Some issue with Apple devices

I have been using Let’s Encrypt on my websites for more than a year and everything was working great.

But yesterday I got a strange issue. One of my websites (sensehome.ru, sensehome.ru/en) stopped working on any modern Apple device. I’ve tried the iPhone, iPad, Safari on Mac. But it works perfectly on any Windows or Android device, and it still works on a very old iPod touch with iOS 3 and on Chrome on Mac. Other websites with the same certificate work well: https://scobo-ihome.ru and even https://mini.sensehome.ru

The browser says that the connection is refused, but in the nginx access.log I cannot even see any connection from Apple devices.

I tried removing HTTPS, and all devices started to work well over HTTP.

Today I’ve obtained a new certificate and got the same issue.

Any advice, please?

My domain is: sensehome.ru/en, scobo-ihome.ru

My web server is (include version): nginx 1.1.19

The operating system my web server runs on is (include version): Ubuntu 12.04.5

I can log in to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31

It works on Firefox/macOS too, but I get the same thing on Safari/macOS. I’m seeing a number of issues with your configuration:
https://www.ssllabs.com/ssltest/analyze.html?d=sensehome.ru&hideResults=on
…but I wouldn’t expect they’d cause what you’re seeing.

curl doesn’t work either, on Linux. So it isn’t specific to macOS’ “SecureTransport” implementation.

Your server seems to be sending TCP FIN right after the key exchange, before the client gets a chance to submit its HTTP request; not sure why.

Yes. But on iPhone and iPad it does not work with any browser.

The strange thing is that I see no attempts to connect in the nginx access.log, nor any errors in error.log.

For example, when I’m trying to connect from Windows over HTTP, I get:
94.228.x.x - - [26/Jun/2019:14:09:39 +0300] "GET / HTTP/1.1" 301 185 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36"
94.228.x.x - - [26/Jun/2019:14:09:39 +0300] "GET / HTTP/1.1" 200 3676 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36"

When the SSL Labs handshake failed, I can see:
2019/06/26 14:03:43 [crit] 22936#0: *7158 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early) while SSL handshaking, client: 64.41.200.107, server: sensehome.ru

But when someone is trying to connect from iOS, I see only blank silence.

nginx isn’t going to log a request because your server is causing the TCP socket to be abandoned before the client gets a chance to submit a request.

That [FIN,ACK] that comes right before the GET request, plus those three RST packets, show that your server has already closed the connection on its side.

Maybe you can run tshark on your server, try to connect from iOS, and see what’s happening from its perspective.

3 Likes
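
The failure discussed in the posts above (the server closing the connection around the TLS handshake, so nginx never logs a request) can be narrowed down from the client side with a staged probe. This is an added example, not code from the thread; the function name `probe` and its stage labels are hypothetical.

```python
import socket
import ssl
import sys


def probe(host, port=443, timeout=5.0, context=None):
    """Return (stage, detail) for the first stage that fails, or ("ok", status line).

    `probe` and the stage labels are hypothetical names used only in this example.
    """
    ctx = context or ssl.create_default_context()
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp-connect", repr(exc))
    with raw:
        try:
            # wrap_socket() performs the full handshake before returning.
            tls = ctx.wrap_socket(raw, server_hostname=host)
        except OSError as exc:  # ssl.SSLError and socket timeouts are OSError subclasses
            return ("tls-handshake", repr(exc))
        with tls:
            request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            try:
                tls.sendall(request.encode("ascii"))
                first = tls.recv(4096)
            except OSError as exc:
                return ("http-after-handshake", repr(exc))
            if not first:
                # Clean close with no bytes: the server dropped the connection
                # before answering, so its access log may have no entry.
                return ("http-after-handshake", "peer closed without responding")
            return ("ok", first.split(b"\r\n", 1)[0].decode("latin-1"))


if __name__ == "__main__":
    # Usage: python probe.py HOSTNAME
    stage, detail = probe(sys.argv[1])
    print(f"{stage}: {detail}")
```

A result of `tls-handshake` or `http-after-handshake` alongside an empty access log points at the TLS layer of the server rather than at the site configuration or the certificate itself.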

It is pretty much the same.

But searching the web, I found a solution that removes the symptoms, at least. I just added this string to the nginx webpage conf:
ssl_session_cache shared:SSL:10m;

2 Likes
