SSL Safari can’t establish a secure connection to the server

Discussion in 'Domains, DNS, Email & SSL Certificates' started by adamus007p, Feb 22, 2023.

  1. adamus007p

    adamus007p Member

  2. eva2000

    eva2000 Administrator Staff Member

  3. adamus007p

    adamus007p Member

    My results:

    upload_2023-2-22_15-3-32.png

    and in attachment in PDF I attach the 1st results.



    I see George that there is the same problem with your blog.

    upload_2023-2-22_15-0-31.png
     

  4. eva2000

    eva2000 Administrator Staff Member

    Click on one of those listed IPs for actual results

    But for my blog interesting. What version of Safari? Device used?
     
  5. adamus007p

    adamus007p Member

    I have clicked on it and I sent a PDF file.

    I use old Safari 5.1.7 (7534.57.2)


    I was also testing it with

    Safari 15.6 - the same situation, does not work

    Safari 16 - it works OK
     

    Last edited: Feb 23, 2023
  6. eva2000

    eva2000 Administrator Staff Member

    Is this on the same device or different devices? Cloudflare forums might have clues.

    Do you have Cloudflare minimum TLS version set to 1.2? That might be why, but I have that set on centminmod.com, community.centminmod.com and blog.centminmod.com, so you should have the same problems on all 3 domains. The only difference is that on blog.centminmod.com and centminmod.com I use Cloudflare SSL certificates provided by Google Trust SSL CA, and with community.centminmod.com I am still using the older DigiCert SSL CA certificate.

    However, from the SSLLabs tests there's a link to expand "Not simulated clients due to protocol mismatch", and Safari 5 and 6 are listed due to SSL ciphers on those devices not supporting the ones Cloudflare edge servers are advertising as supported. Meaning your device is too old for Cloudflare's default strong SSL cipher supported methods.

    upload_2023-2-23_19-8-46.png

    You can try paying an extra $10/month for Cloudflare Advanced Certificate Management (Advanced certificates · Cloudflare SSL/TLS docs) and then using ACM product features (Manage advanced certificates · Cloudflare SSL/TLS docs) to modify the default Cloudflare supported SSL ciphers (Manage advanced certificates · Cloudflare SSL/TLS docs and Customize cipher suites — Edge certificates · Cloudflare SSL/TLS docs). Though that will only help temporarily, if at all, depending on how old the device is. Eventually, older devices just need to be retired or upgraded.

    Safari 5/6 is probably looking for TLS 1.0/1.1, which have been deprecated and are unsupported on a lot of web browsers/operating systems and services now. So I'd update your device.

    Here are Cloudflare's default SSL ciphers: Supported cipher suites — Edge certificates · Cloudflare SSL/TLS docs. On my centminmod domain sites I use ACM to disable weak SSL ciphers so older devices aren't supported, as you can see in the SSLLabs protocols and SSL ciphers supported at the Cloudflare edge below:

    upload_2023-2-23_19-16-39.png
     
  7. adamus007p

    adamus007p Member

    Yes, 1.2

    centminmod.com does not work
    blog.centminmod.com does not work
    community.centminmod.com - Access denied You do not have access to community.centminmod.com. Ray ID xxxx


    I have changed SSL in Cloudfront from 1.2 to 1.0 and the website is working.
    Safari 5/6 probably looking for TLS 1.0 - yes.


    The question is: is it safe to use TLS 1.0?


    I have run tests again.
    upload_2023-2-23_17-1-25.png
     
    Last edited: Feb 24, 2023
  8. duderuud

    duderuud Active Member

    No, that is not safe. Best practice is to use 1.2 or higher.
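
Added example (not part of the thread and not code from any poster): before changing the minimum TLS version, you can measure how many real visitors still negotiate TLS 1.0/1.1 at the Cloudflare edge. It assumes NDJSON request logs with the `ClientSSLProtocol`, `ClientSSLCipher` and `ClientRequestUserAgent` fields of Cloudflare's HTTP requests Logpush dataset; the sample records and the function names are constructed for illustration.

```python
import json
from collections import Counter, defaultdict

# Versions below the TLS 1.2 floor recommended in the thread.
LEGACY = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

# Constructed NDJSON sample, not real traffic. The last record is deliberately truncated.
SAMPLE_LOG = """\
{"ClientSSLProtocol":"TLSv1.3","ClientSSLCipher":"AEAD-AES128-GCM-SHA256","ClientRequestUserAgent":"Version/16.0 Safari/605.1.15"}
{"ClientSSLProtocol":"TLSv1.3","ClientSSLCipher":"AEAD-AES128-GCM-SHA256","ClientRequestUserAgent":"Chrome/110.0.0.0"}
{"ClientSSLProtocol":"TLSv1.2","ClientSSLCipher":"ECDHE-ECDSA-AES128-GCM-SHA256","ClientRequestUserAgent":"Firefox/110.0"}
{"ClientSSLProtocol":"TLSv1.2","ClientSSLCipher":"ECDHE-ECDSA-AES128-GCM-SHA256","ClientRequestUserAgent":"curl/7.61.1"}
{"ClientSSLProtocol":"TLSv1","ClientSSLCipher":"ECDHE-RSA-AES128-SHA","ClientRequestUserAgent":"Version/5.1.7 Safari/534.57.2"}
{"ClientSSLProtocol":"none","ClientSSLCipher":"NONE","ClientRequestUserAgent":"healthcheck"}
{"ClientSSLProtocol":"TLSv1.2","ClientSSL
"""

def summarize(ndjson_text):
    """Return (requests per protocol, user agents per legacy protocol, skipped lines)."""
    by_proto = Counter()
    legacy_agents = defaultdict(Counter)
    skipped = 0
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1          # truncated or corrupt record
            continue
        if not isinstance(rec, dict):
            skipped += 1
            continue
        proto = rec.get("ClientSSLProtocol") or "none"   # "none" = plain HTTP
        by_proto[proto] += 1
        if proto in LEGACY:
            legacy_agents[proto][rec.get("ClientRequestUserAgent", "-")] += 1
    return by_proto, legacy_agents, skipped

def legacy_share(by_proto):
    """Fraction of TLS requests (plain HTTP excluded) negotiated below TLS 1.2."""
    tls_total = sum(n for p, n in by_proto.items() if p != "none")
    legacy = sum(n for p, n in by_proto.items() if p in LEGACY)
    return legacy / tls_total if tls_total else 0.0

if __name__ == "__main__":
    protos, agents, bad = summarize(SAMPLE_LOG)
    print(dict(protos), f"legacy share: {legacy_share(protos):.0%}", f"skipped: {bad}")
    for proto, uas in agents.items():
        print(proto, uas.most_common(5))
```

A legacy share near zero means raising the minimum back to TLS 1.2 costs almost no visitors; the per-protocol user-agent list shows exactly which old clients would be cut off.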