No OS X Yosemite Server service supports TLS 1.1 or TLS 1.2
| Originator: | pepi.zawodsky | ||
| Number: | rdar://17417966 | Date Originated: | 23-Jun-2014 03:23 PM |
| Status: | Open | Resolved: | |
| Product: | OS X Server | Product Version: | 10.10b2 |
| Classification: | Security | Reproducible: | Always |
Summary: OS X Server services only support old and insecure protocols but not the current TLS version 1.2. Steps to Reproduce: Start any OS X service that supports encryption, like Mail, Webserver, XMPP, Calendar, Contacts, etc. Expected Results: In 2014 EVERY server component should be able to run TLS 1.2 and have that active as the default. Actual Results: Apple's OS X Server is stuck at TLS 1.0 which is not considered secure anymore making it impossible to use OS X Server on the internet and have services secured. Regression: This is likely connected to Apple refusing to upgrade OpenSSL from their ancient 0.9.8y version shipping with all supported OS X versions and all server services linked against this version which prevents secure services on OS X. Notes: I'm personally disgusted by Apple's loud announcements of caring for user's privacy (which would be a good thing) but then ignoring all those, now only considered marketing claims, by not delivering. Not supporting forward secrecy and current TLS versions is a huge oversight and a direct contribution to mass surveillance of OS X users.
Comments
Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!