Bug #2553
New lighttpd breaks connections from Safari on iOS (status: closed)
Description
After the recent lighttpd upgrade to 1.4.31, iOS clients have issues connecting with Safari (Chrome on iOS is OK)
Error on the iOS client is:
Cannot Open Page
Safari cannot open the page because it could not establish a secure connection to the server.
The error seems to be an issue with mobile Safari and self-signed certificates, or certificates in general.
In lighttpd's changelog (http://redmine.lighttpd.net/versions/28) they list this:
- ssl: disable client initiated renegotiations
- ssl: support mitigating BEAST attack
There is a knob for ssl.disable-client-renegotiation to enable/disable but toggling that in lighttpd didn't help the client connect at all.
The BEAST attack mitigation involved changing the cipher order. If I use the "old" or "new" value for ssl.ciphers it does connect:
http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2814/diff/branches/lighttpd-1.4.x/doc/config/lighttpd.conf
Works (theirs):
ssl.ciphers = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
Does not work (ours):
ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"
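To see what the two strings above actually enable, and in which preference order, expand each one with the local OpenSSL. This is an added example, not code from the bug report, pfSense or lighttpd; it assumes an openssl binary on PATH, and the exact suites listed depend on the installed OpenSSL version (lighttpd hands the string to OpenSSL's cipher-list parser, which accepts colon or space separators).

```shell
#!/bin/sh
# Added example: expand lighttpd cipher strings with the local OpenSSL and
# compare them. Assumes `openssl` is on PATH; output varies by OpenSSL version.

# The two strings quoted in the bug report (constructed constants for this script)
WORKS='ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM'
BROKEN='TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH'

# expand_ciphers LIST -> suite names in server preference order, one per line.
# Newer OpenSSL also prints the fixed TLSv1.3 suites (column 2 = "TLSv1.3");
# those are not controlled by this string, so they are filtered out.
expand_ciphers() {
    openssl ciphers -v "$1" | awk '$2 != "TLSv1.3" { print $1 }'
}

# cipher_count LIST -> number of suites the string enables
cipher_count() {
    expand_ciphers "$1" | wc -l | tr -d ' '
}

# has_cipher LIST NAME -> success if NAME is enabled by LIST
has_cipher() {
    expand_ciphers "$1" | grep -qx "$2"
}

# first_cipher LIST -> the suite the server would prefer first
first_cipher() {
    expand_ciphers "$1" | head -n 1
}

# compare_lists A B -> suites only in A (unindented) and only in B (indented)
compare_lists() {
    a=$(mktemp); b=$(mktemp)
    expand_ciphers "$1" | sort > "$a"
    expand_ciphers "$2" | sort > "$b"
    comm -3 "$a" "$b"
    rm -f "$a" "$b"
}

main() {
    printf 'works  : %s suites, preferred: %s\n' "$(cipher_count "$WORKS")" "$(first_cipher "$WORKS")"
    printf 'broken : %s suites, preferred: %s\n' "$(cipher_count "$BROKEN")" "$(first_cipher "$BROKEN")"
    echo '--- suites present in only one list (unindented: works, indented: broken) ---'
    compare_lists "$WORKS" "$BROKEN"
}

# Only run the report when openssl is available
command -v openssl >/dev/null 2>&1 && main
```

Run it on the host that serves the certificate; the preferred suite and any RC4 or SSLv3-era entries in the "broken" expansion are the first things to check against what the failing client supports.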
Because we bumped lighty to fix those CVEs on both 2.0.x and 2.1, this affects both branches.