Want more timely Centmin Mod News Updates?
Become a Member

Nginx [nginx-announce] nginx-1.9.12

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Feb 25, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    45,972
    10,444
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,206
    Local Time:
    6:57 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
  2. eva2000

    eva2000 Administrator Staff Member

    45,972
    10,444
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,206
    Local Time:
    6:57 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    official centminmod.com geo dns cluster of 16+ servers has also been updated and as i use lua nginx module have to enable that too

    in my /etc/centminmod/custom_config.inc
    Code:
    NGINX_LIBBROTLI=y
    NGXDYNAMIC_NGXPAGESPEED=y
    NGINX_PAGESPEED=y
    NGXPGSPEED_VER='1.10.33.5-beta'
    NGINX_PAGESPEEDPSOL_VER='1.10.33.5'
    ORESTY_LUANGINX='y'
    ORESTY_LUANGINXVER='0.10.1rc1'
    Nginx 1.9.12 upgrade times via centmin.sh menu option 4 varied due to type and speed of VPS hardware used and ranged from

    fastest
    Code:
    Total Nginx Upgrade Time: 185.179514248 seconds
    to slowest was my buyvm.net 512MB KVM VPS heh
    Code:
    Total Nginx Upgrade Time: 534.352153516 seconds
    End result

    for CentOS 7.2 based VPSes
    for CentOS 6.7 based VPSes
     
  3. Revenge

    Revenge Active Member

    459
    93
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +350
    Local Time:
    8:57 PM
    1.9.x
    10.1.x
    In Centos 7.2 vos's, any reason you are using GCC instead of Clang?
     
  4. eva2000

    eva2000 Administrator Staff Member

    45,972
    10,444
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,206
    Local Time:
    6:57 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    well the relatively short answer is
    • ngx_pagespeed 1.9 branch is not compatible with nginx 1.9.11 dynamic mod changes
    • ngx_pagespeed 1.10 branch is compatible with nginx 1.9.11
    • ngx_pagespeed 1.10 doesn't work with Clang properly see 1.10.33.1-beta clang compile errors ยท Issue #1079 and nginx 1.9.9 not shutting down properly when on 1.10.33.2-beta
    • but ngx_pagespeed 1.10 and ngx_brotli module require and only work properly with GCC >4.8 version (see Nginx PageSpeed - Nginx Pagespeed 1.10.x betas coming. So for only Nginx compiles on Centmin Mod LEMP stack's centmin.sh menu, CentOS 7.2 uses native GCC 4.8.5 and CentOS 6.7 uses devtoolset-3 provided GCC 4.9.1 as CentOS 6.x GCC 4.4.7 version is too low.
    • when ngx_pagespeed 1.10 version is detected by centmin mod, it automatically switches Nginx compiles from Clang to GCC itself. If ngx_pagespeed is disabled, centmin mod detects ngx_pagespeed isn't used so auto switches Nginx compiles back from GCC to Clang
     
    Last edited: Feb 25, 2016
  5. Revenge

    Revenge Active Member

    459
    93
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +350
    Local Time:
    8:57 PM
    1.9.x
    10.1.x
    @eva2000 last question ;)
    You are using openssl__chacha20_poly1305_cf.patch and not openssl__chacha20_poly1305_draft_and_rfc_ossl102f.patch, any reason for that?
     
  6. eva2000

    eva2000 Administrator Staff Member

    45,972
    10,444
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,206
    Local Time:
    6:57 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    previous had openssl__chacha20_poly1305_draft_and_rfc_ossl102f.patch but it didn't patch successfully on openssl 1.0.2f so switched back for now
     
  7. Revenge

    Revenge Active Member

    459
    93
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +350
    Local Time:
    8:57 PM
    1.9.x
    10.1.x
    Strange. I have downloaded 1.0.2f from the official site and applied that patch. It worked without errors.
    SSLabs shows chacha20 without the old_, so it worked. Also chacha now only shows in mobile, which is good.
     
