Page with ssl doesn't open from safari
patjomkin
nginx-forum at nginx.us
Tue Jun 16 11:03:56 UTC 2015
I ran the test at https://www.ssllabs.com/ssltest/.
In the end, the only thing that worries me is "This site works only in browsers with SNI
support.", but newer versions of Safari support SNI, so the problem is most
likely not that. Please correct me if I am wrong.
Full log (maybe it will be more informative for someone else than it is for
me):
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade
capped to B. MORE INFO »
This site works only in browsers with SNI support.
Authentication
Server Key and Certificate #1
Common names www.mysite1.com
Alternative names www.mysite1.com mysite1.com sendy.mysite2.com
www.mysite3.com www.mysite4.com www.mysite5.com
Prefix handling Not required for subdomains
Valid from Mon, 11 May 2015 11:35:39 UTC
Valid until Thu, 11 May 2017 07:22:38 UTC (expires in 1 year and 10
months)
Key RSA 2048 bits (e 65537)
Weak key (Debian) No
Issuer Go Daddy Secure Certificate Authority - G2
Signature algorithm SHA256withRSA
Extended Validation No
Certificate Transparency No
Revocation information CRL, OCSP
Revocation status Good (not revoked)
Trusted Yes
Additional Certificates (if supplied)
Certificates provided 4 (4849 bytes)
Chain issues Contains anchor
#2
Subject Go Daddy Secure Certificate Authority - G2
Fingerprint: 27ac9369faf25207bb2627cefaccbe4ef9c319b8
Valid until Sat, 03 May 2031 07:00:00 UTC (expires in 15 years and 10
months)
Key RSA 2048 bits (e 65537)
Issuer Go Daddy Root Certificate Authority - G2
Signature algorithm SHA256withRSA
#3
Subject Go Daddy Root Certificate Authority - G2
Fingerprint: 340b2880f446fcc04e59ed33f52b3d08d6242964
Valid until Fri, 30 May 2031 07:00:00 UTC (expires in 15 years and 11
months)
Key RSA 2048 bits (e 65537)
Issuer The Go Daddy Group / Go Daddy Class 2 Certification Authority
Signature algorithm SHA256withRSA
#4
Subject The Go Daddy Group / Go Daddy Class 2 Certification Authority In
trust store
Fingerprint: 2796bae63f1801e277261ba0d77770028f20eee4
Valid until Thu, 29 Jun 2034 17:06:20 UTC (expires in 19 years)
Key RSA 2048 bits (e 3)
Issuer The Go Daddy Group / Go Daddy Class 2 Certification Authority
Self-signed
Signature algorithm SHA1withRSA Weak, but no impact on root certificate
Certification Paths
Path #1: Trusted
1 Sent by server www.mysite1.com
Fingerprint: b724f66443d14479640ea332fa3d92221625c2ca
RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server Go Daddy Secure Certificate Authority - G2
Fingerprint: 27ac9369faf25207bb2627cefaccbe4ef9c319b8
RSA 2048 bits (e 65537) / SHA256withRSA
3 In trust store Go Daddy Root Certificate Authority - G2 Self-signed
Fingerprint: 47beabc922eae80e78783462a79f45c254fde68b
RSA 2048 bits (e 65537) / SHA256withRSA
Path #2: Trusted
1 Sent by server www.mysite1.com
Fingerprint: b724f66443d14479640ea332fa3d92221625c2ca
RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server Go Daddy Secure Certificate Authority - G2
Fingerprint: 27ac9369faf25207bb2627cefaccbe4ef9c319b8
RSA 2048 bits (e 65537) / SHA256withRSA
3 Sent by server Go Daddy Root Certificate Authority - G2
Fingerprint: 340b2880f446fcc04e59ed33f52b3d08d6242964
RSA 2048 bits (e 65537) / SHA256withRSA
4 Sent by server
In trust store The Go Daddy Group / Go Daddy Class 2 Certification
Authority Self-signed
Fingerprint: 2796bae63f1801e277261ba0d77770028f20eee4
RSA 2048 bits (e 3) / SHA1withRSA
Weak or insecure signature, but no impact on root certificate
Configuration
Protocols
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2
suites always at the end)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq. 3072
bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH 256 bits (eq. 3072
bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits
RSA) FS 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits (p: 128, g: 1, Ys:
128) FS WEAK 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 1024 bits (p: 128, g: 1, Ys:
128) FS WEAK 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits (p: 128, g: 1, Ys:
128) FS WEAK 256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 1024 bits (p: 128, g: 1,
Ys: 128) FS WEAK 256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 256
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH 256 bits (eq. 3072 bits
RSA) FS 112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 1024 bits (p: 128, g: 1, Ys:
128) FS WEAK 112
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072
bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072
bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits
RSA) FS 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits (p: 128, g: 1, Ys:
128) FS WEAK 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 1024 bits (p: 128, g: 1, Ys:
128) FS WEAK 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits (p: 128, g: 1, Ys:
128) FS WEAK 128
