Let's encrypt + Plesk + Firefox 45


i have some problems, if i activate on my server the let’s encrypt , the site will get complete white with a https - connection in firefox.

I’dont know why.

http://support.wegot.vision => working
https:///support.wegot.vision => not working

In chrome/Internet explorer/edge/opera it’s work fine.

It might be because of the following error:

Firefox 47 / Win 7 R Server negotiated HTTP/2 with blacklisted suite
RSA 2048 (SHA256) | TLS 1.2 > h2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH secp256r1

(Source: SSL Server Test: support.wegot.vision (Powered by Qualys SSL Labs))

You can find the blacklisted cipher suits for HTTP2 here: https://http2.github.io/http2-spec/#BadCipherSuites

The list of cipher suits provided by my Firefox (45):

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   Forward Secrecy 	128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   Forward Secrecy 	128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   Forward Secrecy 	256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   Forward Secrecy 	128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy 	128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Forward Secrecy 	256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   Forward Secrecy 	128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   Forward Secrecy 	256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 	128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 	256

Cross-reference that with the list of cipher suits your server offers from the page I linked to above. You'll see the first possible cipher suite of your server which is listed in the clients supported cipher suits is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014). And that suite is blacklisted.

Possible options:

  • Fix your servers cipher suites. The list of cipher suites now currently used is like.. Ancient? An usefull method is using the Mozilla SSL Configuration Generator.
  • Disable HTTP2. But that won't change the fact you're using ancient cipher suites and possibly not getting the optimal encryption.
1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.