TLS 1.3 cannot be enforced for macOS/iOS applications

Originator: blochberger.max
Number: rdar://50887327
Date Originated: 2019-05-17
Status: Resolved
Resolved: 2020-11-20
Product: macOS, iOS
Product Version: macOS 10.14.5, iOS 12.3
Classification:
Reproducible: yes

When creating a new iOS/macOS application, App Transport Security (ATS) is enabled by default. The default configuration enforces a minimum TLS version of TLS 1.2. A developer who wants to harden this configuration by enforcing TLS 1.3 connections currently cannot do so.

Assume that example.com supports TLS 1.3.

When trying to enforce TLS 1.3 for example.com, either via the ATS configuration or by setting the minimum supported TLS protocol programmatically, all connections to example.com fail.

For applications, only TLS 1.2 connections are established unless the maximum supported TLS protocol is explicitly set to `.tlsProtocol13` or `.tlsProtocolMaxSupported`.

Command line applications on macOS behave differently: there is no ATS, and TLS 1.3 connections are established by default. TLS 1.3 cannot be enforced for them either.
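As an added illustration (not the report's own proof-of-concept), a macOS command-line Swift script that exercises the programmatic path described above and reports whether the minimum-TLS setting is honoured. The host example.com and the labels are assumptions; the script only records success or failure of the connection.

```swift
import Foundation
import Security

// Added example, not from the original report.
// Assumes the target host supports TLS 1.3, as the report assumes for example.com.
let target = URL(string: "https://example.com/")!

// The ATS (Info.plist) equivalent, which the report says fails in the same way:
//   NSAppTransportSecurity > NSExceptionDomains > example.com
//     > NSExceptionMinimumTLSVersion = "TLSv1.3"

/// Opens one HTTPS request with the given TLS bounds and prints the outcome.
/// Returns true when the request completed without a transport error.
@discardableResult
func probe(minimum: SSLProtocol, maximum: SSLProtocol, label: String) -> Bool {
    let config = URLSessionConfiguration.ephemeral
    config.tlsMinimumSupportedProtocol = minimum
    config.tlsMaximumSupportedProtocol = maximum
    let session = URLSession(configuration: config)

    var succeeded = false
    let done = DispatchSemaphore(value: 0)
    let task = session.dataTask(with: target) { _, response, error in
        if let error = error {
            print("\(label): FAILED - \(error.localizedDescription)")
        } else if let http = response as? HTTPURLResponse {
            print("\(label): HTTP \(http.statusCode)")
            succeeded = true
        }
        done.signal()
    }
    task.resume()
    done.wait()
    return succeeded
}

// Baseline: the platform default (minimum TLS 1.2) connects.
probe(minimum: .tlsProtocol12, maximum: .tlsProtocolMaxSupported, label: "min TLS 1.2")

// Hardening attempt: per the report, on macOS 10.14.5 / iOS 12.3 this fails
// even though the host speaks TLS 1.3, so the stricter setting cannot be relied on.
probe(minimum: .tlsProtocol13, maximum: .tlsProtocolMaxSupported, label: "min TLS 1.3")
```

Run it with `swift probe.swift` on the affected OS to reproduce the failure, and on macOS 11 or later to confirm the fix the report's edit describes.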

See details and proof-of-concept code at https://gist.github.com/blochberger/8e98f768502283dccb245f7ca81a79f8

EDIT:
Fixed with macOS 11 (Big Sur). Validated on macOS 11.0.1 (20B50). The resolved date is approximate.
