No way to configure supported TLS cipher suites or protocols
| Originator: | pepi.zawodsky | | |
| Number: | rdar://15794311 | Date Originated: | 10-Jan-2014 08:41 PM |
| Status: | Open | Resolved: | |
| Product: | OS X | Product Version: | any |
| Classification: | Security | Reproducible: | Always |
Summary:
OS X does not provide any interface or public means to configure which cipher suites are supported in OS X or its crypto stack.

Steps to Reproduce:
Search for a prefPanel or defaults command to configure which cipher suites are supported to turn off insecure and weak ciphers and protocols.

Expected Results:
There should be a UI to configure supported cipher suites and protocols.

Actual Results:
There is no way for a user to configure this via GUI, preferences in Safari.app, Mail.app or any defaults command at all.

Regression:
This sadly has never been supported in OS X.

Notes:
The currently very fast progressing crypto scene gives us new knowledge about ciphers becoming insecure almost on a daily basis now. Yet there is no way to turn off now-known-to-be-insecure ciphers like RC4 in OS X to secure one's operating system from adversaries. This results in OS X becoming a very insecure platform overall and no way to mitigate this situation for users or system administrators.