9.2.1, the Mail apps that ship with OS X or iOS do not support TLS v1.1 or TLS v1.2. Not sure why Apple is doing this, and why they don't fix it, but they don't support it. MS Outlook for OS X or iOS does support TLS v1.1 and v1.2, but Outlook is not compatible with iCloud Calendar and Address Book services. So disappointed that Apple can't fix this, or allow MS to integrate with iCloud. I have been in touch with an Apple senior advisor since last year, when PCI requirements stated that I have to get a waiver with an upgrade plan in place by sometime this year in order to continue using Apple's Mail clients and the super old TLS v1.0. It's so last millennium!


Apple, please get with it and even if you feel that the TLS exposure found by PCI is only applicable for web browser access, just fix your software. Make it compliant with current industry standards. Thank you.

May 23, 2016 12:11 AM in response to Martin R. Lerch

I called Apple before disabling the lower TLS protocols on my server and was told of course Apple Mail will work with TLS v 1.2. I absolutely have to make my server PCI compliant by disabling TLS v1.0 which I have done as well as TLS v1.1. Now, none of my Mac devices can connect for outgoing mail SMTP to the mail server. I found a solution for my desktop and laptop computers by installing MS Outlook. Outlook is able to connect to the TLS v1.2 server just fine to send as well as receive mail. I hate to have to resort to using Outlook since I've always preferred Apple Mail. That said, I still have a huge problem. I have clients who also use Apple products who need to be able to send and receive mail with Apple Mail. They aren't going to be very happy about me telling them that now they need to go out and buy MS Outlook. PCI compliance isn't just about securing the browser.


Were any of you able to get Apple Mail working when only TLS v1.2 is enabled on the server ?


Thanks.

Jul 5, 2016 12:23 PM in response to puzzell

As of the latest OS X 10.11.5 (15F34) and latest iOS 9.3.2, I found out the following about the Mail apps that ship with them:

OS X mail seems to support TLS v1.1 and TLS v1.2 for incoming mail/IMAP on port 993 secure. I turned off TLS v1.0 on the mail server and the Mail client on OS X is still able to receive mail.

BUT

Also I have to revert back to TLS v1.0 because:

1. The OS X Mail client is still not able to send mail via port 465 secure. Sits in the outbox and does nothing.

2. iOS Mail is still not supporting anything above TLS v1.0! What the heck!!!!! Apple!


Mr. L

Jul 5, 2016 5:47 PM in response to puzzell

So found out more. According to this document here https://www.apple.com/business/docs/iOS_Security_Guide.pdf iOS Mail does support TLS 1.2 (and probably OS X Mail too). I am totally stumped why it is still not working though. The iOS mail client can't connect to the server when TLS 1.0 is disabled. I wonder why that is. Totally stunned. I did however find out something though. Look at the area where it says Cipher is, and then the cipher used. Could it be that my mail server is trying to use a TLS v1.0 cipher and that's why iOS and OS X Mail can't send or connect to IMAP server securely?:


...
[host2]# openssl s_client -connect mail.domain.com:587
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.domain.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.domain.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFcTCCBFmgAwIBAgIRAJTBaqgKOaPAAc77yh9/NRowDQYJKoZIhvcNAQELBQAw
gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
VQQDEy1DT01P...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.domain.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 6095 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
...
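An added example, not code from the thread or from Apple, that turns the two checks the posts above do by hand into a small Python helper: it pulls the negotiated Protocol and Cipher out of openssl s_client output like the one just quoted (the "New, TLSv1/SSLv3" line is only OpenSSL's generic label), it answers whether ECDHE-RSA-AES256-GCM-SHA384 is a TLS 1.0-era suite (it is not; GCM and SHA384 suites exist only from TLS 1.2, so the cipher is not what blocks the Mail clients), and it probes ports 993, 465 and 587 one protocol version at a time so an admin can confirm which versions a server still accepts after disabling TLS 1.0. The host name, ports and sample output are constructed assumptions.

```python
import re
import smtplib
import socket
import ssl

# Constructed excerpt modelled on the s_client output quoted in the thread.
SAMPLE_S_CLIENT_OUTPUT = """\
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""

def parse_s_client(output):
    """(protocol, cipher) from the SSL-Session block. The 'New, TLSv1/SSLv3'
    line is OpenSSL's generic label, not the negotiated version; skip it."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    return (proto and proto.group(1), cipher and cipher.group(1))

def min_tls_for_cipher(cipher):
    """Lowest TLS version that can negotiate this OpenSSL cipher name: AEAD
    suites (GCM/CCM/CHACHA20) and SHA-256/384 HMAC suites are TLS 1.2-only."""
    return "TLSv1.2" if re.search(r"GCM|CCM|CHACHA20|SHA256|SHA384", cipher) else "TLSv1.0"

VERSIONS = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2}

def probe_versions(host, port, starttls_smtp=False, timeout=5):
    """One handshake per version; True means the server accepted that version.
    Ports 993/465 wrap TLS from the first byte; port 587 upgrades via STARTTLS."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            ctx = ssl.create_default_context()
            ctx.minimum_version = ctx.maximum_version = version  # pin one version
            ctx.set_ciphers("DEFAULT@SECLEVEL=0")  # let a modern client still offer 1.0/1.1
            if starttls_smtp:
                with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                    smtp.starttls(context=ctx)
            else:
                with socket.create_connection((host, port), timeout=timeout) as raw:
                    with ctx.wrap_socket(raw, server_hostname=host):
                        pass
            results[name] = True
        except (ssl.SSLError, OSError, ValueError, smtplib.SMTPException):
            results[name] = False  # refused, timed out, or version not built into client
    return results
```

Run `probe_versions("mail.example.com", 465)` and `probe_versions("mail.example.com", 587, starttls_smtp=True)` against your own server (hypothetical host) to see which versions each port still accepts; a port that only answers True for TLSv1.2 is the state the PCI scan wants.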
