
Thanks for that.

I'm surprised to find that Apple's OSX Server (Mavericks) ships without TLS 1.1 or 1.2 support.

Are these not widely deployed? Or is there no sense of urgency since 1.0 isn't broken?


TLS 1.0 is definitely broken; TLS 1.1 introduced explicit per-record IVs for CBC mode.


How is TLS 1.0 broken? All I could find is BEAST, but that seems to be mitigated by client patches.

Interestingly, Wikipedia says that TLS 1.1 and 1.2 only have about 25% adoption on servers, which is shocking if in fact TLS 1.0 is truly broken.


TLS 1.0 uses chained IVs, which is a protocol flaw. It also has an explicit protocol alert for decryption failures, which makes error oracle attacks simpler. TLS 1.0 is broken. It isn't catastrophically broken so far as we know now, but nobody should be deliberately preferring it.
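To make the chained-IV point above concrete, here is an added example (not from the thread, and not Apple's or OpenSSL's code) in Go using the standard-library AES: it simulates two one-block CBC records on one connection, first with TLS 1.0-style chaining (the next record's IV is the previous record's last ciphertext block) and then with a TLS 1.1-style fresh explicit IV, and shows that only the chained case lets an observer who can get one chosen block encrypted confirm a guess about an earlier secret block. The key, IV and secret are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// oneBlockRecord encrypts one 16-byte block in CBC mode: C = E_k(IV XOR P).
func oneBlockRecord(blk cipher.Block, iv, p []byte) []byte {
	c := make([]byte, blk.BlockSize())
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(c, p)
	return c
}

// guessConfirmed simulates two consecutive CBC records on one connection: record 1
// carries the secret block; record 2 carries a block chosen by an observer who saw
// IV1 and C1 and wants to test whether guess == secret. With chained IVs (TLS 1.0)
// IV2 == C1 is known in advance, so P2 = IV2 XOR IV1 XOR guess makes C2 == C1 exactly
// when guess == secret. With a fresh random explicit IV (TLS 1.1) the prediction fails.
func guessConfirmed(key, iv1, secret, guess []byte, explicitIV bool) (bool, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	c1 := oneBlockRecord(blk, iv1, secret)
	p2 := make([]byte, len(c1)) // observer's chosen block, assuming IV2 == C1
	for i := range p2 {
		p2[i] = c1[i] ^ iv1[i] ^ guess[i]
	}
	iv2 := c1 // TLS 1.0: next IV is the last ciphertext block of the previous record
	if explicitIV {
		iv2 = make([]byte, blk.BlockSize()) // TLS 1.1: fresh per-record IV
		if _, err := rand.Read(iv2); err != nil {
			return false, err
		}
	}
	c2 := oneBlockRecord(blk, iv2, p2)
	return bytes.Equal(c1, c2), nil
}

func main() {
	key, iv1 := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 16) // constructed
	secret := []byte("Cookie: sid=0042")                                       // constructed, 16 bytes
	chained, _ := guessConfirmed(key, iv1, secret, secret, false)
	explicit, _ := guessConfirmed(key, iv1, secret, secret, true)
	fmt.Println("chained IV confirms guess:", chained, " explicit IV confirms guess:", explicit)
}
```

The chained case prints true and the explicit-IV case prints false, which is exactly the gap TLS 1.1's per-record IVs close.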


IIRC they just ship Apache, so just follow the normal instructions for enabling perfect forward secrecy on Apache.


They ship Apache, but they only ship obsolescent (0.9.8) versions of OpenSSL. So their system Apache is built against OpenSSL 0.9.8y.


That's rather unfortunate. I think you can use Homebrew to pull in newer stuff, though, but I haven't tried (I don't host stuff on my MBP; I use my Linux workstation for that).


I'm sure you could, but bear in mind that several OS X Server services are built on top of the system Apache and its configuration file structure, so you probably don't want to replace it with a package manager-built version if you rely on any of these services.

On the other hand, it wouldn't be too hard to build and install a version of the SSL module compatible with the system Apache linked against a newer OpenSSL version, and I wouldn't expect this to break Apple's services, at least not until you install an update that either breaks binary module compatibility or clobbers your tweaked module configuration.

I don't use Homebrew, so I couldn't tell you if it's capable of building modules for the system Apache, but building the SSL module "by hand" for system Apache with Homebrew OpenSSL should be straightforward enough.


The point however is that for a few bucks Apple gives me a dead simple GUI to manage a few key services 'that just works'.

If I were inclined to download and compile libraries, then I'd clearly be better off running a Linux distro for complete control.


Apple still ships a server? Didn't know that.


Server software as an add-on downloadable from the App Store on the Mac, not a physical server like the Xserve. They recommend a Mac Mini with two hard disks installed as a SOHO server but obviously aren't catering for large networks - no hot-swappable drives or fancy RAID, for example (unless you use an external Thunderbolt caddy). They're leaving that market to Windows AD and Linux (mostly Windows AD, I suspect). Oddly, the server software on the Mac gets fewer and fewer features each release since Snow Leopard, apparently. I think Ars Technica has a review of the server software, and it's pretty in-depth.
