New lighttpd breaks connections from Safari on iOS
After the recent lighttpd upgrade to 1.4.31, iOS clients have issues connecting with Safari (Chrome on iOS is OK)
Error on the iOS client is:
Cannot Open Page Safari cannot open the page because it could not establish a secure connection to the server. [OK]
The error seems to be an issue with mobile Safari and self-signed certificates, or certificates in general. In lighttpd's changelog (http://redmine.lighttpd.net/versions/28) they list this:
- ssl: disable client initiated renegotiations
- ssl: support mitigating BEAST attack
There is a knob for ssl.disable-client-renegotiation to enable/disable but toggling that in lighttpd didn't help the client connect at all.
The BEAST attack mitigation involved changing the cipher order. If I use the "old" or "new" value for ssl.cipher-list it does connect:
ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
Does not work (ours):
ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"
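To see what those two strings actually enable, and in what order, here is an added example (not part of the bug report and not lighttpd's or OpenSSL's code): a toy evaluator of OpenSSL cipher-list syntax run over a small hand-built table of suites. The SUITES table, the alias tags attached to each suite and the key-bit values are constructed for illustration and follow OpenSSL 1.0.x naming conventions (SSLv3-era suites also match TLSv1, TLSv1.2-only suites carry their own tag); the evaluator implements the ciphers(1) rules for ':', '!', '-', '+', 'A+B' and '@STRENGTH' as documented, and treats an alias it does not know (such as SSLv2) as matching nothing.

```python
import re

# Constructed sample table (not OpenSSL's real one): suite -> (key bits,
# alias tags the suite would match). Tags follow OpenSSL 1.0.x naming:
# SSLv3-era suites also match "TLSv1", TLSv1.2-only suites match "TLSv1.2".
SUITES = {
    "ECDHE-RSA-AES256-GCM-SHA384": (256, {"TLSv1.2", "HIGH", "AESGCM", "AES256", "aRSA", "kEECDH", "SHA384"}),
    "ECDHE-RSA-AES256-SHA384":     (256, {"TLSv1.2", "HIGH", "AES256", "aRSA", "kEECDH", "SHA384"}),
    "AES256-SHA256":               (256, {"TLSv1.2", "HIGH", "AES256", "aRSA", "kRSA", "SHA256"}),
    "DHE-RSA-AES256-SHA":          (256, {"SSLv3", "TLSv1", "HIGH", "AES256", "aRSA", "kEDH", "EDH", "SHA1"}),
    "AES128-SHA":                  (128, {"SSLv3", "TLSv1", "HIGH", "AES128", "aRSA", "kRSA", "SHA1"}),
    "DES-CBC3-SHA":                (112, {"SSLv3", "TLSv1", "HIGH", "3DES", "aRSA", "kRSA", "SHA1"}),
    "RC4-SHA":                     (128, {"SSLv3", "TLSv1", "MEDIUM", "RC4", "aRSA", "kRSA", "SHA1"}),
    "RC4-MD5":                     (128, {"SSLv3", "TLSv1", "MEDIUM", "RC4", "aRSA", "kRSA", "MD5"}),
    "ADH-AES256-SHA":              (256, {"SSLv3", "TLSv1", "HIGH", "AES256", "aNULL", "kEDH", "SHA1"}),
    "NULL-SHA":                    (0,   {"SSLv3", "TLSv1", "eNULL", "aRSA", "kRSA", "SHA1"}),
}

# The two cipher strings from the report.
LIGHTTPD_VALUE = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
OURS = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"


def _matches(name, term):
    """A suite matches a term if the term is its exact name, or if the suite
    carries every tag in the term ('A+B' in ciphers(1) means A and B)."""
    if name == term:
        return True
    tags = SUITES[name][1]
    return all(part in tags for part in term.split("+"))


def expand(cipher_string):
    """Return the ordered list of suites a cipher string enables, applying the
    ciphers(1) rules: a plain term appends matches not yet present, '!' removes
    them permanently, '-' removes but lets a later term re-add them, '+' moves
    already-enabled matches to the end, '@STRENGTH' sorts by key bits."""
    enabled = []
    killed = set()
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        if not token:
            continue
        if token == "@STRENGTH":
            # Python's sort is stable, so equal-strength suites keep their order.
            enabled.sort(key=lambda n: SUITES[n][0], reverse=True)
            continue
        op, term = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [n for n in SUITES if _matches(n, term)]  # unknown alias: no hits
        if op == "!":
            killed.update(hits)
            enabled = [n for n in enabled if n not in hits]
        elif op == "-":
            enabled = [n for n in enabled if n not in hits]
        elif op == "+":
            enabled = [n for n in enabled if n not in hits] + [n for n in enabled if n in hits]
        else:
            enabled += [n for n in hits if n not in killed and n not in enabled]
    return enabled


def compare(a, b):
    """Suites offered by exactly one of the two strings, for a quick diff."""
    ea, eb = expand(a), expand(b)
    return {"only_in_first": [n for n in ea if n not in eb],
            "only_in_second": [n for n in eb if n not in ea]}


if __name__ == "__main__":
    for label, value in (("lighttpd value", LIGHTTPD_VALUE), ("ours", OURS)):
        print(f"{label}:")
        for suite in expand(value):
            print(f"  {suite}")
    print(compare(LIGHTTPD_VALUE, OURS))
```

On a real host the authoritative expansion comes from `openssl ciphers -v '<string>'` run against the OpenSSL build lighttpd is linked to, and comparing the two expansions is the first check worth doing before suspecting certificates: cipher selection happens at ServerHello, so a client that shares no enabled suite with the server fails the handshake before any certificate is examined, and mobile Safari reports that with the same generic "could not establish a secure connection" message.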
Because we bumped lighty to fix those CVEs on both 2.0.x and 2.1, this affects both branches.