OS X 10.10.x violates RFC 7465 by offering RC4 as cipher
| Originator: | pepi.zawodsky | ||
| Number: | rdar://22761068 | Date Originated: | 18-Sep-2015 08:27 PM |
| Status: | Open | Resolved: | |
| Product: | OS X | Product Version: | 10.10.5 |
| Classification: | Security | Reproducible: | Always |
Summary: iOS 9 violates RFC 7465 by offering RC4 as cipher Steps to Reproduce: Connect to a test service (web server, mail server, XMPP, etc.) that only offers RC4 cipher suits. Expected Results: TLS Handshake must fail. Actual Results: OS X happily connects with an insecure cipher suite which use violates TLS standards 1.0, 1.1, 1.2. Regression: This should have been fixed in earlier OS X releases already, but is still present in OS X 10.10.x public release and 10.11 betas. Notes: RFC 7465 https://tools.ietf.org/html/rfc7465 TLS clients MUST NOT include RC4 cipher suites in the ClientHello message. TLS servers MUST NOT select an RC4 cipher suite when a TLS client sends such a cipher suite in the ClientHello message.
Comments
Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!