

When will iOS and OS X be compatible with TLS 1.1 and above? We need to stop using TLS 1.0 for PCI compliance to pass.


iPhone 6, iOS 9.1

Posted on Oct 23, 2015 6:44 AM

25 replies

Apr 14, 2017 6:04 AM in response to menchyk

I too have some laptops that can't be upgraded to macOS 10.12. To my knowledge, there is no system update for OS X 10.11 or older to allow the Apple Mail client to support TLSv1.1 or v1.2, and therefore these older OS versions are not PCI compliant and can't be used anymore. And since Apple wants to sell new computers I highly doubt that they will do the right thing and bring out these updates for OS X 10.11 or older. Maybe switch to Microsoft Outlook on those machines. Outlook supports TLSv1.1 and 1.2.

Oct 23, 2015 7:04 AM in response to puzzell

TLS 1.2 is the current version, not 1.1

The Mac OS and iOS are up-to-date on the SSL/TLS versions, so in that, the devices are PCI compliant.


What is your setup like?

What web browser?

What tests are you performing?


Note, the SSL tester will crash the Chrome iOS browser, so only do it in Safari for now.


https://www.ssllabs.com/ssltest/viewMyClient.html






Oct 26, 2015 4:24 AM in response to chattphotos

The ports support the use of all three TLS versions as per the output of an NMAP against your IP below for ports 993 and 465. The mail application not only has to support TLS 1.1 and 1.2 but will also need to support the use of the available ciphers being used by the server.
You would need to confirm with your email application provider if they support the below ciphers and, if not, what ciphers they require for TLS greater than 1.0.

Oct 26, 2015 9:13 AM in response to puzzell

The ports support the use of all three TLS versions as per the output of an NMAP against your IP below for ports 993 and 465. The mail application not only has to support TLS 1.1 and 1.2 but will also need to support the use of the available ciphers being used by the server.
You would need to confirm with your email application provider if they support the below ciphers and, if not, what ciphers they require for TLS greater than 1.0.

Please advise

Feb 8, 2016 9:20 AM in response to chattphotos

As of the latest OS X 10.11 and latest iOS 9.2.1, the Mail apps that ship with OS X or iOS do not support TLS v1.1 or TLS v1.2. Not sure why Apple is doing this, and why they don't fix it, but they don't support it. MS Outlook for OS X or iOS does support TLS v1.1 and v1.2, but Outlook is not compatible with iCloud Calendar and Address Book services. So disappointed that Apple can't fix this, or allow MS to integrate with iCloud. I have been in touch with an Apple senior advisor since last year, when PCI requirements stated that I have to get a waiver with an upgrade plan in place by sometime this year in order to continue using Apple's Mail clients and the super old TLS v1.0. It's so last millennium!


Apple, please get with it and even if you feel that the TLS exposure found by PCI is only applicable for web browser access, just fix your software. Make it compliant with current industry standards. Thank you.

May 23, 2016 12:11 AM in response to Martin R. Lerch

I called Apple before disabling the lower TLS protocols on my server and was told that of course Apple Mail will work with TLS v1.2. I absolutely have to make my server PCI compliant by disabling TLS v1.0, which I have done, as well as TLS v1.1. Now, none of my Mac devices can connect for outgoing mail (SMTP) to the mail server. I found a solution for my desktop and laptop computers by installing MS Outlook. Outlook is able to connect to the TLS v1.2 server just fine to send as well as receive mail. I hate to have to resort to using Outlook since I've always preferred Apple Mail. That said, I still have a huge problem. I have clients who also use Apple products who need to be able to send and receive mail with Apple Mail. They aren't going to be very happy about me telling them that now they need to go out and buy MS Outlook. PCI compliance isn't just about securing the browser.


Were any of you able to get Apple Mail working when only TLS v1.2 is enabled on the server ?


Thanks.

Jul 5, 2016 12:23 PM in response to puzzell

As of the latest OS X 10.11.5 (15F34) and latest iOS 9.3.2, for the Mail apps that ship with them I found out the following:

OS X mail seems to support TLS v1.1 and TLS v1.2 for incoming mail/IMAP on port 993 secure. I turned off TLS v1.0 on the mail server and the Mail client on OS X is still able to receive mail.


BUT


Also, I have to revert back to TLS v1.0 because:

1. The OS X Mail client is still not able to send mail via port 465 secure. Sits in the outbox and does nothing.

2. iOS Mail is still not supporting anything above TLS v1.0! What the heck!!!!! Apple!


Mr. L

Jul 5, 2016 5:47 PM in response to puzzell

So found out more. According to this document here https://www.apple.com/business/docs/iOS_Security_Guide.pdf iOS Mail does support TLS 1.2 (and probably OS X Mail too). I am totally stumped why it is still not working though. The iOS mail client can't connect to the server when TLS 1.0 is disabled. I wonder why that is. Totally stunned. I did however find out something though. Look at the area where it says Cipher is, and then the cipher used. Could it be that my mail server is trying to use a TLS v1.0 cipher and that's why iOS and OS X Mail can't send or connect to IMAP server securely?:


...
[host2]# openssl s_client -connect mail.domain.com:587
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.domain.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.domain.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFcTCCBFmgAwIBAgIRAJTBaqgKOaPAAc77yh9/NRowDQYJKoZIhvcNAQELBQAw
gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
VQQDEy1DT01P...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.domain.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 6095 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
...

Aug 31, 2016 7:49 AM in response to Martin R. Lerch

Here's a method describing how to test the available ciphers:


http://www.heise.de/forum/Mac-i/News-Kommentare/Verschluesselung-Apple-heuert-Krypto-Experten-zurueck/iOS-9-vollstaendige-CipherSuite-fuer-IMAP-gegen-OpenSSL-1-0-1/posting-28680930/show/


By iteratively stripping the ciphers from the suite you'll get this preference:


TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ECDHE-RSA-AES256-SHA)

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ECDHE-RSA-AES128-SHA)

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (ECDHE-RSA-DES-CBC3-SHA)

TLS_DHE_RSA_WITH_AES_256_CBC_SHA (DHE-RSA-AES256-SHA)

TLS_DHE_RSA_WITH_AES_128_CBC_SHA (DHE-RSA-AES128-SHA)

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (EDH-RSA-DES-CBC3-SHA)

TLS_RSA_WITH_AES_256_CBC_SHA (AES256-SHA)

TLS_RSA_WITH_AES_128_CBC_SHA (AES128-SHA)

TLS_RSA_WITH_3DES_EDE_CBC_SHA (DES-CBC3-SHA)

TLS_ECDHE_RSA_WITH_RC4_128_SHA (ECDHE-RSA-RC4-SHA)

TLS_RSA_WITH_RC4_128_SHA (RC4-SHA)

TLS_RSA_WITH_RC4_128_MD5 (RC4-MD5)


But on TLS CLIENT HELLO there are actually more ciphers announced (here: iOS 6 Apple Mail):


# ./show-cipher-preference 993;echo $?
Version: TLSv1
Record Length: 173
Message Length: 169
Version: TLSv1
ServerRandom, Time: 1472654266,
Wed Aug 31 16:37:46 2016
(time reversed:) 3136013911,
c/loJan ?. /(:.':,+ 1970
Session ID Length: 0
Cipher Suite Length: 88
0x00 0xFF TLS_EMPTY_RENEGOTIATION_INFO_SCSV
0xC0 0x24 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (ECDHE-ECDSA-AES256-SHA384)
0xC0 0x23 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (ECDHE-ECDSA-AES128-SHA256)
0xC0 0x0A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ECDHE-ECDSA-AES256-SHA)
0xC0 0x09 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ECDHE-ECDSA-AES128-SHA)
0xC0 0x07 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (ECDHE-ECDSA-RC4-SHA)
0xC0 0x08 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (ECDHE-ECDSA-DES-CBC3-SHA)
0xC0 0x28 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ECDHE-RSA-AES256-SHA384)
0xC0 0x27 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ECDHE-RSA-AES128-SHA256)
0xC0 0x14 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ECDHE-RSA-AES256-SHA)
0xC0 0x13 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ECDHE-RSA-AES128-SHA)
0xC0 0x11 TLS_ECDHE_RSA_WITH_RC4_128_SHA (ECDHE-RSA-RC4-SHA)
0xC0 0x12 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (ECDHE-RSA-DES-CBC3-SHA)
0xC0 0x26 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
0xC0 0x25 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
0xC0 0x2A TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
0xC0 0x29 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
0xC0 0x04 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
0xC0 0x05 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
0xC0 0x02 TLS_ECDH_ECDSA_WITH_RC4_128_SHA
0xC0 0x03 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
0xC0 0x0E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
0xC0 0x0F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
0xC0 0x0C TLS_ECDH_RSA_WITH_RC4_128_SHA
0xC0 0x0D TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
0x00 0x3D TLS_RSA_WITH_AES_256_CBC_SHA256 (AES256-SHA256)
0x00 0x3C TLS_RSA_WITH_AES_128_CBC_SHA256 (AES128-SHA256)
0x00 0x2F TLS_RSA_WITH_AES_128_CBC_SHA (AES128-SHA)
0x00 0x05 TLS_RSA_WITH_RC4_128_SHA (RC4-SHA)
0x00 0x04 TLS_RSA_WITH_RC4_128_MD5 (RC4-MD5)
0x00 0x35 TLS_RSA_WITH_AES_256_CBC_SHA (AES256-SHA)
0x00 0x0A TLS_RSA_WITH_3DES_EDE_CBC_SHA (DES-CBC3-SHA)
0x00 0x67 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (DHE-RSA-AES128-SHA256)
0x00 0x6B TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (DHE-RSA-AES256-SHA256)
0x00 0x33 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (DHE-RSA-AES128-SHA)
0x00 0x39 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (DHE-RSA-AES256-SHA)
0x00 0x16 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (DHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA)
0xC0 0x06 TLS_ECDHE_ECDSA_WITH_NULL_SHA (ECDHE-ECDSA-NULL-SHA)
0xC0 0x10 TLS_ECDHE_RSA_WITH_NULL_SHA (ECDHE-RSA-NULL-SHA)
0xC0 0x01 TLS_ECDH_ECDSA_WITH_NULL_SHA
0xC0 0x0B TLS_ECDH_RSA_WITH_NULL_SHA
0x00 0x3B TLS_RSA_WITH_NULL_SHA256 (NULL-SHA256)
0x00 0x02 TLS_RSA_WITH_NULL_SHA (NULL-SHA)
0x00 0x01 TLS_RSA_WITH_NULL_MD5 (NULL-MD5)
Compression Methods Length: 1
Extensions Length: 40
Extension: 0x00 0x00, Extension Length: 18
Extension: 0x00 0x0A, Extension Length: 8, EC list: sect233k1 secp256r1 secp384r1 secp521r1
Extension: 0x00 0x0B, Extension Length: 2
0


It looks like the client (iOS Apple Mail) only announces TLS 1.2 ciphers but could only negotiate on TLS 1.0 ciphers with the server.
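The two dumps in this thread show where the confusion comes from: the record layer of the ClientHello says "Version: TLSv1" while the suite list contains SHA256/SHA384 suites, and openssl s_client against the same server reports "Protocol : TLSv1.2". The deciding field is the client_version inside the ClientHello, not the record-layer version and not the length of the suite list: HMAC-SHA256/SHA384 suites (RFC 5246) and GCM suites (RFC 5288) can only be negotiated when the client offers TLS 1.2, so a client that lists them but sends client_version 0x0301 still ends up on TLS 1.0. The Python below is an added example, not code from the thread or from the show-cipher-preference tool: it builds a constructed ClientHello with the same layout as the dump above (record-layer version pinned to TLS 1.0, client_version TLS 1.2), parses it, and sorts the announced suites into TLS 1.2-only, usable at TLS 1.0, and insecure (NULL/RC4). The hostname mail.example.com, the timestamp, the suite subset and the curve list are constructed sample values; the suite and curve IDs are the IANA-registered ones.

```python
"""Decode a TLS ClientHello and show what the client can actually negotiate.
Added example: the ClientHello is constructed here, not captured from the thread."""
import struct
from datetime import datetime, timezone

# Suite ID -> IANA name (subset of the thread's dump plus the GCM suite that
# openssl s_client negotiated on port 587).
SUITES = {
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC010: "TLS_ECDHE_RSA_WITH_NULL_SHA",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
CURVES = {6: "sect233k1", 23: "secp256r1", 24: "secp384r1", 25: "secp521r1"}


def _u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_client_hello(data: bytes) -> dict:
    """Walk record header -> handshake header -> ClientHello body (RFC 5246 7.4.1.2)."""
    if len(data) < 5:
        raise ValueError("too short for a record header")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + rec_len]
    if ctype != 0x16 or rec_len < 4 or len(body) != rec_len:
        raise ValueError("not a complete handshake record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if body[0] != 0x01 or len(hello) != hs_len:
        raise ValueError("not a complete ClientHello")
    client_ver = _u16(hello, 0)
    gmt_time = struct.unpack("!I", hello[2:6])[0]   # first 4 bytes of Random
    pos = 34 + 1 + hello[34]                        # skip Random and session_id
    cs_len = _u16(hello, pos)
    pos += 2
    suites = [_u16(hello, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                           # compression_methods
    exts = {}
    if pos < len(hello):
        end = pos + 2 + _u16(hello, pos)
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            exts[etype] = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    sni = None
    if 0 in exts:                                   # server_name: list_len, type, name_len, name
        sni = exts[0][5:5 + _u16(exts[0], 3)].decode("ascii")
    curves = []
    if 10 in exts:                                  # elliptic_curves: list_len, ids...
        ids = [_u16(exts[10], i) for i in range(2, 2 + _u16(exts[10], 0), 2)]
        curves = [CURVES.get(c, f"curve_{c}") for c in ids]
    return {"record_version": rec_ver, "client_version": client_ver,
            "gmt_unix_time": gmt_time,
            "time_utc": datetime.fromtimestamp(gmt_time, tz=timezone.utc).isoformat(),
            "cipher_suites": suites, "sni": sni, "curves": curves}


def assess(hello: dict) -> dict:
    """Sort announced suites; a long list alone does not make TLS 1.2 negotiable."""
    names = [SUITES.get(s, f"unknown_0x{s:04X}") for s in hello["cipher_suites"]]
    tls12_only = [n for n in names if any(m in n for m in ("_SHA256", "_SHA384", "_GCM_"))]
    insecure = [n for n in names if "_NULL_" in n or "_RC4_" in n]
    usable_10 = [n for n in names if n not in tls12_only and n not in insecure and "SCSV" not in n]
    return {"max_version": VERSIONS.get(hello["client_version"], f"0x{hello['client_version']:04X}"),
            "record_layer_version": VERSIONS.get(hello["record_version"], f"0x{hello['record_version']:04X}"),
            "tls12_only_suites": tls12_only, "insecure_suites": insecure, "usable_at_tls10": usable_10}


def build_client_hello(client_version, suites, sni, curves, gmt_time):
    """Constructed ClientHello: record-layer version pinned to TLS 1.0 (common client
    practice, as in the thread's dump) while client_version carries the real maximum."""
    rnd = struct.pack("!I", gmt_time) + bytes(range(28))      # fixed bytes, not random
    name = sni.encode("ascii")
    ext_sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext_curves = struct.pack("!H", 2 * len(curves)) + b"".join(struct.pack("!H", c) for c in curves)
    ext_points = b"\x01\x00"                                    # uncompressed points only
    exts = b"".join(struct.pack("!HH", t, len(d)) + d
                    for t, d in ((0, ext_sni), (10, ext_curves), (11, ext_points)))
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", client_version) + rnd + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


# Constructed sample: TLS 1.2 client, the thread's timestamp, a subset of its suites.
SAMPLE_SUITES = [0x00FF, 0xC024, 0xC028, 0xC027, 0xC014, 0xC013, 0xC011, 0xC012,
                 0xC030, 0x003D, 0x002F, 0x0035, 0x0005, 0x0004, 0x000A, 0xC010, 0x0002]
SAMPLE_HELLO = build_client_hello(0x0303, SAMPLE_SUITES, "mail.example.com", [6, 23, 24, 25], 1472654266)

if __name__ == "__main__":
    parsed = parse_client_hello(SAMPLE_HELLO)
    for key, value in {**parsed, **assess(parsed)}.items():
        print(f"{key}: {value}")
```

To use this on a real client, feed the first record the client sends (for example the bytes captured by the tool above, or a pcap) to parse_client_hello; if max_version comes back as TLSv1.0 while the suite list is full of SHA256/SHA384 entries, the client cannot negotiate anything above TLS 1.0 no matter what the server enables, which is the situation the thread describes for iOS Mail.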

