
Where to find Apple OS X/iOS cipher suite data?

Question asked by Daniel Salzedo on Oct 16, 2015
Latest reply on Oct 20, 2015 by Daniel Salzedo

I'm doing TLS research at present and hope this is the right place to post this. I'm having a hard time finding official Apple documentation on what cipher suites they support. Unlike Microsoft, Google or Java, they don't seem to have a single support page with a list of the cipher suites supported by OS or API version. I can of course get some of this from the Qualys SSL Labs - Projects / User Agent Capabilities page, but this has not yet been updated to OS X 10.11/iOS 9. In addition, this only shows the cipher suites reported as enabled when a client connects and not the full list of suites that may be supported but not enabled by default or exposed to browser applications.

 

Also, not being an Apple developer myself, I am confused by how they implement TLS at the API level. It appears they have OpenSSL, CFNetwork and Secure Transport APIs available. (See Transmitting Data Securely.) CFNetwork says it is "built on top of" Secure Transport but does not specify if cipher suite support is identical or a subset thereof. I assume the default Apple web browsers use Secure Transport, but I have no idea if third-party browsers can choose to use OpenSSL instead.

 

Lastly, I noticed in the iOS 9 Release Notes that Apple have disabled support for all RSA_DHE cipher suites. No reason is given for this, but I assume it is because of the group/ephemeral key size issues that are becoming more prominent. (E.g.: How the NSA can break trillions of encrypted Web and VPN connections | Ars Technica.) Although I guess this is at least an official announcement and better than Google's recent removal of client support for the P521 (secp512r1) ECC curve in Chrome without any notice whatsoever. (Issue 477623 - chromium - Security: With Chrome 42 Elliptic curves secp512r1 missing - An open-source project to help…)


Thanks,

Daniel.
