[solved] Safari fails to talk to LE-powered website, other browsers are fine

It’s a curious thing, and I’m not really sure it’s LE-related (everything’s working when I fall back to StartSSL certs, so it should be, in some way, right?)

I’m running nginx with acmetool as forward proxy. I spawn all the web configs from exactly the same template:

listen 443 ssl http2;
ssl on;   # redundant once "ssl" is given on the listen line (deprecated in newer nginx)
ssl_protocols TLSv1.1 TLSv1.2;
# Note: "EECDH+aRSA+RC4" is listed but then excluded again by "!RC4" later in the string.
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:DES-CBC3-SHA:!DES:!RC4:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS:!CAMELLIA:!SEED";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_dhparam         /etc/nginx/conf.d/dhparams.pem;

# Certificate Transparency: ssl_ct and ssl_ct_static_scts come from the
# third-party nginx-ct module, not from stock nginx.
ssl_ct on;

# RSA certificate (acmetool "live" layout) plus its directory of static SCT files
ssl_certificate     /etc/nginx/ssl/rsa/live/{{$rootDomain}}/fullchain;
ssl_certificate_key /etc/nginx/ssl/rsa/live/{{$rootDomain}}/privkey;
ssl_ct_static_scts  /etc/nginx/ssl/rsa/live/{{$rootDomain}}/scts;

# ECDSA certificate served alongside the RSA one (dual-cert setup)
ssl_certificate     /etc/nginx/ssl/ecdsa/live/{{$rootDomain}}/fullchain;
ssl_certificate_key /etc/nginx/ssl/ecdsa/live/{{$rootDomain}}/privkey;
ssl_ct_static_scts  /etc/nginx/ssl/ecdsa/live/{{$rootDomain}}/scts;

# OCSP stapling; the resolver is needed to look up the OCSP responder
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

The domain wolfyarts.com works everywhere, the domain wolfyart.com fails to load in Safari (on either OSX or iOS).

Any ideas how to debug the Safari SSL issue? wolfyart.com loads fine in Chrome and Firefox on the same system.

It’s funny that ssllabs.com rates both as A+ with no issues.

Update: it’s not Safari-specific, it’s CFNetwork-specific, e.g. curl fails too:

$ curl -v https://wolfyart.com/
*   Trying 176.9.58.152...
* Connected to wolfyart.com (176.9.58.152) port 443 (#0)
* Unknown SSL protocol error in connection to wolfyart.com:-9800
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to wolfyart.com:-9800

According to ssllabs.com, there are some issues: SSL Server Test: wolfyart.com (Powered by Qualys SSL Labs)
It can't connect using:

Safari 5.1.9 / OS X 10.6.8
Safari 6.0.4 / OS X 10.8.4

and a lot of others...

Those are old versions that can’t do TLS 1.1, I believe. I’m fine with losing OS X 10.6.8, but not fine with OS X 10.10.

OK, I figured it out by gradually disabling parts of the SSL config :)

The problem was with the nginx-ct module (I didn’t even know Safari cares about CT records!). I had a zero-length CT file for a log that seems to be dead. Chrome and Firefox silently ignored the SCTs because of it, but Safari failed to load the whole site.

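The failure above came from a static SCT file that nginx-ct served as-is even though it was empty. The following is an added example, not code from the thread or from the nginx-ct project: a small pre-deployment check that parses every file in an `ssl_ct_static_scts` directory as an RFC 6962 v1 SignedCertificateTimestamp (TLS encoding: version, 32-byte log ID, 64-bit timestamp, extensions, then the digitally-signed block) and reports empty or truncated ones before nginx ever loads them. It assumes nginx-ct reads raw binary SCTs with a `.sct` suffix, which matches what ct-submit writes; the sample log ID and signature bytes are constructed, not real.

```python
"""Sanity-check static SCT files before nginx-ct loads them (added example)."""
import os
import struct
from dataclasses import dataclass

# RFC 5246 SignatureAndHashAlgorithm code points used by CT logs.
HASH_SHA256 = 4
SIG_ECDSA = 3


@dataclass
class Sct:
    log_id: bytes
    timestamp_ms: int
    extensions: bytes
    hash_alg: int
    sig_alg: int
    signature: bytes


def parse_sct(data: bytes) -> Sct:
    """Parse one RFC 6962 section 3.2 v1 SignedCertificateTimestamp.

    Raises ValueError for an empty, truncated or malformed blob, which is the
    kind of file that made CFNetwork reject the handshake in the thread above.
    """
    if not data:
        raise ValueError("empty SCT (zero-length file)")
    if data[0] != 0:
        raise ValueError(f"unsupported SCT version {data[0]} (expected v1 = 0)")
    off = 1

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(data):
            raise ValueError(f"truncated SCT: need {n} byte(s) at offset {off}, "
                             f"only {len(data) - off} left")
        chunk = data[off:off + n]
        off += n
        return chunk

    log_id = take(32)                               # SHA-256 of the log's public key
    (timestamp_ms,) = struct.unpack(">Q", take(8))  # milliseconds since the Unix epoch
    (ext_len,) = struct.unpack(">H", take(2))
    extensions = take(ext_len)                      # empty for every v1 log in practice
    hash_alg, sig_alg = take(1)[0], take(1)[0]
    (sig_len,) = struct.unpack(">H", take(2))
    signature = take(sig_len)
    if sig_len == 0:
        raise ValueError("SCT carries an empty signature")
    if off != len(data):
        raise ValueError(f"{len(data) - off} trailing byte(s) after the SCT")
    return Sct(log_id, timestamp_ms, extensions, hash_alg, sig_alg, signature)


def check_sct_files(files: dict) -> dict:
    """Map file name -> None if it parses cleanly, else the error message."""
    result = {}
    for name, blob in sorted(files.items()):
        try:
            parse_sct(blob)
            result[name] = None
        except ValueError as exc:
            result[name] = str(exc)
    return result


def check_sct_dir(path: str) -> dict:
    """Same check over the *.sct files in an nginx-ct ssl_ct_static_scts directory."""
    files = {}
    for name in os.listdir(path):
        if name.endswith(".sct"):
            with open(os.path.join(path, name), "rb") as fh:
                files[name] = fh.read()
    return check_sct_files(files)


def build_sct(log_id: bytes, timestamp_ms: int, signature: bytes,
              extensions: bytes = b"") -> bytes:
    """Encode a v1 SCT; used here only to construct sample input."""
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + bytes([HASH_SHA256, SIG_ECDSA])
            + struct.pack(">H", len(signature)) + signature)


# Constructed sample directory contents (fake log ID and signature, not real SCTs).
GOOD_SCT = build_sct(bytes(range(32)), 1_455_000_000_000,
                     b"\x30\x06\x02\x01\x01\x02\x01\x02")
SAMPLE_FILES = {
    "live-log.sct": GOOD_SCT,
    "dead-log.sct": b"",             # zero-length file, as in the thread
    "cut-short.sct": GOOD_SCT[:20],  # download interrupted inside the log ID
}

if __name__ == "__main__":
    for name, err in check_sct_files(SAMPLE_FILES).items():
        print(f"{name}: {'ok' if err is None else 'BAD - ' + err}")
```

Run `check_sct_dir("/etc/nginx/ssl/rsa/live/<domain>/scts")` from a deploy hook and refuse to reload nginx if any entry is non-None; that turns a silent Chrome/Firefox skip and a hard Safari failure into a visible error at deploy time.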

@farcaller Nice. Maybe you could open an issue there: https://github.com/ssllabs/ssllabs-scan/issues

Filed this to all the interested parties (ssllabs-scan, nginx-ct, apple).


You have enabled a total of 22 ciphers, but only three of them are in use by any modern browser. It would definitely reduce the attack vector to reduce the offered ciphers to these three.

If you disable RSA and select a better ECDHE curve, you could raise your score on the Key Exchange bar to 100%.

Also, none of the clients use TLS 1.1, so you could also raise the score on the Protocol Support bar to 100% by enabling only TLS 1.2.
