Let's Encrypt incompatibility with safari old version

massimo · March 23, 2017, 7:39am

I Encrypt use of fear on my websites, but unfortunately I have noticed that my HTTPS websites with Encrypt Let are not visible on the Safari browser over 6 version age (thus all versions of Windows and older versions for Mac), for example in 5 version of Safari this website www.immobiliarezzo.it is not visible.
Can I fix this in some way?

If not, please confirm this incompatibility and add this on its web page ( https://letsencrypt.org/docs/certificate-compatibility/ ).

schoen · March 23, 2017, 5:49pm

Hi @massimo,

This problem is often caused by cryptographic settings on the web server (such as protocol versions and ciphersuites), rather than by the certificate itself.

According to
https://www.ssllabs.com/ssltest/analyze.html?d=www.immobiliarezzo.it

your server closed the connection before performing a TLS negotiation when the client tried to act like Safari 5. This could be due to some kind of firewall policy but perhaps is also a symptom of protocol version or ciphersuite mismatch. (I don’t know why the server would disconnect in this case instead of returning a TLS error message, but it’s possible.)

You can use a tool like

https://mozilla.github.io/server-side-tls/ssl-config-generator/

to find cryptographic settings for several web server applications that try to ensure compatibility with older client software.

Osiris · March 23, 2017, 6:10pm

I think it might have something to do with the fact Safari 5 only supports SSLv3 and TLSv1.0 and the current server configuration only supports TLSv1.1 and TLSv1.2.

The reason SSL Labs doesn't provide an useful error message is because it doesn't get a reason from the server at all. The server just disconnects without a SSL error:

1 local_ip     remote_ip   TCP 44476→https [SYN] Seq=0 Win=29040 Len=0 MSS=1452 SACK_PERM=1 TSval=6540488 TSecr=0 WS=128 74
2 remote_ip    local_ip    TCP https→44476 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1452 SACK_PERM=1 WS=128 66
3 local_ip     remote_ip   TCP 44476→https [ACK] Seq=1 Ack=1 Win=29056 Len=0                 54
4 local_ip     remote_ip   SSL Client Hello                                                    284
5 remote_ip    local_ip    TCP https→44476 [ACK] Seq=1 Ack=231 Win=30336 Len=0               60
6 remote_ip    local_ip    TCP https→44476 [RST, ACK] Seq=1 Ack=231 Win=30336 Len=0          60

schoen · March 23, 2017, 6:27pm

Thanks for figuring that out, @Osiris!

@massimo, you can probably then get Safari 5 support by enabling the older protocols in your web server configuration. The Mozilla configuration generator may be able to help with this.

system · April 22, 2017, 6:27pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
2 Problems with my certificate Help	27	3418	May 16, 2020
Enabling Older Ciphers to Support Safari 5.x Server	6	2929	April 26, 2017
In Mac OS X 10.4.11／Safari 4.1.3, not protected Help	9	2742	November 2, 2017
Issue with the safari browser Help	9	2221	December 28, 2018
LETSENCRYPT CERT not working for SAFARI WITH HTTP/2 Server	7	8972	March 1, 2017

Let's Encrypt incompatibility with safari old version

Related topics