Apple Drops Support for SHA-1 Certificates in macOS Catalina and iOS 13 - MacRumors
Skip to Content

Apple Drops Support for SHA-1 Certificates in macOS Catalina and iOS 13

by

In a new support document, Apple has indicated that macOS Catalina and iOS 13 drop support for TLS certificates signed with the SHA-1 hash algorithm, which is now considered to be insecure. SHA-2 is now required at a minimum.

macos catalina safari
Apple says all TLS server certificates must comply with these new security requirements in macOS Catalina and iOS 13:

  • TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.

  • TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.

  • TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

Effective immediately, any connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in macOS Catalina and iOS 13, according to Apple.

Google, Microsoft, and Mozilla all deprecated SHA-1 certificates in 2017.

Tags: Safari, SHA-1
Related Forums: iOS 13, macOS Catalina

Popular Stories

MacBook Pro Low Angle Wide Lens

macOS 27: Two More Changes Leaked Ahead of WWDC Next Month

Sunday May 10, 2026 9:45 am PDT by
macOS 27 will have a "slight redesign" compared to macOS Tahoe, along with an option to automatically group tabs in Safari, according to Bloomberg's Mark Gurman. In his Power On newsletter today, Gurman said the design changes will help to address some of the criticism surrounding macOS Tahoe's new Liquid Glass interface. In particular, the changes should improve overall readability....
Read Full Article34 comments
Apple Event Logo

Apple's Next Era Begins September 1

Thursday May 7, 2026 10:36 am PDT by
Apple recently announced that Tim Cook will be stepping down as CEO later this year, after 15 years of leading the company. Effective September 1, Apple's hardware engineering chief John Ternus will become the company's next CEO, while Cook will become executive chairman of Apple's board of directors. In his new role, Apple said Cook will assist with "certain aspects" of the company,...
Read Full Article
Instagram Feature 2

PSA: Instagram Encrypted Messaging Ends on Friday, May 8

Tuesday May 5, 2026 8:24 am PDT by
Instagram will remove end-to-end encryption for direct messages between users from May 8, 2026. When the date comes around, Meta will potentially be able to see the contents of all messages between users on the social media platform. Encrypting messages has been an optional feature in Instagram since 2023, but in March of this year the social media platform quietly updated a help page to say ...
Read Full Article54 comments

Top Rated Comments

S
Sasparilla
90 months ago
Nice to see them doing this.

Planned obsolescence...smh...
For an insecure encryption algorithm? I would hope they'd deprecate it (following Google, Firefox etc.).
Score: 17 Votes (Like | Disagree)
keysofanxiety Avatar
keysofanxiety
90 months ago
Planned obsolescence...smh...
I know, it's a disgrace. Little known fact: very few websites work well on Netscape Navigator either :mad:
Score: 5 Votes (Like | Disagree)
SteveOfTheStow Avatar
SteveOfTheStow
90 months ago
For an insecure encryption algorithm? I would hope they'd deprecate it (following Google, Firefox etc.).
There was an implicit /s in vicviper789's post ;)
Score: 5 Votes (Like | Disagree)
D
darngooddesign
90 months ago
There was an implicit /s in vicviper789's post ;)
It’s impossible to tell if someone is being sincere or sarcastic on the internet; which is why we have ‘/s’.
Score: 4 Votes (Like | Disagree)
Soba Avatar
Soba
90 months ago
Planned obsolescence...smh...
I get your point and share the frustration, but it's not warranted in this case.

Encryption algorithms have shelf lives, more or less. Weaknesses are periodically discovered that make them vulnerable to cracking or workarounds, as in this case. Generally these problems cannot be fixed in the way ordinary software is patched because the problems are not specific to any vendor and are simply fundamental flaws in the encryption mechanism; the only solution is abandonment of the encryption method and moving on to safer methods.

SHA-1 is over 25 years old and has been known to have problems since at least 2005. Deprecating encryption methods that are known to be too weak or vulnerable is the right thing to do, and if anything, this move is long overdue.
[doublepost=1559832487][/doublepost]
I know, it's a disgrace. Little known fact: very few websites work well on Netscape Navigator either :mad:
I miss Netscape. ;)

I have to laugh at the 40-bit encryption we used in the late 90s (32-bit in some parts of the world). It wasn't thought overly safe even at the time, but that seems just silly, today.
Score: 4 Votes (Like | Disagree)
L
lunarworks
90 months ago
I miss Netscape. ;)

I have to laugh at the 40-bit encryption we used in the late 90s (32-bit in some parts of the world). It wasn't thought overly safe even at the time, but that seems just silly, today.
Remember when encryption-enabled Netscape was considered a "munition", and was barred from export from the US, so they had a plaintext-only version for the rest of the world?
Score: 2 Votes (Like | Disagree)
Read All Comments