[Resolved] LS 5.0 stable protocol error with ssl sites

Status
Not open for further replies.

wanah

Well-Known Member
#1
Hello,

Just switched to LS 5.0, but SSL sites stopped working, giving a protocol error in Safari 8.05 and redirecting to the HTTP version in Firefox.

The error shown in the browser was:
Code:
NSPOSIXErrorDomain:100
I've switched back to 4.2 while waiting for this to be fixed.
 

wanah

Well-Known Member
#2
Do we have to set specific ciphers for HTTP/2 to work? Could it be because I'm using a SPDY-compatible browser that HTTPS isn't working with LiteSpeed 5.0?
 

mistwang

LiteSpeed Staff
#3
Please tell us more details about the browsers; we will try to reproduce it ourselves.
Chrome is strict with ciphers when HTTP/2 is used; the error message tells you that. But if a browser does not support HTTP/2 and only supports SPDY, SPDY will be used.
 

wanah

Well-Known Member
#4
Safari is Version 8.0.5 (10600.5.17), Firefox is 37.0.1

Both on Mac OS Yosemite.

I haven't tested on other browsers; as both Firefox and Safari seemed to find a protocol error, I presumed this would affect all browsers.
 

wanah

Well-Known Member
#5
I've got a bit more info.

Just tried 5.0 with the latest version of Chrome.

I get:
Code:
ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY
Does this mean I'm missing a cipher or something like that?
 

wanah

Well-Known Member
#6
I've just tried changing ciphers for the same ones I use on an nginx server with SPDY enabled, but I get the same error, so I don't think it's a cipher issue.
 

wanah

Well-Known Member
#7
Any news about this?

While I guess your developers are working hard to reproduce and fix this issue, it would be nice to have some confirmation that it is being worked upon. Something like "thanks for the info, we have forwarded the info to our developers…" would have been nice.

And sorry about being impatient :) Can't wait to give your LiteMage cache a try and announce that we now have HTTP/2 support.
 

wanah

Well-Known Member
#9
SSLv3 now shows as correctly disabled with nmap, but the pages still don't show.
ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY in Chrome and NSPOSIXErrorDomain:100 in Safari.
 

mistwang

LiteSpeed Staff
#10
To use HTTP/2, you need to make sure the cipher
ECDHE-RSA-AES128-GCM-SHA256

is the first one in your cipher configuration.

Our default is
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SSLv2:!EXP:!PSK:!SRP:!DSSTLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
It works for HTTP2.
 

wanah

Well-Known Member
#12
Hello,

I was testing on a website with Piwik; this doesn't seem to happen on other websites.

I found this:
Code:
http://forum.piwik.org/read.php?2,121502
But it doesn't give any information about why; it just confirms that it also happens with nginx + SPDY.
 

theRKF

Well-Known Member
#13
Upgraded to 5.0, also getting the ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY error in Chrome (we are using the recommended cipher settings as posted earlier).

Rolling back to 4.2.23 for now, until I can figure out the issue.
 
#14
Hi,

I had the same issue with SPDY, updated the cipher to the following.
Code:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
Now no more issue with SPDY.
Source: https://wiki.mozilla.org/Security/Server_Side_TLS
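
An added illustration (not part of the thread and not LiteSpeed code) of why the order of the cipher list discussed in posts #10 and #14 matters: RFC 7540 lets an HTTP/2 client reject a connection whose negotiated TLS 1.2 suite lacks ephemeral key exchange or an AEAD cipher, which Chrome reports as ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY. The function names and cipher lists are constructed for the example, and it assumes the server enforces its own preference order.

```python
# Added example; the cipher lists below are constructed, not captured from a server.
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")

def h2_acceptable(name):
    """RFC 7540 Appendix A criterion applied to a TLS 1.2 OpenSSL suite name:
    ephemeral (EC)DHE key exchange combined with an AEAD cipher."""
    ephemeral = name.startswith(("ECDHE-", "DHE-"))
    return ephemeral and any(marker in name for marker in AEAD_MARKERS)

def negotiate(server_pref, client_offer):
    """Suite selected when the server enforces its own order (assumption)."""
    offered = set(client_offer)
    return next((c for c in server_pref if c in offered), None)

def audit(server_pref, client_offer):
    """Report the negotiated suite and whether an HTTP/2 client would accept it."""
    chosen = negotiate(server_pref, client_offer)
    # Suites ranked above the first HTTP/2-safe suite: a client offering any
    # of these lands on it instead of the safe suite further down the list.
    ahead = []
    for suite in server_pref:
        if h2_acceptable(suite):
            break
        ahead.append(suite)
    return {"chosen": chosen,
            "h2_ok": chosen is not None and h2_acceptable(chosen),
            "ranked_ahead_of_safe": ahead}

# Constructed browser-like offer.
CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "AES128-SHA"]
# Constructed server list with a CBC suite ranked first.
BAD_ORDER = ["ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]
# Same suites with the GCM suite from post #10 moved to the front.
GOOD_ORDER = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "AES128-SHA"]

if __name__ == "__main__":
    for label, pref in (("CBC first", BAD_ORDER), ("GCM first", GOOD_ORDER)):
        print(label, audit(pref, CLIENT))
```

The input must be an expanded, ordered list of suite names, such as the output of `openssl ciphers` for the configured string, not the unexpanded rule string itself.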
 
#15
We have just rolled back after experiencing similar problems - SSL sites not working in Safari 8, mobile Safari, or Firefox. We updated to LS 5 a few days ago, updated to a patch a couple of days ago, then updated to the build 2 this morning. We did not notice any issues of this sort until this morning so for us at least the problem seemed to have started with the most recent update.
 