Apple has completely disabled the SHA-1 certificates in iOS 13 and macOS 10.15

As early as 2017, Google confirmed that the SHA-1 TLS certificates were no longer secure. Then Microsoft and the Mozilla also agreed with Google’s proof experiment. Since then, Google, Microsoft, and Mozilla have been actively abandoning the old hash algorithm to improve security, but Apple has no positive attitude towards this consensus. Until now, Apple only thought it was time to completely abandon the old hash algorithm. This requirement will be enforced from iOS 13 and macOS 10.15.

The latest requirements announced by Apple are as follows:

• TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
• TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
• TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

The above requirements will be implemented in iOS 13 with iPadOS 13 and macOS 10.15. All traffic that does not meet the requirements will cause network failure. When a user attempts to access these certificates using the Safari browser, it automatically intercepts and returns no trust, and the webmaster must replace the encryption certificate in advance.

In addition, there are similar requirements for in-app access and other connections, so app developers should also check if their certificates meet the requirements. For more information on the latest certificate algorithm requirements, please visit Apple’s official support page.

Via: Neowin