How to update Server 5 to TLS 1.2?

  1. Go to http://www.apple.com/feedback and send feedback demanding that they update Server and OS X to support TLS 1.2. It's ridiculous that they don't, especially considering that in iOS 9 and El Capitan they require that Apple developers release software that only talks to TLS 1.2 servers. Even if you could patch Server to work with TLS 1.2, what happens when Apple updates Server again, and it still doesn't support TLS 1.2? When you install that update, will it overwrite whatever you put into place?

  2. In the meantime, the only real option you have, I guess, is to install OpenSSL 1.0.1 or later, download the Apache source code, and then build it linking against OpenSSL 1.0.1, and then replace OS X's Apache with the one you just built. That will almost certainly require disabling System Integrity Protection because you can't modify the core OS files like apache2. You might be able to get away with just swapping out mod_ssl.so after you do your build. But it's ridiculous that we'd even have to resort to this! Apple needs to fix this!!! (see https://serverfault.com/questions/265556/upgrade-openssl-mod-ssl-on-mac-os-x-server)

  3. Download VirtualBox, and install CentOS or another security-enhanced Linux flavor, and just run your server out of that on the Mac. Because, evidently, Apple CBA to chew gum and walk at the same time.

UPDATE:

Here are the exact steps that I did to get (2.) above to work.

This gets OS X Server 5 to work with TLS 1.2 and forward secrecy on 10.11.1, making ATS perfectly happy (especially if you're a developer this is really cool).

  1. Install Homebrew, then brew install openssl and brew install pcre
  2. Download the latest source for Apache, apr, and apr-util
  3. Extract Apache source into /usr/local/src/httpd-2.4.17
  4. Extract apr and apr-util archives to /usr/local/src/httpd-2.4.17/srclib/apr and /usr/local/src/httpd-2.4.17/srclib/apr-util
  5. Replace the character "+" with the word "apache2" in the files config.layout inside the apr and apr-util dirs
  6. In Terminal, execute the following commands:

    cd /usr/local/src/httpd-2.4.17
    # export it, otherwise the assignment is invisible to ./configure on the next line
    export CFLAGS="-arch x86_64"
    ./configure --prefix=/usr/local/apache-2.4.17 --with-included-apr --with-included-apr-util --with-mpm=prefork --with-ssl=/usr/local/opt/openssl --enable-mods-shared=reallyall --enable-layout=Darwin
    make
    make install
    
  7. Copy mod_hfs_apple.so, mod_authnz_ldap.so, and mod_ldap.so from /usr/libexec into /usr/local/apache-2.4.17/libexec/apache2/

  8. Disable SIP: restart into Recovery mode (Command-R), open Terminal, and type csrutil disable. (This allows you to make changes inside the /usr/sbin and /usr directories, necessary to swap out the insecure default Apache with the new secure one you built.)
  9. Restart back into normal mode, open Terminal, and type the following commands:

    sudo mv /usr/sbin/httpd /usr/sbin/httpd.old
    sudo mv /usr/libexec/apache2 /usr/libexec/apache2.old
    sudo ln -s /usr/local/apache-2.4.17/sbin/httpd /usr/sbin/httpd
    sudo ln -s /usr/local/apache-2.4.17/libexec/apache2/ /usr/libexec/apache2
    
  10. Re-enable SIP: restart into Recovery mode, open Terminal, and type csrutil enable.
  11. Restart back into normal mode and download the latest source for PHP, then extract it to /usr/local/src/php-5.6.16 (or whatever version; 7.0 just came out, woot, but I don't know if it would break OS X Server's own uses of PHP)
  12. Configure PHP with the following command (modify as needed, but this worked for my LAMP stack with OS X Server 5):

    ln -s /usr/local/opt/openssl /usr/local/openssl
    cd /usr/local/src/php-5.6.16
    # export it, otherwise the assignment is invisible to ./configure on the next line
    export CFLAGS="-arch x86_64"
    ./configure --with-openssl=/usr/local/opt/openssl --with-pcre-regex=/usr/local/opt/pcre --with-curl=/usr/bin/curl --enable-exif --with-mysql=/usr/local/mysql --with-mysql-sock=/tmp/mysql.sock --with-pdo-mysql --enable-opcache --with-apxs2=/usr/local/apache-2.4.17/bin/apxs --prefix=/usr/local/apache-2.4.17/php/ --enable-sockets --enable-zip --with-pear=/usr/local/apache-2.4.17/lib/php --enable-mbstring --with-mysqli
    make
    make install
    
  13. In a text editor, edit the file /Library/Server/Web/Config/Proxy/servermgr_serviceproxy_customsites.plist. Starting at line 65, replace each old line with the new line(s) shown:

    old: SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
    new: SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
    new: SSLHonorCipherOrder On

    old: SSLProtocol -ALL +TLSv1
    new: SSLProtocol ALL -SSLv2 -SSLv3

    old: SSLProxyProtocol -ALL +TLSv1
    new: SSLProxyProtocol ALL -SSLv2 -SSLv3

  14. Next, make a similar change in apache_serviceproxy_customsites.conf, starting at line 13 (again, replace each old line with the new line(s) shown):

    old: SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
    new: SSLHonorCipherOrder On
    new: SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"

    old: SSLProtocol -ALL +TLSv1
    new: SSLProtocol ALL -SSLv2 -SSLv3

    old: SSLProxyProtocol -ALL +TLSv1
    new: SSLProxyProtocol ALL -SSLv2 -SSLv3

  15. Next, make the exact same changes as in step 14., in apache_serviceproxy.conf, starting at line 198.

  16. Start OS X Server and run the following command (with your custom site's actual https URL) to verify that you have succeeded:

    /usr/bin/nscurl --ats-diagnostics https://[[your custom site's https url]]

In my case ALL of the tests came back with a "PASS."

I can provide you a git patch file to make the changes to your .conf files assuming you still have a virgin install and you're on the same version as me.
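An added example, not code from the original post: a POSIX-sh audit of the mod_ssl directives that steps 13 to 15 change, with an optional live handshake probe to complement the nscurl check. The audit assumes only sh; the probe additionally assumes network access and an openssl whose s_client accepts the -ssl3, -tls1, -tls1_1 and -tls1_2 flags. The sample directives it runs on are constructed from the old and new lines shown in steps 13 and 14, and the function names are mine, not anything Apple or Apache ships.

```shell
#!/bin/sh
# Added example (not from the original post): audit the mod_ssl directives that
# steps 13-15 rewrite, and optionally probe a live server per protocol version.
# Assumes only POSIX sh for the audit; the probe additionally needs network access
# and an openssl whose s_client accepts -ssl3/-tls1/-tls1_1/-tls1_2.
# Sample directives below are constructed from the page's before/after lines.

# Replay one SSLProtocol/SSLProxyProtocol line the way mod_ssl parses it:
# tokens apply left to right, ALL adds every version, +X adds X, -X removes X.
audit_protocol_line() {
    line=$1
    set -- $line                      # split on whitespace; $1 is the directive name
    directive=$1; shift
    s3=0; t10=0; t11=0; t12=0
    for tok in "$@"; do
        case $tok in
            [Aa][Ll][Ll]|+[Aa][Ll][Ll]) s3=1; t10=1; t11=1; t12=1 ;;
            -[Aa][Ll][Ll])              s3=0; t10=0; t11=0; t12=0 ;;
            SSLv3|+SSLv3)     s3=1 ;;   -SSLv3)   s3=0 ;;
            TLSv1|+TLSv1)     t10=1 ;;  -TLSv1)   t10=0 ;;
            TLSv1.1|+TLSv1.1) t11=1 ;;  -TLSv1.1) t11=0 ;;
            TLSv1.2|+TLSv1.2) t12=1 ;;  -TLSv1.2) t12=0 ;;
            *) : ;;                   # SSLv2 tokens: Apache 2.4 cannot speak SSLv2 anyway
        esac
    done
    rc=0
    if [ $s3 -eq 1 ]; then
        echo "FAIL $directive leaves SSLv3 enabled: $line"; rc=1
    fi
    if [ $((s3 + t10 + t11 + t12)) -eq 0 ]; then
        echo "FAIL $directive enables no protocol at all, mod_ssl will not start: $line"; rc=1
    elif [ $t12 -eq 0 ]; then
        echo "FAIL $directive does not enable TLS 1.2, ATS clients will be refused: $line"; rc=1
    fi
    return $rc
}

# Check an SSLCipherSuite/SSLProxyCipherSuite line: every weak family must be
# excluded with !, either because it is named or because ALL/DEFAULT would pull it in.
audit_cipher_line() {
    line=$1
    spec=${line#*CipherSuite}
    spec=${spec#"${spec%%[![:space:]]*}"}   # trim leading whitespace
    spec=${spec%"${spec##*[![:space:]]}"}   # trim trailing whitespace
    spec=${spec#\"}; spec=${spec%\"}        # drop surrounding quotes
    wildcard=0
    case ":$spec:" in *:ALL:*|*:DEFAULT:*|*:COMPLEMENTOFDEFAULT:*) wildcard=1 ;; esac
    rc=0
    for bad in RC4 MD5 aNULL eNULL ADH LOW EXP; do
        negated=0; used=0
        oldifs=$IFS; IFS=:
        for tok in $spec; do
            case $tok in
                "!$bad")  negated=1 ;;
                *"$bad"*) used=1 ;;
            esac
        done
        IFS=$oldifs
        if [ $negated -eq 0 ] && { [ $used -eq 1 ] || [ $wildcard -eq 1 ]; }; then
            echo "FAIL $bad not excluded from cipher list: $line"; rc=1
        fi
    done
    return $rc
}

# Audit config text on stdin (a .conf, or the plist that embeds the directives).
# Prints one FAIL line per problem plus a summary; exit status 1 if anything failed.
audit_ssl_conf() {
    label=${1:-stdin}
    fails=0; honor=0
    while IFS= read -r line || [ -n "$line" ]; do
        t=${line#"${line%%[![:space:]]*}"}  # only lines that start with a directive count
        set -- $t
        case ${1:-} in
            SSLProtocol|SSLProxyProtocol)       audit_protocol_line "$t" || fails=$((fails + 1)) ;;
            SSLCipherSuite|SSLProxyCipherSuite) audit_cipher_line "$t"   || fails=$((fails + 1)) ;;
            SSLHonorCipherOrder) case ${2:-} in [Oo][Nn]) honor=1 ;; esac ;;
        esac
    done
    if [ $honor -eq 0 ]; then
        echo "FAIL SSLHonorCipherOrder On is missing, so the client picks the suite"; fails=$((fails + 1))
    fi
    echo "$label: $fails failing directive(s)"
    [ $fails -eq 0 ]
}

# Optional live check: which protocol versions will a host actually negotiate?
probe_protocols() {
    host=$1
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        if openssl s_client -connect "$host:443" -servername "$host" $flag </dev/null >/dev/null 2>&1; then
            echo "$host accepts $flag"
        else
            echo "$host rejects $flag"
        fi
    done
}

echo "== directives as shipped (constructed from the page's old lines) =="
audit_ssl_conf shipped <<'EOF' || true
SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
SSLProtocol -ALL +TLSv1
SSLProxyProtocol -ALL +TLSv1
EOF

echo "== directives after steps 13-15 (constructed from the page's new lines) =="
audit_ssl_conf hardened <<'EOF' || true
SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
SSLHonorCipherOrder On
SSLProtocol ALL -SSLv2 -SSLv3
SSLProxyProtocol ALL -SSLv2 -SSLv3
EOF

if [ -n "${1:-}" ]; then probe_protocols "$1"; fi
```

To run it against the real files, pipe them in, e.g. audit_ssl_conf customsites < apache_serviceproxy_customsites.conf; it only inspects lines that begin with a directive, so it works on the .conf files and on the plist as long as each directive sits on its own line. The shipped directives fail on RC4 and MD5 being reachable, on both protocol lines pinning the server to TLS 1.0 (which is exactly what ATS rejects), and on the missing SSLHonorCipherOrder; the rewritten lines pass. The audit also catches a line like SSLProtocol -SSLv2 -SSLv3 with no ALL in front of it, which enables nothing and stops mod_ssl from starting. Modern openssl builds often lack -ssl3, in which case the probe reports "rejects -ssl3" for any host, so read that row with the server's own error log in mind.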