I was able to reproduce this by surfing to my website using Safari 4 (OSX 10.4.11). Safari can’t display the page at all. Apparently, this older Safari doesn’t know how to handle the SSL-configuration. I was able to fix my problem by putting the following into my .htaccess file:
SSLOptions +OptRenegotiate
My question is: does this make my setup less secure? Why isn’t this the default for Let’s Encrypt? Is there a better way to fix this?
Your SSL settings for Apache 2.2 would be as follows:
# intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
For Apache 2.4:
# intermediate configuration, tweak to your needs
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
Use the Mozilla generator to get the correct settings for your Apache SSL.
Sometimes older browsers require the use of technologies and features that have been discovered to be unsafe. That's a relatively common pattern and might be the case here. The legacy renegotiation method constitutes a security vulnerability (originally documented by Marsh Ray in 2009), which is why servers have removed support for it or suggested removing support for it. But it might be required by some older browsers for compatibility. In this case, web site operators would have to choose between breaking compatibility and leaving some potential security vulnerabilities in place.
The defaults for Let's Encrypt are based on Mozilla's Intermediate profile, which currently says
Oldest compatible clients: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7
If allowing legacy renegotiation to be disabled breaks Safari 4, maybe the Mozilla profile compatibility claims are inaccurate?
Thanks for the very comprehensive and easy-to-understand reply! I’ve read about the attack vector (http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html) and I think it’s smart to disable this feature. I still don’t really understand why the SSL library reports an “Error”, when nothing goes wrong (a configurable setting works as intended)… But that’s not an issue with LetsEncrypt I guess.
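Added example, not part of the original thread: the fix for the renegotiation flaw discussed above is RFC 5746, under which a client announces secure renegotiation either with the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value (0x00FF) or with the renegotiation_info extension (0xFF01). This Python sketch parses a ClientHello taken from a packet capture and reports whether the client sends either signal; the function names are hypothetical and the three sample hellos are constructed, not captured from Safari 4.

```python
import struct

SCSV = 0x00FF            # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)
RENEG_INFO_EXT = 0xFF01  # renegotiation_info extension type (RFC 5746)

def rfc5746_signals(record: bytes) -> dict:
    """Report how a ClientHello (with TLS record header) signals RFC 5746 support."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # client_version + random
    pos += 1 + body[pos]                           # session_id
    n = int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites length in bytes
    suites = struct.unpack(f">{n // 2}H", body[pos + 2:pos + 2 + n])
    pos += 2 + n
    pos += 1 + body[pos]                           # compression_methods
    ext_types = []
    if pos < len(body):                            # extensions block is optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            ext_types.append(etype)
            pos += 4 + elen
    scsv, ext = SCSV in suites, RENEG_INFO_EXT in ext_types
    return {"scsv": scsv, "extension": ext, "legacy_client": not (scsv or ext)}

def build_client_hello(suites, extensions=()):
    """Constructed sample input: minimal ClientHello bytes, not a real capture."""
    exts = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body = b"\x03\x01" + bytes(32) + b"\x00"       # TLS 1.0, zero random, no session id
    body += struct.pack(">H", 2 * len(suites)) + struct.pack(f">{len(suites)}H", *suites)
    body += b"\x01\x00"                            # null compression only
    if exts:
        body += struct.pack(">H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

OLD_CLIENT = build_client_hello([0x002F, 0x0035, 0x000A])       # sends no signal
SCSV_CLIENT = build_client_hello([0x002F, 0x00FF])              # signals via SCSV
EXT_CLIENT = build_client_hello([0xC02F], [(0xFF01, b"\x00")])  # signals via extension

if __name__ == "__main__":
    for name, hello in [("old", OLD_CLIENT), ("scsv", SCSV_CLIENT), ("ext", EXT_CLIENT)]:
        print(name, rfc5746_signals(hello))
```

A client reported as `legacy_client` sends neither signal, which is the kind of client a server that refuses legacy renegotiation can turn away.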