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) DH 1024 bits (p: 128, g: 1,
Ys: 128) FS WEAK 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 128
Handshake Simulation
Android 2.3.7 No SNI 2 Incorrect certificate because this client doesn't
support SNI Fail2
Android 4.0.4 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS
256
Android 4.1.1 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS
256
Android 4.2.2 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS
256
Android 4.3 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS 256
Android 4.4.2 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS
256
Android 5.0.0 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS
256
Baidu Jan 2015 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS
256
BingPreview Jan 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(0xc030) FS 256
Chrome 42 / OS X R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
FS 256
Firefox 31.3.0 ESR / Win 7 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
(0xc014) FS 256
Firefox 37 / OS X R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
FS 256
Googlebot Feb 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
FS 256
IE 6 / XP No FS 1 No SNI 2 Protocol or cipher suite mismatch Fail3
IE 7 / Vista TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS
256
IE 8 / XP No FS 1 No SNI 2 Incorrect certificate because this client
doesn't support SNI Fail2
IE 8-10 / Win 7 R TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
FS 256
IE 11 / Win 7 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
FS 256
IE 11 / Win 8.1 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
FS 256
IE Mobile 10 / Win Phone 8.0 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
(0xc014) FS 256
IE Mobile 11 / Win Phone 8.1 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
(0xc028) FS 256
Java 6u45 No SNI 2 Incorrect certificate because this client doesn't
support SNI Fail2
Java 7u25 TLS 1.0 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) FS 112
Java 8u31 TLS 1.2 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) FS 112
OpenSSL 0.9.8y TLS 1.0 TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) FS 256
OpenSSL 1.0.1l R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
FS 256
OpenSSL 1.0.2 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
FS 256
Safari 5.1.9 / OS X 10.6.8 TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
(0xc014) FS 256
Safari 6 / iOS 6.0.1 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
(0xc028) FS 256
Safari 6.0.4 / OS X 10.8.4 R TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
(0xc014) FS 256
Safari 7 / iOS 7.1 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
(0xc028) FS 256
Safari 7 / OS X 10.9 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
(0xc028) FS 256
Safari 8 / iOS 8.1.2 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
(0xc028) FS 256
Safari 8 / OS X 10.10 R TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
(0xc028) FS 256
Yahoo Slurp Jan 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(0xc030) FS 256
YandexBot Jan 2015 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
FS 256
(1) Clients that do not support Forward Secrecy (FS) are excluded when
determining support for it.
(2) No support for virtual SSL hosting (SNI). Connects to the default site
if the server uses SNI.
(3) Only first connection attempt simulated. Browsers tend to retry with a
lower protocol version.
(R) Denotes a reference browser or client, with which we expect better
effective security.
(All) We use defaults, but some platforms do not use their best protocols
and features (e.g., Java 6 & 7, older IE).
Protocol Details
Secure Renegotiation Supported
Secure Client-Initiated Renegotiation No
Insecure Client-Initiated Renegotiation No
BEAST attack Not mitigated server-side (more info) TLS 1.0: 0xc014
POODLE (SSLv3) No, SSL 3 not supported (more info)
POODLE (TLS) No (more info)
Downgrade attack prevention No, TLS_FALLBACK_SCSV not supported (more
info)
TLS compression No
RC4 No
Heartbeat (extension) Yes
Heartbleed (vulnerability) No (more info)
OpenSSL CCS vuln. (CVE-2014-0224) No (more info)
Forward Secrecy Yes (with most browsers) ROBUST (more info)
Next Protocol Negotiation (NPN) Yes http/1.1
Session resumption (caching) No (IDs assigned but not accepted)
Session resumption (tickets) Yes
OCSP stapling No
Strict Transport Security (HSTS) No
Public Key Pinning (HPKP) No
Long handshake intolerance No
TLS extension intolerance No
TLS version intolerance No
Incorrect SNI alerts -
Uses common DH prime Yes Replace with custom DH parameters if possible
(more info)
SSL 2 handshake compatibility Yes
Miscellaneous
Test date Tue, 16 Jun 2015 10:54:02 UTC
Test duration 98.530 seconds
HTTP status code 200
HTTP server signature nginx/1.8.0
Posted at Nginx Forum: http://forum.nginx.org/read.php?21,259638,259646#msg-259646