What needs to be done to overcome the pinning issue with Apple mail (MAC mail)

Hi folks,

looking for some guidance on what needs to be done to the XG so that the XG CA meets Apple CA pinning requirements. The CA works fine for SMPTS and decrypt scanning in the web proxy, but not for iMAPS.

When you first enable iMAPS scanning the certificate asks for for permission to continue which if granted works for about 30 minutes before failing again.

Ian

Parents
  • Hi everyone, thank you for your feedback and your patience in this matter. As you know Apple have made some changes to the CA and cert requirements for iOS and MacOS. Briefly below these are summarised, and our response.

    Current Apple requirements for iOS 13 and MacOS 10.15:

    All TLS server certificates must comply with these new security requirements in iOS 13 and macOS 10.15:

    • TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
    • TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

    Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:

    • TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
    • TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

    Connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.

     

    We are tracking and fixing this issue in NC-55223 and the fix is currently timed for v18.0.1 (MR1) release.

Reply
  • Hi everyone, thank you for your feedback and your patience in this matter. As you know Apple have made some changes to the CA and cert requirements for iOS and MacOS. Briefly below these are summarised, and our response.

    Current Apple requirements for iOS 13 and MacOS 10.15:

    All TLS server certificates must comply with these new security requirements in iOS 13 and macOS 10.15:

    • TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
    • TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

    Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:

    • TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
    • TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

    Connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.

     

    We are tracking and fixing this issue in NC-55223 and the fix is currently timed for v18.0.1 (MR1) release.

Children