iOS 8.3 Email SSL Protocol/Cipher
I recently updated the SSL protocol/cipher list accepted by my mailserver to exclude TLSv1.0 since it is now considered a weak protocol. This broke iOS' ability to send and receive mail. After reviewing the mailserver logs I discovered that iOS uses TLSv1.0 : RC4-SHA to send and receive mail. I did a browser check on http://ssllabs.com/ and it confirms that Safari on the phone is using the updated TLSv1.2. Does anyone have a workaround besides re-enabling TLSv1.0 on the mailserver, which would reduce the security on the mailserver and cause it to fail a PCI vulnerability scan? Does anyone know when Apple is planning to update to a more secure protocol for email?
iPhone 6plus
iOS 8.3 (12F70)
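The log review described in the question can be done before TLSv1.0 is switched off, to see which clients would lose access. The following is an added example, not part of the original post: it assumes Postfix-style `TLS connection established` log lines (the post does not name the mail server software), and the sample lines, addresses and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format Postfix smtpd writes when TLS
# logging is enabled (assumption: the post does not say which server is used).
SAMPLE_LOG = """\
May  4 10:01:12 mx postfix/smtpd[2101]: Anonymous TLS connection established from unknown[192.0.2.10]: TLSv1 with cipher RC4-SHA (128/128 bits)
May  4 10:02:40 mx postfix/smtpd[2102]: Anonymous TLS connection established from unknown[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May  4 10:05:03 mx postfix/smtpd[2103]: Anonymous TLS connection established from unknown[192.0.2.10]: TLSv1 with cipher RC4-SHA (128/128 bits)
May  4 10:07:55 mx postfix/smtpd[2104]: connect from unknown[203.0.113.5]
May  4 10:09:21 mx postfix/smtpd[2105]: Anonymous TLS connection established from unknown[203.0.113.5]: TLSv1.1 with cipher AES128-SHA (128/128 bits)
"""

# Captures client address, negotiated protocol and cipher from one log line.
TLS_LINE = re.compile(
    r"TLS connection established from \S*\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# OpenSSL-based servers log TLS 1.0 as "TLSv1"; "TLSv1.0" covers the
# spelling used in the post.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}


def summarize(log_text):
    """Return (connections per protocol, legacy protocol/cipher use per client)."""
    totals = Counter()
    legacy_clients = defaultdict(Counter)
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if not m:
            continue  # not a TLS handshake line
        totals[m["proto"]] += 1
        if m["proto"] in LEGACY_PROTOCOLS:
            legacy_clients[m["ip"]][(m["proto"], m["cipher"])] += 1
    return totals, legacy_clients


if __name__ == "__main__":
    totals, legacy = summarize(SAMPLE_LOG)
    for proto, count in sorted(totals.items()):
        print(f"{proto:8} {count} connection(s)")
    print("Clients that would break if TLSv1.0 is disabled:")
    for ip, combos in sorted(legacy.items()):
        for (proto, cipher), count in combos.items():
            print(f"  {ip}  {proto} / {cipher}  x{count}")
```
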
Comments
So back to your PCI. Under PCI DSS 3.1 you can file for an exception, provided that you give them a Risk Mitigation and Migration Plan that outlines that you want to upgrade to TLSv1.1 or better as soon as your mail clients support that protocol. If you are using Trustkeeper / Trustwave then you can call them and ask for the plan template. That should help you craft an acceptable plan.
Anyway, you are not alone. I too would like to turn off TLSv1.0 but I'm afraid we have to wait. Or we could try Outlook for Mac and now for iOS and see if it will do TLSv1.1 or 1.2. Not sure...