Apple Drops Support for SHA-1 Certificates in macOS Catalina and iOS 13

In a new support document, Apple has indicated that macOS Catalina and iOS 13 drop support for TLS certificates signed with the SHA-1 hash algorithm, which is now considered to be insecure. SHA-2 is now required at a minimum.

macos catalina safari
Apple says all TLS server certificates must comply with these new security requirements in macOS Catalina and iOS 13:

  • TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.

  • TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.

  • TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

Effective immediately, any connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in macOS Catalina and iOS 13, according to Apple.

Google, Microsoft, and Mozilla all deprecated SHA-1 certificates in 2017.

Tags: Safari, SHA-1
Related Forums: iOS 13, macOS Catalina

Popular Stories

space black mbp

Apple Potentially Facing Worst Leak Since iPhone 4 Was Left in a Bar

Monday October 7, 2024 3:03 pm PDT by
Alleged photos and videos of an unannounced 14-inch MacBook Pro with an M4 chip continue to surface on social media, in what could be the worst product leak for Apple since an employee accidentally left an iPhone 4 prototype at a bar in California in 2010. The latest video of what could be a next-generation MacBook Pro was shared on YouTube Shorts today by Russian channel Romancev768, just...
Alleged M4 MacBook Pro Leak Video

Alleged M4 MacBook Pro Unboxing Video Reveals These Four Upgrades

Sunday October 6, 2024 6:10 pm PDT by
An alleged unboxing video for an unannounced 14-inch MacBook Pro with the M4 chip was uploaded to YouTube today by Russian channel Wylsacom. The video was later linked to on social media platform X by Bloomberg's Mark Gurman. It is possible that this is the same MacBook Pro box shown in photos that were shared by leaker ShrimpApplePro in late September, as he claimed that this MacBook Pro...
M4 Real Feature Red

Gurman: Apple to Launch First M4 Macs and Potentially iPad Mini 7 on November 1

Sunday October 6, 2024 6:40 am PDT by
Apple will announce several new M4 Mac models around the end of October, with the company planning to launch at least some of them as soon as Friday, November 1, according to Bloomberg's Mark Gurman. Writing in his latest Power On newsletter, Gurman said that Apple will launch a new M4 version of its low-end 14-inch MacBook Pro, as well as higher-end 14-inch and 16-inch MacBook Pro models...
watchos 11 vitals

Apple Watch Users Report Vitals App Detecting Illness Before Symptoms Appear

Monday October 7, 2024 5:34 am PDT by
Apple's new Vitals app for watchOS 11 appears to be impressing some users with its ability to detect potential illness days before symptoms manifest, according to recent reports on Reddit. The Apple Watch app, which analyzes key health metrics measured during sleep over the last seven days, appears to be providing early warnings of impending sickness for at least some Apple Watch wearers...
Generic iOS 18

Apple Plans to Release iOS 18.1 With Apple Intelligence on October 28

Sunday October 6, 2024 6:18 am PDT by
Apple intends to launch iOS 18.1 with the first set of much-anticipated Apple Intelligence features on October 28, according to Bloomberg's Mark Gurman. Writing in the latest edition of his Power On newsletter, Gurman says the release date is arriving this month later than initially expected, as Apple is reportedly taking extra time to ensure a smooth rollout and prepare its AI cloud...
Generic iOS 18

Everything New in iOS 18.1 Beta 6

Monday October 7, 2024 4:27 pm PDT by
We're nearing the end of the iOS 18.1 beta testing process, but Apple is continuing to make tweaks to refine built-in features ahead of when the software launches. With testing winding down, there are fewer new additions, but Apple has made changes worth noting. The new beta is available for both developers and public beta testers. Control Center In the Control Center, Apple has added new...
iPad mini review thumb

iPad Mini 7 Coming Next Month: What to Expect

Tuesday October 8, 2024 6:16 am PDT by
Rumors strongly suggest Apple will release the seventh-generation iPad mini in November, nearly three years after the last refresh. Here's a roundup of what we're expecting from the next version of Apple's small form factor tablet, based on the latest rumors and reports. Design and Display The new iPad mini is likely to retain its compact 8.3-inch display and overall design introduced with...

Top Rated Comments

Sasparilla Avatar
70 months ago
Nice to see them doing this.

Planned obsolescence...smh...
For an insecure encryption algorithm? I would hope they'd deprecate it (following Google, Firefox etc.).
Score: 17 Votes (Like | Disagree)
SteveOfTheStow Avatar
70 months ago
For an insecure encryption algorithm? I would hope they'd deprecate it (following Google, Firefox etc.).
There was an implicit /s in vicviper789's post ;)
Score: 5 Votes (Like | Disagree)
keysofanxiety Avatar
70 months ago
Planned obsolescence...smh...
I know, it's a disgrace. Little known fact: very few websites work well on Netscape Navigator either :mad:
Score: 5 Votes (Like | Disagree)
Soba Avatar
70 months ago
Planned obsolescence...smh...
I get your point and share the frustration, but it's not warranted in this case.

Encryption algorithms have shelf lives, more or less. Weaknesses are periodically discovered that make them vulnerable to cracking or workarounds, as in this case. Generally these problems cannot be fixed in the way ordinary software is patched because the problems are not specific to any vendor and are simply fundamental flaws in the encryption mechanism; the only solution is abandonment of the encryption method and moving on to safer methods.

SHA-1 is over 25 years old and has been known to have problems since at least 2005. Deprecating encryption methods that are known to be too weak or vulnerable is the right thing to do, and if anything, this move is long overdue.
[doublepost=1559832487][/doublepost]
I know, it's a disgrace. Little known fact: very few websites work well on Netscape Navigator either :mad:
I miss Netscape. ;)

I have to laugh at the 40-bit encryption we used in the late 90s (32-bit in some parts of the world). It wasn't thought overly safe even at the time, but that seems just silly, today.
Score: 4 Votes (Like | Disagree)
darngooddesign Avatar
70 months ago
There was an implicit /s in vicviper789's post ;)
It’s impossible to tell if someone is being sincere or sarcastic on the internet; which is why we have ‘/s’.
Score: 4 Votes (Like | Disagree)
vicviper789 Avatar
70 months ago
Planned obsolescence...smh...
Score: 2 Votes (Like | Disagree)