Server 4.x violates RFC 7465 by offering RC4 as cipher
| Originator: | pepi.zawodsky | ||
| Number: | rdar://22761190 | Date Originated: | 18-Sep-2015 08:33 PM |
| Status: | Open | Resolved: | |
| Product: | OS X Server | Product Version: | 5.0.x |
| Classification: | Security | Reproducible: | Always |
Summary: Server 5.0.x violates RFC 7465 by offering RC4 as cipher Steps to Reproduce: Configure any OS X Service with TLS. Test offered service suites, for example with nmap. HTTPS: nmap --script ssl-cert,ssl-enum-ciphers -p 443 osx.example.com But the same issue applies for ANY service that is offered by ANY OS X Server version. This includes XMPP, Web, Wiki, Email, Profile manager, anything. (Calendar and Contacts are currently completely broken due to a failure of Server.app to configure the Proxyservice but they would also be vulnerable if that wasn't the case.) Expected Results: TLS Handshake must fail. Actual Results: OS X happily offers insecure RC4 cipher suite which violates TLS standards 1.0, 1.1, 1.2. Regression: This should have been fixed in Server 4.0.x, 4.1.x already. It is still present in Server 5.0.x running on any of Yosemite or El Capitan. Notes: RFC 7465 https://tools.ietf.org/html/rfc7465 TLS clients MUST NOT include RC4 cipher suites in the ClientHello message. TLS servers MUST NOT select an RC4 cipher suite when a TLS client sends such a cipher suite in the ClientHello message.
Comments
Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!