  8. eva2000

    eva2000 Administrator Staff Member

    45,972
    10,444
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,206
    Local Time:
    6:57 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    weird indeed.. could be my /usr/bin/nv bug not openssl will try updating 123.09beta01 with the newer patch again :)
     
  9. eva2000

    eva2000 Administrator Staff Member

    45,972
    10,444
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,206
    Local Time:
    6:57 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    maybe it's just me, but on this forum updated to 1.9.12 it seems slightly so faster maybe due to HTTP/2 header compression ?
    Code:
    *) Feature: Huffman encoding of response headers in HTTP/2.
    Thanks to Vlad Krasnov.
     
  10. rdan

    rdan Well-Known Member

    5,018
    1,219
    113
    May 25, 2014
    Ratings:
    +1,847
    Local Time:
    4:57 AM
    Mainline
    10.2
    Done, Thanks Eva!
     
  11. eva2000

    eva2000 Administrator Staff Member

    45,972
    10,444
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,206
    Local Time:
    6:57 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x

    More updates to Centmin Mod Code



    Re-run centmin.sh menu option 4 for nginx 1.9.12 for this forum on Centmin Mod 123.09beta01 with the newer cloudflare chacha20 patch as outlined by @Revenge to be working Nginx - [nginx-announce] nginx-1.9.12 | Page 2 | Centmin Mod Community and a few fixes up in 123.08stable and 123.09beta01 Beta Branch - update inc/nginx_upgrade.inc | Centmin Mod Community :)

    Basically due to OpenSSL 1.0.2 much longer compile time, i setup Centmin Mod to only recompile OpenSSL itself when the version number in centmin.sh differed from one currently compiled in Nginx server itself. But if you're switching to a patched OpenSSL 1.0.2f you never get to use the patch as the version number in centmin.sh and Nginx are the same. So switched off the skipping so OpenSSL 1.0.2f is compiled everytime so Nginx can pick up the Cloudflare chacha20 patches to OpenSSL :)

    looks good on the forums now SSL Server Test: community.centminmod.com (Powered by Qualys SSL Labs) using newer chacha20

    upload_2016-2-25_9-58-0.png

    but not being picked up by Chrome for Android 5 ?

    upload_2016-2-25_9-58-39.png

    Ah newer cloudflare patch has a new ssl cipher option need to add to nginx vhost!
    Code:
    EECDH+CHACHA20:EECDH+CHACHA20-draft:
    so more updates to come

    upload_2016-2-25_10-5-10.png

    might need to reverse the order of those new ssl ciphers

    strange even if i reverse the order Android 5 picks up older chacha20 ciphers
    Code:
    ssl_ciphers     EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5:!RC4:!3DES;
    Updated 123.09beta01 nginx ssl vhost templates Beta Branch - update nginx vhost template routine for chacha20 draft ciphers | Centmin Mod Community
     
    Last edited: Feb 25, 2016
  12. Revenge

    Revenge Active Member

    459
    93
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +350
    Local Time:
    8:57 PM
    1.9.x
    10.1.x
    @eva2000 im using chacha in the top with this order:
    Code:
      ssl_ciphers        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:
    SSLabs also says that Android 5.0 uses AES128, but i enter the site with my smartphone using Android 5.1, and it uses chacha20. So this seems an issue with SSLabs. That, or there is a diference between 5.0 and 5.1.
     
  13. eva2000

    eva2000 Administrator Staff Member

    45,972
    10,444
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,206
    Local Time:
    6:57 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Ah must be Android 5.1+ only for newer chacha20 draft version ? Chrome on Android 5.1.x doesn't show draft or old tag just chacha20_poly1305. Checked on my Samsung Galaxy S2 with Cyanogen Mod 5.1.x and shows chacha20_poly1305 but no indication of it being draft or old version

    upload_2016-2-25_10-35-56.png
     
  14. Revenge

    Revenge Active Member

    459
    93
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +350
    Local Time:
    8:57 PM
    1.9.x
    10.1.x
    Ok, SSLabs now says that Android 5.0 is using chacha20.
    The change i made: ssl_ciphers "EECDH+CHACHA20-draft:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:
     
  15. eva2000

    eva2000 Administrator Staff Member

    45,972
    10,444
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,206
    Local Time:
    6:57 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    but OLD_ or new draft ?
     
