Project

General

Profile

Actions

Bug #2553

closed

New lighttpd breaks connections from Safari on iOS

Added by Jim Pingle almost 10 years ago. Updated over 9 years ago.

Status:
Resolved
Priority:
High
Assignee:
-
Category:
Web Interface
Target version:
Start date:
07/18/2012
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.0.x
Affected Architecture:

Description

After the recent lighttpd upgrade to 1.4.31, iOS clients have issues connecting with Safari (Chrome on iOS is OK)

Error on the iOS client is:

Cannot Open Page
Safari cannot open the page because it could not establish a secure connection to the server. [OK]

The error seems to be an issue with mobile Safari and self-signed certificates, or certificates in general.

In lighttpd's changelog (http://redmine.lighttpd.net/versions/28) they list this:
  • ssl: disable client initiated renegotiations
  • ssl: support mitigating BEAST attack

There is a knob for ssl.disable-client-renegotiation to enable/disable but toggling that in lighttpd didn't help the client connect at all.

The BEAST attack mitigation involved changing the cipher order. If I use the "old" or "new" value for ssl.ciphers it does connect:
http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2814/diff/branches/lighttpd-1.4.x/doc/config/lighttpd.conf
Works (theirs):

ssl.ciphers                 = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" 

Does not work (ours):

ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH" 

Because we bumped lighty to fix those CVEs on both 2.0.x and 2.1 this affects both branches.

Actions

Also available in: Atom PDF