Let's Encrypt incompatibility with old Safari versions

I use Let's Encrypt on my websites, but unfortunately I have noticed that my HTTPS websites with Let's Encrypt are not visible in Safari versions older than 6 (thus all versions for Windows and older versions for Mac); for example, in version 5 of Safari this website www.immobiliarezzo.it is not visible.
Can I fix this in some way?

If not, please confirm this incompatibility and add this on its web page ( https://letsencrypt.org/docs/certificate-compatibility/ ).

Hi @massimo,

This problem is often caused by cryptographic settings on the web server (such as protocol versions and ciphersuites), rather than by the certificate itself.

According to
https://www.ssllabs.com/ssltest/analyze.html?d=www.immobiliarezzo.it

your server closed the connection before performing a TLS negotiation when the client tried to act like Safari 5. This could be due to some kind of firewall policy but perhaps is also a symptom of protocol version or ciphersuite mismatch. (I don’t know why the server would disconnect in this case instead of returning a TLS error message, but it’s possible.)

You can use a tool like

https://mozilla.github.io/server-side-tls/ssl-config-generator/

to find cryptographic settings for several web server applications that try to ensure compatibility with older client software.

I think it might have something to do with the fact Safari 5 only supports SSLv3 and TLSv1.0 and the current server configuration only supports TLSv1.1 and TLSv1.2.

The reason SSL Labs doesn't provide a useful error message is because it doesn't get a reason from the server at all. The server just disconnects without an SSL error:

1 local_ip     remote_ip   TCP 44476→https [SYN] Seq=0 Win=29040 Len=0 MSS=1452 SACK_PERM=1 TSval=6540488 TSecr=0 WS=128 74
2 remote_ip    local_ip    TCP https→44476 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1452 SACK_PERM=1 WS=128 66
3 local_ip     remote_ip   TCP 44476→https [ACK] Seq=1 Ack=1 Win=29056 Len=0                 54
4 local_ip     remote_ip   SSL Client Hello                                                    284
5 remote_ip    local_ip    TCP https→44476 [ACK] Seq=1 Ack=231 Win=30336 Len=0               60
6 remote_ip    local_ip    TCP https→44476 [RST, ACK] Seq=1 Ack=231 Win=30336 Len=0          60

Thanks for figuring that out, @Osiris!

@massimo, you can probably then get Safari 5 support by enabling the older protocols in your web server configuration. The Mozilla configuration generator may be able to help with this.
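
An added example, not part of the thread: a way to check from the client side which protocol versions your own server accepts, and whether a refused version produces a TLS alert or the bare reset shown in the capture above. The names `probe` and `audit` are hypothetical, and the local OpenSSL build is assumed to still be able to offer TLS 1.0 and 1.1.

```python
import socket
import ssl
import sys

# Oldest first; per the thread, Safari 5 offers nothing newer than TLS 1.0.
VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def probe(host, port, version, timeout=5.0):
    """Offer exactly one TLS version and classify how the server reacts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # only the protocol outcome matters here,
    ctx.verify_mode = ssl.CERT_NONE  # not whether the certificate is trusted
    try:
        # OpenSSL 3 only offers TLS 1.0/1.1 at security level 0.
        ctx.set_ciphers("DEFAULT@SECLEVEL=0")
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return "client-unsupported"  # local OpenSSL build cannot offer it
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted:" + tls.version()
    except ssl.SSLEOFError:
        return "closed-without-alert"    # FIN, no TLS alert
    except ssl.SSLError as exc:
        return "tls-error:" + (exc.reason or "unknown")  # e.g. a version alert
    except ConnectionResetError:
        return "reset-without-alert"     # the RST seen in the capture above
    except OSError as exc:
        return "network-error:" + type(exc).__name__


def audit(host, port=443):
    """Map each protocol version to the outcome of offering only that version."""
    return {v.name: probe(host, port, v) for v in VERSIONS}


if __name__ == "__main__":
    # Usage: python tls_versions.py your-own-server.example
    for name, outcome in audit(sys.argv[1]).items():
        print(f"{name:8} {outcome}")
```

A `reset-without-alert` result for TLSv1 alongside `accepted:` results for the newer versions matches the diagnosis given in the thread.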
