Bug #2553

Updated by Jim Pingle over 11 years ago

After the recent lighttpd upgrade to 1.4.31, iOS clients have issues connecting with Safari (Chrome on iOS is OK) 

 Error on the iOS client is: 
 <pre> 
 Cannot Open Page 
 Safari cannot open the page because it could not establish a secure connection to the server. [OK] 
 </pre> 

 The error seems to be an issue with mobile Safari and self-signed certificates, or certificates in general. 

 In lighttpd's changelog (http://redmine.lighttpd.net/versions/28) they list this: 
 * ssl: disable client initiated renegotiations 
 * ssl: support mitigating BEAST attack 

 There is a knob for ssl.disable-client-renegotiation to enable/disable but toggling that in lighttpd didn't help the client connect at all. 

 The BEAST attack mitigation involved changing the cipher order. If I use the "old" or "new" value for ssl.ciphers it does connect: 
 http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2814/diff/branches/lighttpd-1.4.x/doc/config/lighttpd.conf 
 Works (theirs): 
 <pre> 
 ssl.ciphers                   = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM" 
 </pre> 

 Does not work (ours): 
 <pre> 
 ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH" 
 </pre> 

 Because we bumped lighty to fix those CVEs on both 2.0.x and 2.1, this affects both branches.
