Server 5.0.3: does not support TLS 1.2

Originator: anfalas
Number: rdar://22758266
Date Originated: 18-Sep-2015 05:46 PM
Status: Open
Resolved:
Product: OS X Server
Product Version: Server 5.0.3 (605)
Classification: Security
Reproducible: Always
 
Summary:
OS X Server Version 5 still does not provide TLSv1.2.

Steps to Reproduce:
openssl ciphers -v "TLSv1.2"
Error in cipher list
77059:error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/ssl_ciph.c:813:

Apache cannot use TLSv1.2 as SSLProtocol.


% nscurl --ats-diagnostics https://OSXSERVER.rrze.uni-erlangen.de
Starting ATS Diagnostics

Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://OSXSERVER.rrze.uni-erlangen.de.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
Use '--verbose' to view the ATS dictionaries used and to display the error received in URLSession:task:didCompleteWithError:.
================================================================================

Default ATS Secure Connection
---
ATS Default Connection
2015-09-18 17:43:31.818 nscurl[45938:3550240] CFNetwork SSLHandshake failed (-9824)
2015-09-18 17:43:31.819 nscurl[45938:3550240] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
---

================================================================================

Allowing Arbitrary Loads

---
Allow All Loads
Result : PASS
---

================================================================================

Configuring TLS exceptions for OSXSERVER.rrze.uni-erlangen.de

---
TLSv1.2
2015-09-18 17:43:32.030 nscurl[45938:3550240] CFNetwork SSLHandshake failed (-9824)
2015-09-18 17:43:32.030 nscurl[45938:3550240] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
---

---
TLSv1.1
2015-09-18 17:43:32.033 nscurl[45938:3550240] CFNetwork SSLHandshake failed (-9824)
2015-09-18 17:43:32.034 nscurl[45938:3550240] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
---

---
TLSv1.0
2015-09-18 17:43:32.037 nscurl[45938:3550240] CFNetwork SSLHandshake failed (-9824)
2015-09-18 17:43:32.037 nscurl[45938:3550240] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
Result : FAIL
---

================================================================================

Configuring PFS exceptions for OSXSERVER.rrze.uni-erlangen.de

---
Disabling Perfect Forward Secrecy
2015-09-18 17:43:32.040 nscurl[45938:3550240] CFNetwork SSLHandshake failed (-9801)
2015-09-18 17:43:32.040 nscurl[45938:3550240] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
Result : FAIL
---

================================================================================

Configuring PFS exceptions and allowing insecure HTTP for OSXSERVER.rrze.uni-erlangen.de

---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
2015-09-18 17:43:32.044 nscurl[45938:3550240] CFNetwork SSLHandshake failed (-9801)
2015-09-18 17:43:32.055 nscurl[45938:3550240] CFNetwork SSLHandshake failed (-9801)
2015-09-18 17:43:32.058 nscurl[45938:3550240] CFNetwork SSLHandshake failed (-9801)
2015-09-18 17:43:32.058 nscurl[45938:3550240] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
Result : FAIL
---

================================================================================

Configuring TLS exceptions with PFS disabled for OSXSERVER.rrze.uni-erlangen.de

---
TLSv1.2 with PFS disabled
2015-09-18 17:43:32.062 nscurl[45938:3550240] CFNetwork SSLHandshake failed (-9801)
2015-09-18 17:43:32.062 nscurl[45938:3550240] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
Result : FAIL
---

---
TLSv1.1 with PFS disabled
2015-09-18 17:43:32.066 nscurl[45938:3550240] CFNetwork SSLHandshake failed (-9801)
2015-09-18 17:43:32.066 nscurl[45938:3550240] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
Result : FAIL
---

---
TLSv1.0 with PFS disabled
Result : PASS
---

================================================================================

Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for OSXSERVER.rrze.uni-erlangen.de

---
TLSv1.2 with PFS disabled and insecure HTTP allowed
2015-09-18 17:43:32.131 nscurl[45938:3550240] CFNetwork SSLHandshake failed (-9801)
2015-09-18 17:43:32.165 nscurl[45938:3550240] CFNetwork SSLHandshake failed (-9801)
2015-09-18 17:43:32.168 nscurl[45938:3550240] CFNetwork SSLHandshake failed (-9801)
2015-09-18 17:43:32.169 nscurl[45938:3550240] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
Result : FAIL
---

---
TLSv1.1 with PFS disabled and insecure HTTP allowed
2015-09-18 17:43:32.172 nscurl[45938:3550240] CFNetwork SSLHandshake failed (-9801)
2015-09-18 17:43:32.175 nscurl[45938:3550240] CFNetwork SSLHandshake failed (-9801)
2015-09-18 17:43:32.178 nscurl[45938:3550240] CFNetwork SSLHandshake failed (-9801)
2015-09-18 17:43:32.178 nscurl[45938:3550240] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)
Result : FAIL
---

---
TLSv1.0 with PFS disabled and insecure HTTP allowed
Result : PASS
---

================================================================================

Expected Results:
Since iOS 9 and OS X 10.11 are both trying to make a big step on security (e.g. TLSv1.2 needed for 802.1x), one would expect Apple's own products to do the same.
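
The following is an added example, not part of the original report: a small parser that reduces `nscurl --ats-diagnostics` output to per-test verdicts and shows which exception set a client needs to reach the server over HTTPS. The function names are hypothetical, the sample is abridged from the output above, and the error names are the SecureTransport constants for the two codes that appear in it.

```python
import re

# SecureTransport names (SecureTransport.h) for the two codes in the report.
SSL_ERRORS = {-9801: "errSSLNegotiation", -9824: "errSSLPeerHandshakeFail"}

# Abridged from the report's nscurl output; section headers omitted.
SAMPLE = """\
---
ATS Default Connection
2015-09-18 17:43:31.818 nscurl[45938:3550240] CFNetwork SSLHandshake failed (-9824)
Result : FAIL
---
---
Allow All Loads
Result : PASS
---
---
TLSv1.0
2015-09-18 17:43:32.037 nscurl[45938:3550240] CFNetwork SSLHandshake failed (-9824)
Result : FAIL
---
---
TLSv1.2 with PFS disabled
2015-09-18 17:43:32.062 nscurl[45938:3550240] CFNetwork SSLHandshake failed (-9801)
Result : FAIL
---
---
TLSv1.0 with PFS disabled
Result : PASS
---
"""

def parse_ats(text):
    """Return [(test_name, passed, error_codes)] for each '---' delimited test block."""
    results = []
    for block in re.split(r"^---\s*$", text, flags=re.M):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        verdict = [l for l in lines if l.startswith("Result :")]
        if not verdict:
            continue  # blank gaps and section headers carry no verdict
        codes = sorted({int(c) for c in re.findall(r"\((-\d+)\)", block)})
        results.append((lines[0], verdict[0].endswith("PASS"), codes))
    return results

def https_passes(results):
    """Passing tests that still use TLS, i.e. what a client must relax to connect."""
    return [n for n, ok, _ in results if ok and "HTTP" not in n and n != "Allow All Loads"]

if __name__ == "__main__":
    print(https_passes(parse_ats(SAMPLE)))
```

On the report's output the only HTTPS configuration that passes is "TLSv1.0 with PFS disabled", which is the weakest exception set ATS offers short of allowing arbitrary loads.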
