Let's Encrypt incompatibility with old versions of Safari


#1

I use Let's Encrypt on my websites, but unfortunately I have noticed that my HTTPS websites with Let's Encrypt are not visible in Safari versions older than 6 (thus all versions for Windows and older versions for Mac). For example, in version 5 of Safari the website www.immobiliarezzo.it is not visible.
Can I fix this in some way?

If not, please confirm this incompatibility and add it to the compatibility web page ( https://letsencrypt.org/docs/certificate-compatibility/ ).


#2

Hi @massimo,

This problem is often caused by cryptographic settings on the web server (such as protocol versions and ciphersuites), rather than by the certificate itself.

According to
https://www.ssllabs.com/ssltest/analyze.html?d=www.immobiliarezzo.it

your server closed the connection before performing a TLS negotiation when the client tried to act like Safari 5. This could be due to some kind of firewall policy but perhaps is also a symptom of protocol version or ciphersuite mismatch. (I don’t know why the server would disconnect in this case instead of returning a TLS error message, but it’s possible.)

You can use a tool like

https://mozilla.github.io/server-side-tls/ssl-config-generator/

to find cryptographic settings for several web server applications that try to ensure compatibility with older client software.


#3

I think it might have something to do with the fact Safari 5 only supports SSLv3 and TLSv1.0 and the current server configuration only supports TLSv1.1 and TLSv1.2.

The reason SSL Labs doesn’t provide a useful error message is that it doesn’t get a reason from the server at all. The server just disconnects without an SSL error:

1 local_ip     remote_ip   TCP 44476→https [SYN] Seq=0 Win=29040 Len=0 MSS=1452 SACK_PERM=1 TSval=6540488 TSecr=0 WS=128 74
2 remote_ip    local_ip    TCP https→44476 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1452 SACK_PERM=1 WS=128 66
3 local_ip     remote_ip   TCP 44476→https [ACK] Seq=1 Ack=1 Win=29056 Len=0                 54
4 local_ip     remote_ip   SSL Client Hello                                                    284
5 remote_ip    local_ip    TCP https→44476 [ACK] Seq=1 Ack=231 Win=30336 Len=0               60
6 remote_ip    local_ip    TCP https→44476 [RST, ACK] Seq=1 Ack=231 Win=30336 Len=0          60
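
The distinction raised in replies #2 and #3 (a bare TCP reset versus a TLS alert versus a completed ServerHello) can be checked from the first bytes a server returns after the ClientHello. The following is an added example, not part of the thread; the function name and the sample byte strings are constructed for illustration, and it covers SSLv3 through TLSv1.2 only.

```python
import struct

# Alert descriptions that usually indicate a protocol/ciphersuite mismatch.
ALERTS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def classify_reply(data: bytes, reset: bool = False) -> str:
    """Classify what a server sent back after a ClientHello.

    data  -- bytes read from the socket (may be empty)
    reset -- True if the read ended with a TCP RST (ConnectionResetError)
    """
    if not data:
        # The case in the capture above: ACK, then RST, no TLS record at all.
        return "tcp-reset-no-tls" if reset else "closed-no-tls"
    if len(data) < 5:
        return "truncated-record"
    # TLS record header: content type (1), record version (2), length (2).
    ctype, _rec_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if ctype == 0x15:  # alert record: level (1), description (1)
        if len(body) < 2:
            return "truncated-alert"
        level = "fatal" if body[0] == 2 else "warning"
        return f"alert:{level}:{ALERTS.get(body[1], body[1])}"
    if ctype == 0x16:  # handshake record: type (1), length (3), then the message
        if len(body) < 6:
            return "truncated-handshake"
        if body[0] == 2:  # ServerHello starts with the negotiated version
            (negotiated,) = struct.unpack("!H", body[4:6])
            return f"server-hello:{VERSIONS.get(negotiated, hex(negotiated))}"
        return f"handshake-type-{body[0]}"
    return "not-tls"


# Constructed sample inputs (not captured from the server in this thread).
SAMPLE_ALERT = bytes.fromhex("15030100020246")  # fatal protocol_version alert
_hello = b"\x02\x00\x00\x26\x03\x01" + bytes(32) + b"\x00\x00\x2f\x00"
SAMPLE_SERVER_HELLO = b"\x16\x03\x01" + struct.pack("!H", len(_hello)) + _hello

if __name__ == "__main__":
    print(classify_reply(b"", reset=True))
    print(classify_reply(SAMPLE_ALERT))
    print(classify_reply(SAMPLE_SERVER_HELLO))
```

A server that rejects the protocol version at the TLS layer normally produces the alert case; the empty-read-plus-reset case matches the trace above, where the connection is dropped before any TLS record is sent.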

#4

Thanks for figuring that out, @Osiris!

@massimo, you can probably then get Safari 5 support by enabling the older protocols in your web server configuration. The Mozilla configuration generator may be able to help with this.

