Can the (web)server compliant with ciphers in App Transport Security support additional ciphers ?

Question

zahidncst OP

Created Aug ’15

Replies 1

Boosts 0

Participants 2

Per https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/

below are the ciphers supported in IOS9

```
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
```
```
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
```
```
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
```
```
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
```
```
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
```
```
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
```
```
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
```
```
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
```
```
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
```
```
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
```
```
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
```

Does this mean that the Native App(in IOS9) support server supporting only above ciphers ? Also do they need to be at higher priority ?

What happens if the server supports additional ciphers(for supporting older Android Clients or Win clients), but those ciphers are kept at lower priority ?

Boost

Answer 1

DTS Engineer OP

Apple

Aug ’15

TLS cypher suite negotiation works (roughly) as follows:

The client sends a list of cypher suites that it supports to the server (via the Client Hello message).
From that list, the server tells the client which cypher suite that it likes the most (via the Server Hello message).

Given that design, your question doesn't make logical sense: iOS 9 will not include the insecure cypher suites in its Client Hello and so server's support for other cypher suites is irrelevant.

Share and Enjoy
—
Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0