LETSENCRYPT CERT not working for SAFARI WITH HTTP/2


#1

Hi,

We have a server running Apache 2.4 and an SSL vhost with an LE cert created using certbot. Everything works fine until we enable h2 on the server. Then Chrome and Firefox continue to work, but Safari and iPhone (using both Safari and Chrome) start to see a "server unexpectedly dropped the connection" error.

We have the same configuration on another virtual with a Comodo certificate, so we think it is something related to the LE config.

We removed a lot of ciphers from the default config and put this, but it is still not working:
SSLProtocol TLSv1 TLSv1.1 TLSv1.2
SSLCipherSuite EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

Any ideas where to look? Thank you!


#2

It's not just that HTTP/2 requires removing some blacklisted ciphers; it also requires having AES-GCM on the list. I had a similar experience, maybe this will help - https://do-know.com/guides/blog-Enabling-HTTP-v2-on-your-server.html


#3

Thank you, I tried putting the ciphers listed in the document, but it made no difference. Safari desktop and Safari+Chrome on iPhone cannot connect. Everything else is working.

The strange thing is that if I disable H2 support on the server, Safari can connect perfectly. It is the combination with H2 that causes the issue.

Most strange is that after a deeper analysis, the only things not working are images. The HTML works well on all browsers and downloads over HTTP/2, but for some reason all the images don't on Safari. If I remove h2, everything goes back to normal.

Any more ideas? 🙂


#4

hi hmarsili

have you tried troubleshooting at the web development layer (using the browser's dev tools)?
this will tell you if the problem is with the image paths or something else; it will also tell you if the resources were found

A) use SSLLabs https://www.ssllabs.com/ to get an idea of what browsers and devices your current setup supports
B) it's highly unlikely that HTTPS vs HTTP is causing your issue. These are transport mechanisms and do not change the paths etc.
C) doing a baseline (HTTP vs HTTPS) and comparing the paths to the images might show you what the problem is
D) if you are seeing different URLs then investigate URL rewriting at the web-server level


#5

The problem is 100% related to the HTTP/2 module configuration on Apache 2. We disable the module, and everything works on HTTPS. We enable it, and mainly images (but sometimes other resources) are not downloaded. The connection is dropped.

SSL Labs shows an A grade for the site. The paths never change. The problem is not between HTTP and HTTPS, but between HTTPS with HTTP/1.1 and HTTPS with HTTP/2.

We tried updating Apache to the latest version, but nothing. We found an upcoming version, still experimental, mentioning fixes to HTTP/2. Maybe that will help.

The strangest thing for us is why this only affects Mac devices (Safari and iPhone).


#6

hi hmarsili

SSL Labs also lets you know what devices may have issues (at the end of the report)

have a look at this post http://stackoverflow.com/questions/37210117/http-2-site-will-not-load-on-safari-9-only-loads-okay-on-chrome-ie-edge-fir

there is a good idea in one of the replies:

Yes, but HTTP/2 is more strict with the ciphers. Check an HTTP/2 enabled website that works in Safari (e.g. shimmercat.com) using SSL Qualys to get the list of ciphers right. You can also check the black list, but it is rather long and doesn’t tell you what to do


#7

It sounds more like a bug in Safari's implementation of HTTP/2; the cipher requirements are pretty lax in the spec (and both Chrome and Firefox implement them, so you'd see more issues), so as long as you negotiate AES-GCM or ChaCha20 it should be fine.

I don't know if Safari has network logging tools like Chrome or Firefox do, but it'd be useful to see exactly what error Safari is hitting (and whether it's on the server side or the client side).
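The rule behind the advice in #2 and #7 is RFC 7540 section 9.2.2: over TLS 1.2 an HTTP/2 connection must use an ephemeral key exchange (DHE/ECDHE) and an AEAD bulk cipher (AES-GCM, AES-CCM or ChaCha20-Poly1305); anything else is on the Appendix A black list, and a client that ends up on such a suite is entitled to reply INADEQUATE_SECURITY and close the connection. The script below is an added example, not code from this thread or from mod_http2: it classifies OpenSSL-style suite names against that rule, audits a hand-expanded approximation of the SSLCipherSuite from #1 (the real expansion and its order come from the OpenSSL build, so the list is an assumption), and simulates which suite gets picked when a constructed client that prefers CBC suites connects with and without server-side cipher ordering.

```python
"""Check TLS cipher suites against RFC 7540 section 9.2.2 and simulate
which suite a server picks. Added example; all suite lists below are
constructed by hand for illustration, not captured from any client or server.
"""

# Over TLS 1.2, HTTP/2 needs an ephemeral key exchange and an AEAD cipher.
# TLS 1.3 suites (OpenSSL spells them TLS_...) satisfy both by design.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
AEAD_MARKERS = ("-GCM-", "-CCM", "CHACHA20-POLY1305")


def is_http2_safe(openssl_name: str) -> bool:
    """True if the suite (OpenSSL name) is acceptable for HTTP/2."""
    name = openssl_name.strip().upper()
    if name.startswith("TLS_"):            # TLS 1.3: always ephemeral + AEAD
        return True
    ephemeral = name.startswith(EPHEMERAL_PREFIXES)   # no prefix = static RSA
    aead = any(marker in name for marker in AEAD_MARKERS)
    return ephemeral and aead


def audit(suites):
    """Return [(name, ok), ...] in the given preference order."""
    return [(s, is_http2_safe(s)) for s in suites]


def blacklisted(suites):
    """Names in `suites` that RFC 7540 Appendix A forbids for HTTP/2."""
    return [s for s, ok in audit(suites) if not ok]


def negotiate(server_prefs, client_offer, honor_server_order=True):
    """Suite a TLS 1.2 server selects: first preferred suite the other side
    also has, with preference taken from the server (SSLHonorCipherOrder on)
    or the client (off). Returns None when there is no overlap."""
    first, second = (server_prefs, client_offer) if honor_server_order \
        else (client_offer, server_prefs)
    return next((s for s in first if s in second), None)


# Constructed hand-expansion of the thread's spec
# "EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES"
# for an RSA certificate; the real expansion and its order are OpenSSL's.
THREAD_SPEC_EXPANDED = [
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA",
    "AES128-GCM-SHA256", "AES128-SHA256", "AES128-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA",
    "AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA",
    "ECDHE-RSA-DES-CBC3-SHA", "DES-CBC3-SHA",
]

# A spec containing only compliant suites: whatever gets negotiated is safe.
HARDENED_SPEC_EXPANDED = [
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
]

# Constructed ClientHello order for a client that prefers CBC suites and does
# not offer ChaCha20; not a capture of any real browser.
CBC_FIRST_CLIENT = [
    "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA", "AES128-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
]


def main():
    print("Black-listed entries in the thread's spec:")
    for s in blacklisted(THREAD_SPEC_EXPANDED):
        print("  ", s)
    for label, prefs in (("thread spec", THREAD_SPEC_EXPANDED),
                         ("hardened spec", HARDENED_SPEC_EXPANDED)):
        for honor in (True, False):
            chosen = negotiate(prefs, CBC_FIRST_CLIENT, honor)
            ok = chosen is not None and is_http2_safe(chosen)
            print(f"{label}, SSLHonorCipherOrder {'on' if honor else 'off'}: "
                  f"{chosen} -> {'h2 ok' if ok else 'INADEQUATE_SECURITY risk'}")


if __name__ == "__main__":
    main()
```

The point the simulation makes: a spec that still lists CBC and static-RSA suites is only safe while the server's own ordering happens to reach a GCM suite first; with SSLHonorCipherOrder off, or with a client that does not offer the suites the server prefers, a black-listed suite can be negotiated and the HTTP/2 side then fails even though HTTP/1.1 over the same TLS session is fine. Keeping only ECDHE+AEAD suites in SSLCipherSuite removes that dependence on ordering. mod_http2 also has an H2ModernTLSOnly directive (on by default) that enforces these requirements itself, which is another thing worth checking in the vhost.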
