How to Enable TLS Versions on macOS

Joined
Sep 21, 2022
Messages
5
Reaction score
0
Hello Everyone,

I recently encountered a situation at a client's location where they've installed a new security device. This device requires a network connection that utilizes TLS 1.0 and 1.1 protocols. While I managed to enable these protocols on Windows machines by adjusting the Internet properties, I'm now facing a challenge with macOS systems.

I'm aware that TLS 1.0 and 1.1 are considered outdated, but the necessity to connect to this security device onsite means we need to find a way to enable these protocols on macOS as well. Given the diverse operating system usage among the personnel, it's essential we accommodate macOS users too.

Could anyone guide me on how to check which TLS versions are currently enabled on macOS, and more importantly, how to enable TLS 1.0 and 1.1 if they're not active? Is this even possible on macOS?

I appreciate any insights or advice on this matter. Thank you in advance for your help.

Best regards,
 
Joined
Mar 28, 2024
Messages
86
Reaction score
0
Enabling TLS 1.0 and 1.1 on macOS can be challenging due to their deprecation and security vulnerabilities. However, here's how you can check and potentially enable these protocols:

Checking Enabled TLS Versions

To check the current TLS versions enabled on macOS:
  1. Using Terminal and OpenSSL:
    • Open Terminal.
    • Enter the following command:
      openssl s_client -connect <server>:<port> -tls1
      Replace <server> and <port> with the appropriate values for your security device. This will check if TLS 1.0 is enabled.
    • Similarly, you can check for TLS 1.1 by replacing -tls1 with -tls1_1.

Enabling TLS 1.0 and 1.1

Apple has been phasing out support for these protocols in its apps and services. However, you can attempt to enable them in specific applications that might still support them or use a workaround:
  1. Configure Specific Applications:
    • For some browsers like Firefox, you can manually enable older TLS versions by entering about:config in the address bar and setting security.tls.version.min to 1.
  2. Using Homebrew to Install OpenSSL with Support for Older TLS Versions:
    • Install Homebrew if you haven’t already:
      /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
    • Install OpenSSL:
      brew install (e-mail address removed)
    • Use the installed OpenSSL to connect with the required TLS version:
      /usr/local/opt/(e-mail address removed)/bin/openssl s_client -connect <server>:<port> -tls1

Workaround with a Proxy

If direct support isn't possible, another approach is to set up a proxy server to downgrade the connection to TLS 1.0 or 1.1. Here’s a brief outline:
  1. Set Up a Local Proxy with TLS Downgrade:
    • Use a tool like Nginx or Stunnel to create a proxy that downgrades the TLS connection.
    • Configure the proxy to connect to the security device using TLS 1.0 or 1.1 while your macOS systems connect to the proxy using a more modern TLS version.

Important Note on Security

Enabling or using TLS 1.0 and 1.1 poses significant security risks. Ensure that this approach is only used temporarily and in a controlled environment. Encourage your client to update their security device to support newer TLS versions as soon as possible.
By following these steps, you should be able to connect your macOS systems to the security device using the required TLS protocols.
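
An added example, not part of the original thread: a small shell script that runs the s_client check from the reply above once per protocol version and reads the result from the output. The function names, the OPENSSL_BIN variable and the sample output lines are constructed for illustration; the retry with @SECLEVEL=0 assumes an OpenSSL 1.1.0 or later client.

```shell
#!/bin/sh
# Added example: report which TLS versions a server completes a handshake with.
# Usage: sh tls_probe.sh <server> <port>
# OPENSSL_BIN (hypothetical variable) selects the openssl binary to use.

# Constructed s_client excerpts, not captured from a real device.
SAMPLE_OK='New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)'

# Print the cipher named on s_client's "Cipher is ..." summary line, if any.
negotiated_cipher() {
  printf '%s\n' "$1" | sed -n 's/.*Cipher is \([^ ]*\).*/\1/p' | head -n 1
}

# Succeed only if a cipher was negotiated; s_client reports "(NONE)" otherwise.
handshake_ok() {
  hs_cipher=$(negotiated_cipher "$1")
  [ -n "$hs_cipher" ] && [ "$hs_cipher" != "(NONE)" ]
}

tls_probe() {
  tp_target="$1:$2"
  tp_bin="${OPENSSL_BIN:-openssl}"
  for tp_flag in tls1 tls1_1 tls1_2 tls1_3; do
    tp_note=""
    # </dev/null closes stdin so s_client exits once the handshake is done.
    tp_out=$("$tp_bin" s_client -connect "$tp_target" "-$tp_flag" </dev/null 2>&1)
    if ! handshake_ok "$tp_out"; then
      # OpenSSL 3.x refuses TLS 1.0/1.1 at its default security level, so a
      # failure may be the client's policy; retry once at level 0.
      tp_out=$("$tp_bin" s_client -connect "$tp_target" "-$tp_flag" \
        -cipher 'DEFAULT:@SECLEVEL=0' </dev/null 2>&1)
      tp_note=" (client needed SECLEVEL=0)"
    fi
    if handshake_ok "$tp_out"; then
      echo "-$tp_flag: accepted, cipher $(negotiated_cipher "$tp_out")$tp_note"
    else
      echo "-$tp_flag: no handshake"
    fi
  done
}

if [ "$#" -eq 2 ]; then
  tls_probe "$1" "$2"
fi
```

A "no handshake" line means either the device refused that version or the local openssl build cannot offer it, so repeat the check with another build before concluding the device lacks support.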
 
