App Security NSExceptionRequiresForwardSecrecy Cipher suites incorrect
| Field | Value | Field | Value |
|---|---|---|---|
| Originator: | pepi.zawodsky | | |
| Number: | rdar://21534452 | Date Originated: | 2015-06-25 |
| Status: | Reopened | Resolved: | |
| Product: | OS X, iOS | Product Version: | 10.11, iOS 9.0/9.1 |
| Classification: | Security | Reproducible: | Always |
Summary:

Regarding the new App Transport Security cipher suites for NSExceptionRequiresForwardSecrecy: the list of cipher suites is incorrect.

https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/index.html#//apple_ref/doc/uid/TP40016240-CH1-SW3

Steps to Reproduce:

See the NSExceptionRequiresForwardSecrecy documentation. Under "Default Behavior" the accepted cipher suites are listed as follows:

The accepted ciphers are:

- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Due to the ECDHE handshake these cipher suites provide forward secrecy. (Which is GREAT, and we always must require forward secrecy!)

This list of cipher suites is missing the TLS_DHE_* (non-elliptic-curve, Diffie-Hellman Ephemeral) handshakes.

Expected Results:

I would expect, since the NSExceptionRequiresForwardSecrecy default is (correctly) set to YES, that these cipher suites are also enabled, since they definitely provide forward secrecy:

- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA

Prioritizing ECDHE over DHE suites is OK, since they are a little faster and need a little less CPU work, which benefits clients with less processing power like phones (compared to desktop/laptop computers) and also helps with high-latency networks like GSM/UMTS/LTE. But these DHE suites must be included in the accepted suites when NSExceptionRequiresForwardSecrecy is YES.

Actual Results:

When NSExceptionRequiresForwardSecrecy is set to NO, cipher suites that definitely support forward secrecy are added in addition to those that do not provide any FS (plain RSA handshakes). These cipher suites should be in the forward secrecy list:

- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA

These ciphers are correctly added for NSExceptionRequiresForwardSecrecy NO:

- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA

Version: iOS 9

Notes:

Configuration: n/a

Attachments:
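The point of the radar is that forward secrecy is a property of the key exchange, not of the cipher or MAC, and it can be read straight off an IANA cipher suite name: ECDHE_* and DHE_* are ephemeral Diffie-Hellman, plain RSA (and static DH/ECDH) are not. The script below is an added example written for this page, not Apple's ATS code or anything from the reporter; it parses suite names with that rule, applies it to the two ATS lists quoted in the report (copied verbatim above), and lists the suites that ATS only enables with NSExceptionRequiresForwardSecrecy = NO even though they provide forward secrecy. The ECDHE-before-DHE ordering in `order_by_key_exchange` is the priority the report suggests, not ATS's real ordering.

```python
"""Classify TLS cipher suites by key exchange and check the ATS lists for
forward secrecy. Illustrative code for this page, not Apple's ATS logic."""
import re

# Suites the ATS documentation accepts with NSExceptionRequiresForwardSecrecy = YES
# (copied from the radar text above).
ATS_FS_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]

# Suites the documentation adds only when NSExceptionRequiresForwardSecrecy = NO
# (also copied from the radar text above).
ATS_NON_FS_ADDITIONS = [
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# TLS 1.2-style IANA names: TLS_<kx[_auth]>_WITH_<cipher>_<mac>.
_SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)$")
# Only ephemeral Diffie-Hellman key exchanges give forward secrecy.
_EPHEMERAL = {"ECDHE", "DHE"}
# Sort priority suggested by the report: ECDHE first, then DHE, everything else last.
_KX_PRIORITY = {"ECDHE": 0, "DHE": 1}


def key_exchange(suite: str) -> str:
    """Return the key-exchange/authentication part of a suite name,
    e.g. 'ECDHE_RSA' for TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
    Raises ValueError for names without the TLS 1.2 _WITH_ structure."""
    m = _SUITE_RE.match(suite)
    if not m:
        raise ValueError(f"not a TLS 1.2-style cipher suite name: {suite!r}")
    return m.group("kx")


def provides_forward_secrecy(suite: str) -> bool:
    """True when the key exchange is DHE or ECDHE (ephemeral). Static RSA,
    DH_RSA, ECDH_ECDSA and PSK-only suites return False."""
    return key_exchange(suite).split("_")[0] in _EPHEMERAL


def partition(suites):
    """Split a suite list into (forward_secret, not_forward_secret), keeping order."""
    fs = [s for s in suites if provides_forward_secrecy(s)]
    return fs, [s for s in suites if s not in fs]


def misclassified_non_fs_suites():
    """Suites ATS enables only with RequiresForwardSecrecy = NO that do in fact
    provide forward secrecy: the discrepancy the radar reports."""
    return partition(ATS_NON_FS_ADDITIONS)[0]


def order_by_key_exchange(suites):
    """Stable sort: ECDHE, then DHE, then non-ephemeral suites, preserving the
    documented order within each group (the report's suggested priority)."""
    return sorted(
        suites,
        key=lambda s: _KX_PRIORITY.get(key_exchange(s).split("_")[0], 2),
    )


if __name__ == "__main__":
    for s in misclassified_non_fs_suites():
        print("forward-secret but only enabled with RequiresForwardSecrecy=NO:", s)
```

Running it prints the six TLS_DHE_RSA_* suites from the report. The classifier deliberately rejects names without a `_WITH_` segment (such as TLS 1.3 suites, which name no key exchange at all) rather than guessing, and treats ECDH_*/DH_* static suites as non-forward-secret, which is the distinction that matters when auditing a cipher suite list.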