
Bug #2553

Updated by Jim Pingle over 9 years ago

After the recent lighttpd upgrade to 1.4.31, iOS clients have issues connecting with Safari (Chrome on iOS is OK).

Error on the iOS client is:
<pre>
Cannot Open Page
Safari cannot open the page because it could not establish a secure connection to the server. [OK]
</pre>

The error seems to be an issue with mobile Safari and self-signed certificates, or certificates in general.

In lighttpd's changelog (http://redmine.lighttpd.net/versions/28) they list this:
* ssl: disable client initiated renegotiations
* ssl: support mitigating BEAST attack

There is a knob for ssl.disable-client-renegotiation to enable/disable, but toggling that in lighttpd didn't help the client connect at all.

The BEAST attack mitigation involved changing the cipher order. If I use the "old" or "new" value for ssl.ciphers, it does connect:
http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2814/diff/branches/lighttpd-1.4.x/doc/config/lighttpd.conf

Works (theirs):
<pre>
ssl.ciphers                   = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
</pre>

Does not work (ours):
<pre>
ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"
</pre>

Because we bumped lighty to fix those CVEs on both 2.0.x and 2.1, this affects both branches.
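As an added illustration (not code from the report, lighttpd or pfSense), the Python below evaluates both cipher strings from the report under a simplified model of OpenSSL's cipher-string syntax (':'/space separators, '!', '-', '+' and '@STRENGTH') against a small hand-built suite table, so the two resulting orderings can be compared side by side. The suite table and its keyword tags are constructed for this example and only approximate OpenSSL's real classes and default ordering.

```python
import re

# Constructed, simplified subset of OpenSSL cipher suites with the keyword
# classes cipher-string syntax selects on (HIGH/MEDIUM, key exchange, cipher,
# MAC, minimum protocol). Hand-written; not OpenSSL's real table or ordering.
CIPHERS = [  # (name, key bits, keyword tags)
    ("ECDHE-RSA-AES256-GCM-SHA384", 256, {"TLSv1.2", "ECDHE", "AESGCM", "HIGH"}),
    ("ECDHE-RSA-AES256-SHA384", 256, {"TLSv1.2", "ECDHE", "AES", "SHA384", "HIGH"}),
    ("AES256-SHA256", 256, {"TLSv1.2", "kRSA", "AES", "SHA256", "HIGH"}),
    ("DHE-RSA-AES256-SHA", 256, {"TLSv1", "EDH", "AES", "SHA", "HIGH"}),
    ("ADH-AES256-SHA", 256, {"TLSv1", "aNULL", "AES", "SHA", "HIGH"}),
    ("AES256-SHA", 256, {"TLSv1", "kRSA", "AES", "SHA", "HIGH"}),
    ("DES-CBC3-SHA", 168, {"TLSv1", "kRSA", "3DES", "SHA", "HIGH"}),
    ("AES128-SHA", 128, {"TLSv1", "kRSA", "AES", "SHA", "HIGH"}),
    ("RC4-SHA", 128, {"TLSv1", "kRSA", "RC4", "SHA", "MEDIUM"}),
    ("RC4-MD5", 128, {"TLSv1", "kRSA", "RC4", "MD5", "MEDIUM"}),
    ("NULL-SHA", 0, {"TLSv1", "kRSA", "eNULL", "SHA"}),
]

def _matches(word, name, tags):
    # "A+B" requires every keyword; a bare suite name matches only itself.
    return all(part == name or part in tags for part in word.split("+"))

def expand(cipher_string):
    """Evaluate an OpenSSL-style cipher string token by token against CIPHERS.
    Separators are ':', ',' or whitespace. 'X' appends matches, '!X' removes
    them permanently, '-X' removes but allows re-adding, '+X' moves them to
    the end, and '@STRENGTH' sorts the current list by key bits."""
    chosen, killed = [], set()
    for token in filter(None, re.split(r"[:,\s]+", cipher_string.strip())):
        if token == "@STRENGTH":
            chosen.sort(key=lambda c: c[1], reverse=True)  # stable: ties keep order
            continue
        op, word = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [c for c in CIPHERS if _matches(word, c[0], c[2])]
        if op == "!":
            killed.update(c[0] for c in hits)
            chosen = [c for c in chosen if c[0] not in killed]
        elif op == "-":
            chosen = [c for c in chosen if c not in hits]
        elif op == "+":
            chosen = [c for c in chosen if c not in hits] + [c for c in chosen if c in hits]
        else:
            chosen += [c for c in hits if c[0] not in killed and c not in chosen]
    return [c[0] for c in chosen]

# The two cipher strings quoted in the report (lighttpd's default vs pfSense's).
LIGHTTPD_LIST = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
PFSENSE_LIST = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"
```

Calling expand() on each constant returns the ordered suite names that string selects under this model; note that, as in OpenSSL, the TLSv1 keyword only matches suites that are not TLS 1.2-specific, so the pfSense string never picks up the SHA256/SHA384 or ECDHE suites in the table.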
