Page with ssl doesn't open from safari

patjomkin nginx-forum at nginx.us
Tue Jun 16 11:03:56 UTC 2015


Запустил тест https://www.ssllabs.com/ssltest/. 
В итоге настораживает только "This site works only in browsers with SNI
support." но новые версии safari  поддерживают sni, т.е. проблема быстрее
всего не в этом. Поправьте пожалуйста, если я заблуждаюсь

Полный лог (может для кого-нибудь он будет более информативным, чем для
меня):

Visit our documentation page for more information, configuration guides, and
books. Known issues are documented here.
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade
capped to B.   MORE INFO »
This site works only in browsers with SNI support.


Authentication
Server Key and Certificate #1
Common names 	www.mysite1.com
Alternative names 	www.mysite1.com mysite1.com sendy.mysite2.com
www.mysite3.com www.mysite4.com www.mysite5.com
Prefix handling 	Not required for subdomains
Valid from 	Mon, 11 May 2015 11:35:39 UTC
Valid until 	Thu, 11 May 2017 07:22:38 UTC (expires in 1 year and 10
months)
Key 	RSA 2048 bits (e 65537)
Weak key (Debian) 	No
Issuer		Go Daddy Secure Certificate Authority - G2	
Signature algorithm 	SHA256withRSA
Extended Validation 	No
Certificate Transparency 	No
Revocation information 	CRL, OCSP
Revocation status 	Good (not revoked)
Trusted 	Yes	


Additional Certificates (if supplied)
Certificates provided 	4 (4849 bytes)
Chain issues 	Contains anchor
#2
Subject 	Go Daddy Secure Certificate Authority - G2
Fingerprint: 27ac9369faf25207bb2627cefaccbe4ef9c319b8
Valid until 	Sat, 03 May 2031 07:00:00 UTC (expires in 15 years and 10
months)
Key		RSA 2048 bits (e 65537)
Issuer 	Go Daddy Root Certificate Authority - G2	
Signature algorithm 	SHA256withRSA
#3
Subject 	Go Daddy Root Certificate Authority - G2
Fingerprint: 340b2880f446fcc04e59ed33f52b3d08d6242964
Valid until 	Fri, 30 May 2031 07:00:00 UTC (expires in 15 years and 11
months)
Key		RSA 2048 bits (e 65537)
Issuer 	The Go Daddy Group / Go Daddy Class 2 Certification Authority	
Signature algorithm 	SHA256withRSA
#4
Subject		The Go Daddy Group / Go Daddy Class 2 Certification Authority   In
trust store
Fingerprint: 2796bae63f1801e277261ba0d77770028f20eee4
Valid until 	Thu, 29 Jun 2034 17:06:20 UTC (expires in 19 years)
Key		RSA 2048 bits (e 3)
Issuer 	The Go Daddy Group / Go Daddy Class 2 Certification Authority  
Self-signed	
Signature algorithm 	SHA1withRSA   Weak, but no impact on root certificate


Certification Paths
Path #1: Trusted
1 	Sent by server 	www.mysite1.com
Fingerprint: b724f66443d14479640ea332fa3d92221625c2ca
RSA 2048 bits (e 65537) / SHA256withRSA
2 	Sent by server 	Go Daddy Secure Certificate Authority - G2
Fingerprint: 27ac9369faf25207bb2627cefaccbe4ef9c319b8
RSA 2048 bits (e 65537) / SHA256withRSA
3 	In trust store 	Go Daddy Root Certificate Authority - G2   Self-signed	
Fingerprint: 47beabc922eae80e78783462a79f45c254fde68b
RSA 2048 bits (e 65537) / SHA256withRSA
Path #2: Trusted
1 	Sent by server 	www.mysite1.com
Fingerprint: b724f66443d14479640ea332fa3d92221625c2ca
RSA 2048 bits (e 65537) / SHA256withRSA
2 	Sent by server 	Go Daddy Secure Certificate Authority - G2
Fingerprint: 27ac9369faf25207bb2627cefaccbe4ef9c319b8
RSA 2048 bits (e 65537) / SHA256withRSA
3 	Sent by server 	Go Daddy Root Certificate Authority - G2
Fingerprint: 340b2880f446fcc04e59ed33f52b3d08d6242964
RSA 2048 bits (e 65537) / SHA256withRSA
4 	Sent by server
In trust store 	The Go Daddy Group / Go Daddy Class 2 Certification
Authority   Self-signed	
Fingerprint: 2796bae63f1801e277261ba0d77770028f20eee4
RSA 2048 bits (e 3) / SHA1withRSA
Weak or insecure signature, but no impact on root certificate
Configuration
Protocols
TLS 1.2 	Yes	
TLS 1.1 	Yes
TLS 1.0 	Yes
SSL 3 	No	
SSL 2 	No


Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2
suites always at the end)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH 256 bits (eq. 3072
bits RSA)   FS 	256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH 256 bits (eq. 3072
bits RSA)   FS 	256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH 256 bits (eq. 3072 bits
RSA)   FS 	256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits (p: 128, g: 1, Ys:
128)   FS   WEAK 	256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 1024 bits (p: 128, g: 1, Ys:
128)   FS   WEAK 	256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits (p: 128, g: 1, Ys:
128)   FS   WEAK 	256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)   DH 1024 bits (p: 128, g: 1,
Ys: 128)   FS   WEAK 	256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 	256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 	256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 	256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 	256
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH 256 bits (eq. 3072 bits
RSA)   FS 	112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 1024 bits (p: 128, g: 1, Ys:
128)   FS   WEAK 	112
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 	112
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH 256 bits (eq. 3072
bits RSA)   FS 	128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH 256 bits (eq. 3072
bits RSA)   FS 	128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH 256 bits (eq. 3072 bits
RSA)   FS 	128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits (p: 128, g: 1, Ys:
128)   FS   WEAK 	128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 1024 bits (p: 128, g: 1, Ys:
128)   FS   WEAK 	128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys:
128)   FS   WEAK 	128
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)   DH 1024 bits (p: 128, g: 1,
Ys: 128)   FS   WEAK 	128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 	128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 	128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 	128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 	128


