ERR_CONNECTION_RESET

I have set up certificates for my IIS 10 website https://foederer.info using letsencrypt-win-simple. Worked like a charm.
The site comes up fine in Edge, but not in Chrome or Firefox: I get ERR_CONNECTION_RESET. It must have something to do with the site's setup, but I cannot find out what the problem is.
Could somebody please get me going?

It looks as if you have a very limited set of ciphers (just two: ECDHE-RSA-AES256-SHA384 and ECDHE-RSA-AES128-SHA256), which not all browsers/systems support, and if they don't support them, you will get that error.
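An added example, not from the thread, that classifies suites by their OpenSSL names the way the reply above reasons about them. The constructed inputs are the two suites named in the reply and an AEAD-only list in the style of the Mozilla generator's "intermediate" profile (assumed, not copied from the generator). The audit rule encodes the reply's diagnosis as an assumption: a client that offers only AEAD suites plus SHA-1 CBC fallbacks shares no suite with a server limited to SHA-2 CBC suites, so the handshake fails and the browser shows a reset. openssl_view is a local cross-check through Python's ssl module and needs no network.

```python
"""Classify TLS 1.2 cipher suites by their OpenSSL names and audit a server list.

Added example for the thread above; not part of the original posts.
"""
import ssl

# Constructed input: the two suites the reply says were the only ones enabled.
POSTED_SUITES = ["ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256"]

# Constructed input: an AEAD-only, forward-secret list in the style of the
# Mozilla generator's "intermediate" profile (assumption: illustrative, not
# copied from the generator).
MODERN_SUITES = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
]


def classify(suite):
    """Describe one OpenSSL-style TLS 1.2 suite name from its structure alone."""
    aead = any(tag in suite for tag in ("GCM", "CHACHA20", "CCM"))
    forward_secret = suite.startswith(("ECDHE-", "DHE-"))
    # Non-AEAD suites ending in SHA256/SHA384 are CBC with an HMAC-SHA-2 MAC;
    # both suites from the thread fall into this class.
    cbc_sha2 = not aead and suite.endswith(("-SHA256", "-SHA384"))
    cbc_sha1 = not aead and suite.endswith("-SHA")
    return {"suite": suite, "aead": aead, "forward_secret": forward_secret,
            "cbc_sha2": cbc_sha2, "cbc_sha1": cbc_sha1}


def audit(suites):
    """Return findings for a server cipher list; [] means nothing was flagged.

    Assumption (the reply's diagnosis): a client offering only AEAD suites plus
    SHA-1 CBC fallbacks has no suite in common with a server that allows only
    SHA-2 CBC suites, so the handshake fails and the browser reports a reset.
    """
    info = [classify(s) for s in suites]
    findings = []
    if not any(i["aead"] for i in info):
        findings.append("no AEAD (GCM/ChaCha20) suite: clients that offer only AEAD "
                        "suites and SHA-1 CBC fallbacks cannot negotiate at all")
    for i in info:
        if i["cbc_sha2"]:
            findings.append(f"{i['suite']}: CBC with HMAC-SHA-2, not offered by every client")
        if not i["forward_secret"]:
            findings.append(f"{i['suite']}: no forward secrecy (static key exchange)")
    return findings


def openssl_view(suites):
    """Cross-check the name-based classification against the local OpenSSL.

    Returns {suite name: aead flag} for the suites OpenSSL accepts (TLS 1.3
    suites are listed too, since they are always enabled), or {} if this build
    rejects the list, e.g. at a stricter security level. Only builds a context,
    so it needs no network.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(":".join(suites))
    except ssl.SSLError:
        return {}
    return {c["name"]: c["aead"] for c in ctx.get_ciphers()}


if __name__ == "__main__":
    for label, suites in (("posted", POSTED_SUITES), ("modern", MODERN_SUITES)):
        print(label, audit(suites) or "ok")
    print(openssl_view(POSTED_SUITES))
```

Run it as-is to see the posted list flagged and the modern list pass; the openssl_view output tells you whether the machine's OpenSSL agrees with the name-based AEAD classification, which is the check to make before trusting a hand-written list on a server you cannot probe from outside.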

Thanks for helping!
I did indeed have only a few ciphers set. When I expand this to the best-practice list in IIS Crypto it's OK in Firefox, but in Chrome I get "Unsafe".
Maybe some are blacklisted?
These are my cipher sets right now:

https://mozilla.github.io/server-side-tls/ssl-config-generator/ is a good site for showing which ciphers etc. are appropriate for your site (depending on what you want to achieve). You can also test at https://www.ssllabs.com.


The Mozilla generator is the best; I used it for generating ciphers for web and mail, and it works like a charm.

The cause seems to be mixed content. Some links to fonts in my website are not secure. I use BlogEngine.NET and it seems to have insecure links I cannot control. So no problem with Let's Encrypt!
Thanks everyone.


Use a CSP (Content Security Policy) to specify which external resources are allowed to be loaded. If you use WordPress you can use this plugin for CSP: https://wordpress.org/plugins/wp-content-security-policy/

You can see what one of my CSPs looks like at https://redbot.org/?uri=https%3A%2F%2Fmitchellkrog.com

And then use this site to test and further strengthen your security headers

Don't get a fright when you see a big red F; it is easy to fix and add all the required headers, and WordPress plugins are available for achieving all of this and getting you an A score. But stay away from HPKP altogether: it is not supported by LE and can brick your domain for good, so don't chase an A+. If it interests you, I send the X headers using Nginx instead of a WordPress plugin, and then use the CSP plugin above to first run in logging mode, then create the rules needed, and then enforce the policy.

For Nginx (in a server {} block):

    # Add X Headers (note: an add_header inside a nested location block replaces these, so repeat them there)
    add_header X-Frame-Options SAMEORIGIN;          # only same-origin framing (clickjacking)
    add_header X-Content-Type-Options nosniff;      # no MIME sniffing of responses
    add_header X-XSS-Protection "1; mode=block";    # legacy browser XSS-filter hint; current browsers ignore it

You can then also double-check your policy in Chrome via View > Developer > Developer Tools > Security, then reload your page(s) and see if it shows you any non-secure origins. Here's a write-up I did on it
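An added example, not from the post and not BlogEngine.NET, WordPress or nginx code, that does offline what the post describes doing with the browser's Security panel and a headers checker: it parses a Content-Security-Policy value into directives, flags plain-http sources (the mixed-content case from earlier in the thread) and shows how the upgrade-insecure-requests directive changes that verdict, flags wildcard and 'unsafe-inline' script sources, reports when a policy is still in Report-Only (logging) mode, and lists missing headers. The response headers, the hostnames in them, and the set of headers treated as required are constructed for the example.

```python
"""Parse a Content-Security-Policy header and audit security headers offline.

Added example for the post above; not BlogEngine.NET, WordPress or nginx code.
"""

# Constructed response headers, modelled on the nginx add_header lines in the
# post plus a CSP. Hostnames are placeholders, not real services.
SAMPLE_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self'; "
        "font-src 'self' http://fonts.example.net https://fonts.example.org; "
        "script-src 'self' 'unsafe-inline' https://cdn.example.com; "
        "upgrade-insecure-requests"
    ),
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}

# Assumption: the headers this audit treats as required (HPKP deliberately
# absent, as the post advises).
REQUIRED_HEADERS = (
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-Content-Type-Options",
)


def parse_csp(value):
    """Split 'd1 s1 s2; d2 s3' into {'d1': ['s1', 's2'], 'd2': ['s3']}.

    Directive names are case-insensitive, and browsers ignore a repeated
    directive, so only the first occurrence is kept.
    """
    policy = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_csp(policy):
    """Findings for a parsed policy; [] means nothing was flagged."""
    findings = []
    upgrade = "upgrade-insecure-requests" in policy
    if "default-src" not in policy:
        findings.append("no default-src: fetch directives without an entry are unrestricted")
    for directive, sources in policy.items():
        for src in sources:
            s = src.lower()
            if s == "http:" or s.startswith("http://"):
                # An http source on an https page is mixed content unless the
                # browser is told to upgrade such requests to https.
                note = ("upgraded to https by upgrade-insecure-requests" if upgrade
                        else "mixed content: blocked or marked not secure on an https page")
                findings.append(f"{directive}: plain-http source {src} ({note})")
            elif s == "*":
                findings.append(f"{directive}: wildcard allows any origin")
            elif s == "'unsafe-inline'" and directive in ("script-src", "default-src"):
                findings.append(f"{directive}: 'unsafe-inline' lets injected inline scripts run")
    return findings


def audit_headers(headers):
    """Check a response header dict (names matched case-insensitively) and its CSP."""
    present = {name.lower(): value for name, value in headers.items()}
    findings = [f"missing header: {h}" for h in REQUIRED_HEADERS if h.lower() not in present]
    if "content-security-policy" in present:
        findings += audit_csp(parse_csp(present["content-security-policy"]))
    elif "content-security-policy-report-only" in present:
        # The logging stage the post describes: violations are reported, nothing is blocked.
        findings.append("CSP is report-only: violations are logged but not enforced yet")
    return findings


if __name__ == "__main__":
    for line in audit_headers(SAMPLE_HEADERS):
        print(line)
```

Feed audit_headers the headers from a real response (for example the dict from a requests or urllib response) to get the same list for your own site; for a site like the one in the thread, whose template emits http: font links it cannot edit, the upgrade-insecure-requests branch is the directive that turns the mixed-content finding into a harmless upgrade, provided the font host also serves https.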