  16. eva2000

    eva2000 Administrator Staff Member

    45,972
    10,444
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,206
    Local Time:
    6:57 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
  17. Sunka

    Sunka Well-Known Member

    1,145
    315
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +512
    Local Time:
    9:57 PM
    Nginx 1.17.9
    MariaDB 10.3.22
    uhhh, regarding this post...
    I have:
    Code:
    # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
      ssl_prefer_server_ciphers   on;
    So only one (1) instance of:
    Code:
    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:
    So to remove that and paste EECDH+CHACHA20-draft:EECDH+CHACHA20:

    So it will look like this:
    Code:
    # mozilla recommended
      ssl_ciphers EECDH+CHACHA20-draft:EECDH+CHACHA20:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
      ssl_prefer_server_ciphers   on;
     
  18. eva2000

    eva2000 Administrator Staff Member

    45,972
    10,444
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,206
    Local Time:
    6:57 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    @Sunka yup correct with nginx restart should be good :D
     
  19. Sunka

    Sunka Well-Known Member

    1,145
    315
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +512
    Local Time:
    9:57 PM
    Nginx 1.17.9
    MariaDB 10.3.22
    Done and restart, my forum is still alive (y)

     

    Attached Files:

  20. eva2000

    eva2000 Administrator Staff Member

    45,972
    10,444
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,206
    Local Time:
    6:57 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Looks good.

    Updated my centminmod.com sites to latest 123.09beta01 fixed patches too and ssllab shows Android using old chacha20

    cipherscan doesn't show much
    Code:
    cipherscan centminmod.com:443
    ......................
    Target: centminmod.com:443
    
    prio  ciphersuite                  protocols              pubkey_size  signature_algoritm       trusted  ticket_hint  ocsp_staple  pfs                 curves      curves_ordering
    1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         ECDH,P-256,256bits  prime256v1  server
    2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         ECDH,P-256,256bits  prime256v1  server
    3     ECDHE-RSA-AES128-SHA256      TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         ECDH,P-256,256bits  prime256v1  server
    4     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     3600         True         ECDH,P-256,256bits  prime256v1  server
    5     AES128-GCM-SHA256            TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         None                None        server
    6     AES128-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         None                None        server
    7     AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     3600         True         None                None        server
    8     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                2048         sha256WithRSAEncryption  True     3600         False        ECDH,P-256,256bits  prime256v1  server
    9     ECDHE-RSA-AES256-SHA384      TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         ECDH,P-256,256bits  prime256v1  server
    10    ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     3600         True         ECDH,P-256,256bits  prime256v1  server
    11    AES256-GCM-SHA384            TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         None                None        server
    12    AES256-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         None                None        server
    13    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     3600         True         None                None        server
    
    OCSP stapling: supported
    Cipher ordering: server
    Curves ordering: server - fallback: no
    Server supports secure renegotiation
    Server supported compression methods: NONE
    TLS Tolerance: yes
    testssl tests
    Code:
    testssl centminmod.com:443
    Code:
     Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)
    
    SSLv2      not offered (OK)
    SSLv3      not offered (OK)
    TLS 1      offered
    TLS 1.1    offered
    TLS 1.2    offered (OK)
    SPDY/NPN   h2, http/1.1 (advertised)
    HTTP2/ALPN h2, http/1.1 (offered)
    
    Testing ~standard cipher lists
    
    Null Ciphers                 not offered (OK)
    Anonymous NULL Ciphers       not offered (OK)
    Anonymous DH Ciphers         not offered (OK)
    40 Bit encryption            not offered (OK)
    56 Bit encryption            not offered (OK)
    Export Ciphers (general)     not offered (OK)
    Low (<=64 Bit)               not offered (OK)
    DES Ciphers                  not offered (OK)
    Medium grade encryption      not offered (OK)
    Triple DES Ciphers           not offered (OK)
    High grade encryption        offered (OK)
    Code:
    Testing server preferences
    
    Has server cipher order?     yes (OK)
    Negotiated protocol          TLSv1.2
    Negotiated cipher            ECDHE-RSA-CHACHA20-POLY1305, 256 bit ECDH
    Cipher order
         TLSv1:     ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA
         TLSv1.1:   ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA
         TLSv1.2:   ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA
         h2:        ECDHE-RSA-CHACHA20-POLY1305 AES128-GCM-SHA256 AES128-SHA256 AES128-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA
         http/1.1:  ECDHE-RSA-CHACHA20-POLY1305 AES128-GCM-SHA256 AES128-SHA256 AES128-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA 
    testssl picks up old xcc13 chacha20 too instead of newer xcca8 chacha20 ciphers
    Code:
     Testing all 183 locally available ciphers against the server, ordered by encryption strength
    
    Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits
    -------------------------------------------------------------------------
    xcc13   ECDHE-RSA-CHACHA20-POLY1305    ECDH 256   ChaCha20   256        
    xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH 256   AESGCM     256        
    xc028   ECDHE-RSA-AES256-SHA384        ECDH 256   AES        256        
    xc014   ECDHE-RSA-AES256-SHA           ECDH 256   AES        256        
    x9d     AES256-GCM-SHA384              RSA        AESGCM     256        
    x3d     AES256-SHA256                  RSA        AES        256        
    x35     AES256-SHA                     RSA        AES        256        
    xc02f   ECDHE-RSA-AES128-GCM-SHA256    ECDH 256   AESGCM     128        
    xc027   ECDHE-RSA-AES128-SHA256        ECDH 256   AES        128        
    xc013   ECDHE-RSA-AES128-SHA           ECDH 256   AES        128        
    x9c     AES128-GCM-SHA256              RSA        AESGCM     128        
    x3c     AES128-SHA256                  RSA        AES        128        
    x2f     AES128-SHA                     RSA        AES        128  
    Code:
     Running browser simulations (experimental)
    
    Android 2.3.7                 TLSv1 AES128-SHA
    Android 4.0.4                 TLSv1 ECDHE-RSA-AES128-SHA
    Android 4.1.1                 TLSv1 ECDHE-RSA-AES128-SHA
    Android 4.2.2                 TLSv1 ECDHE-RSA-AES128-SHA
    Android 4.3                   TLSv1.0 ECDHE-RSA-AES128-SHA
    Android 4.4.2                 TLSv1.1 ECDHE-RSA-AES128-SHA
    Android 5.0.0                 TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305
    Baidu Jan 2015                TLSv1 ECDHE-RSA-AES128-SHA
    BingPreview Jan 2015          TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
    Chrome 47 / OSX               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
    Firefox 31.3.0ESR / Win7      TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
    Firefox 42 / OSX              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
    GoogleBot Feb 2015            TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
    IE6 / XP                      No connection
    IE7 / Vista                   TLSv1.0 ECDHE-RSA-AES128-SHA
    IE8 / XP                      No connection
    IE8-10 / Win7                 TLSv1.0 ECDHE-RSA-AES128-SHA
    IE11 / Win7                   TLSv1.2 ECDHE-RSA-AES128-SHA256
    IE11 / Win8.1                 TLSv1.2 ECDHE-RSA-AES128-SHA256
    IE10 / Win Phone 8.0          TLSv1.0 ECDHE-RSA-AES128-SHA
    IE11 / Win Phone 8.1          TLSv1.2 ECDHE-RSA-AES128-SHA256
    IE11 / Win Phone 8.1 Update   TLSv1.2 ECDHE-RSA-AES128-SHA256
    IE11 / Win10                  TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
    Edge 13 / Win10               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
    Edge 12 / Win Phone 10        TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
    Java 6u45                     TLSv1 AES128-SHA
    Java 7u25                     TLSv1 ECDHE-RSA-AES128-SHA
    Java 8u31                     TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
    OpenSSL 0.9.8y                TLSv1 AES128-SHA
    OpenSSL 1.0.1l                TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
    OpenSSL 1.0.2                 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
    Safari 5.1.9/ OSX 10.6.8      TLSv1 ECDHE-RSA-AES128-SHA
    Safari 6 / iOS 6.0.1          TLSv1.2 ECDHE-RSA-AES128-SHA256
    Safari 6.0.4/ OS X 10.8.4     TLSv1 ECDHE-RSA-AES128-SHA
    Safari 7 / iOS 7.1            TLSv1.2 ECDHE-RSA-AES128-SHA256
    Safari 7 / OS X 10.9          TLSv1.2 ECDHE-RSA-AES128-SHA256
    Safari 8 / iOS 8.4            TLSv1.2 ECDHE-RSA-AES128-SHA256
    Safari 8 / OS X 10.10         TLSv1.2 ECDHE-RSA-AES128-SHA256
    Safari 9 / iOS 9              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
    Safari 9 / OS X 10.11         TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256