(Update, 25 March 2016: This article includes everything necessary for tuning cipher suites, but also see “Server 5.1 Brings TLS 1.2 at Last” for more on important changes in Server 5.1.)

As of version 5, the Server app still only supports TLS version 1.0 and a handful of suitable ciphers, but even within those constraints, we can improve the situation significantly by shutting off RC4 support and setting a preferred cipher order.

Partly due to Apple’s deprecation of OpenSSL back in the days of OS X Lion, partly due to its slow pace of introducing its own replacement (Secure Transport) into the Server app’s web service, and partly due to the much quicker pace of just about everyone else in rolling out support for newer TLS technologies, those of us running HTTPS sites with Server start at an instant disadvantage.

It’s more than a little ironic that Apple has been so quick to embrace more modern technologies in iOS and OS X while leaving the poor Server app to languish with TLS 1.0 and just a handful of suitable ciphers. The situation is so bad that Apple’s own bots won’t even crawl a site provided over HTTPS with Apple’s own Server, because both AppleBot and AppleNewsBot require TLS 1.2!

Apple’s move to a proxied architecture in version 5 of the Server app may be a first step toward a complete overhaul of the TLS side of how the server interacts with site visitors. (It has now fallen so far behind that I’m fairly convinced either this type of radical overhaul is in the pipeline, or we’ll see the web service disappear completely in the next major version of Server.) I’m hopeful we’ll soon see Apple bring that portion of the server right into the modern age and with it, a whole slew of alphabet soup including both TLS 1.2 and HTTP/2.

But until big changes arrive, we can at least make the best of what is available by tuning the cipher suite for performance, security, and Forward Secrecy, as well as by enabling OCSP stapling, as I described in “Set Up OCSP Stapling on OS X Server”.

By default, the Server app doesn’t specify any preferred cipher order - which means that slower or older ones may wind up being used first - and Apple also allows deprecated RC4 ciphers in the list:

SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"

That line comes from the proxy’s custom sites configuration file (Library/Server/Web/Config/Proxy/apache_serviceproxy_nf) and indirectly from the Library/Server/Web/Config/Proxy/servermgr_serviceproxy_ist plist used to build it, as I described in the earlier article “Adjust the Apache Proxy in Server 5 for Higher Performance”.

Although you can easily verify the speed of individual ciphers on your own server from the command line, and that is no doubt the way to go if you want to be very precise about it, in my experience there is only a little performance difference between the main ones we’ll want to support anyway. What we can do is disable RC4 ciphers and also prioritise those ciphers which offer Forward Secrecy and speedier processing times.
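As an added example (not code from the article or from Apple), a small Python audit that reads an Apache config fragment, pulls out the SSLCipherSuite line and mod_ssl’s SSLHonorCipherOrder directive, and reports whether RC4 is explicitly excluded and whether Forward Secrecy suites come first. Apple’s default line is the one quoted above; the hardened fragment is a constructed assumption for comparison, not Apple’s shipped configuration.

```python
import re

# Apple's default line, exactly as quoted on this page.
APPLE_DEFAULT = 'SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"'

# Constructed hardened fragment (assumption, not Apple's config): Forward Secrecy
# suites (EECDH/EDH) first, RC4 removed outright with "!", and mod_ssl's
# SSLHonorCipherOrder so the server's order wins over the client's preference.
HARDENED = """
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+AES:EDH+AES:RSA+AES:!aNULL:!eNULL:!LOW:!EXP:!RC4:!MD5"
"""

# Key-exchange keywords in OpenSSL cipher strings that imply Forward Secrecy.
FS_KEYWORDS = ("ECDHE", "EECDH", "DHE", "EDH")

DIRECTIVE_RE = re.compile(
    r'^\s*(SSLCipherSuite|SSLHonorCipherOrder)\s+"?([^"\n]+?)"?\s*$', re.M)


def parse_directives(config_text):
    """Return the SSL directives we care about; a later line overrides an earlier one."""
    found = {}
    for m in DIRECTIVE_RE.finditer(config_text):
        found[m.group(1)] = m.group(2).strip()
    return found


def audit(config_text):
    """Classify a config fragment's cipher policy the way this article reasons about it."""
    d = parse_directives(config_text)
    tokens = [t for t in re.split(r"[:,\s]+", d.get("SSLCipherSuite", "")) if t]
    # "!RC4" removes RC4 permanently; anything else mentioning RC4 adds it back.
    rc4_excluded = any(t.startswith("!") and "RC4" in t.upper() for t in tokens)
    rc4_added = any(not t.startswith(("!", "-")) and "RC4" in t.upper() for t in tokens)
    # Tokens that add suites (not "!", "-" removals or "+" reorderings) set the order.
    positives = [t for t in tokens if not t.startswith(("!", "-", "+"))]
    fs_first = bool(positives) and any(k in positives[0].upper() for k in FS_KEYWORDS)
    return {
        "rc4_excluded": rc4_excluded,
        # Without "!RC4", aliases such as ALL or MEDIUM can still admit RC4 suites.
        "rc4_possible": not rc4_excluded,
        "rc4_added": rc4_added,
        "fs_first": fs_first,
        "honor_order": d.get("SSLHonorCipherOrder", "off").lower() == "on",
    }


if __name__ == "__main__":
    for name, cfg in (("apple default", APPLE_DEFAULT), ("hardened", HARDENED)):
        print(name, audit(cfg))
```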