Handshake Simulation
Android 2.3.7   No SNI 2		Incorrect certificate because this client doesn't
support SNI 	Fail2
Android 4.0.4 	TLS 1.0 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS
	256
Android 4.1.1 	TLS 1.0 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS
	256
Android 4.2.2 	TLS 1.0 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS
	256
Android 4.3 	TLS 1.0 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 	256
Android 4.4.2 	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   FS
	256
Android 5.0.0 	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS
	256
Baidu Jan 2015 	TLS 1.0 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS
	256
BingPreview Jan 2015 	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(0xc030)   FS 	256
Chrome 42 / OS X  R		TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)  
FS 	256
Firefox 31.3.0 ESR / Win 7 	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
(0xc014)   FS 	256
Firefox 37 / OS X  R		TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)  
FS 	256
Googlebot Feb 2015 	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)  
FS 	256
IE 6 / XP   No FS 1	  No SNI 2		Protocol or cipher suite mismatch 	Fail3
IE 7 / Vista 	TLS 1.0 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS
	256
IE 8 / XP   No FS 1	  No SNI 2		Incorrect certificate because this client
doesn't support SNI 	Fail2
IE 8-10 / Win 7  R		TLS 1.0 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)  
FS 	256
IE 11 / Win 7  R		TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)  
FS 	256
IE 11 / Win 8.1  R		TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) 
 FS 	256
IE Mobile 10 / Win Phone 8.0 	TLS 1.0 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
(0xc014)   FS 	256
IE Mobile 11 / Win Phone 8.1 	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
(0xc028)   FS 	256
Java 6u45   No SNI 2		Incorrect certificate because this client doesn't
support SNI 	Fail2
Java 7u25 	TLS 1.0 	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   FS 	112
Java 8u31 	TLS 1.2 	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   FS 	112
OpenSSL 0.9.8y 	TLS 1.0 	TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   FS 	256
OpenSSL 1.0.1l  R		TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)  
FS 	256
OpenSSL 1.0.2  R		TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)  
FS 	256
Safari 5.1.9 / OS X 10.6.8 	TLS 1.0 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
(0xc014)   FS 	256
Safari 6 / iOS 6.0.1  R		TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
(0xc028)   FS 	256
Safari 6.0.4 / OS X 10.8.4  R		TLS 1.0 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
(0xc014)   FS 	256
Safari 7 / iOS 7.1  R		TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
(0xc028)   FS 	256
Safari 7 / OS X 10.9  R		TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
(0xc028)   FS 	256
Safari 8 / iOS 8.1.2  R		TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
(0xc028)   FS 	256
Safari 8 / OS X 10.10  R		TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
(0xc028)   FS 	256
Yahoo Slurp Jan 2015 	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(0xc030)   FS 	256
YandexBot Jan 2015 	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) 
 FS 	256
(1) Clients that do not support Forward Secrecy (FS) are excluded when
determining support for it.
(2) No support for virtual SSL hosting (SNI). Connects to the default site
if the server uses SNI.
(3) Only first connection attempt simulated. Browsers tend to retry with a
lower protocol version.
(R) Denotes a reference browser or client, with which we expect better
effective security.
(All) We use defaults, but some platforms do not use their best protocols
and features (e.g., Java 6 & 7, older IE).


Protocol Details
Secure Renegotiation 	Supported
Secure Client-Initiated Renegotiation 	No	
Insecure Client-Initiated Renegotiation 	No	
BEAST attack 	Not mitigated server-side (more info)   TLS 1.0: 0xc014
POODLE (SSLv3) 	No, SSL 3 not supported (more info)
POODLE (TLS) 	No (more info)
Downgrade attack prevention 	No, TLS_FALLBACK_SCSV not supported (more
info)
TLS compression 	No	
RC4 	No	
Heartbeat (extension) 	Yes
Heartbleed (vulnerability) 	No (more info)
OpenSSL CCS vuln. (CVE-2014-0224) 	No (more info)
Forward Secrecy 	Yes (with most browsers)   ROBUST (more info)	
Next Protocol Negotiation (NPN) 	Yes   http/1.1
Session resumption (caching) 	No (IDs assigned but not accepted)
Session resumption (tickets) 	Yes	
OCSP stapling 	No	
Strict Transport Security (HSTS) 	No
Public Key Pinning (HPKP) 	No
Long handshake intolerance 	No
TLS extension intolerance 	No
TLS version intolerance 	No
Incorrect SNI alerts 	-
Uses common DH prime 	Yes   Replace with custom DH parameters if possible
(more info)
SSL 2 handshake compatibility 	Yes


Miscellaneous
Test date 	Tue, 16 Jun 2015 10:54:02 UTC
Test duration 	98.530 seconds	
HTTP status code 	200
HTTP server signature 	nginx/1.8.0

Posted at Nginx Forum: http://forum.nginx.org/read.php?21,259638,259646#msg-259646



Подробная информация о списке рассылки nginx-ru