[TriLUG] iPad SSL site oddity

Tim Jowers via TriLUG trilug at trilug.org
Tue May 9 10:42:10 EDT 2017


iOS 10 enforced newer SSL protocols, IIRC. It's a big pain in the butt but
Apple bows to no man, not even their customers. I forget the exact name but
there are some websites you can point at your website to see
vulnerabilities, and those listed will be things you have to upgrade.

Cheers,
Tim


On Tue, May 9, 2017 at 10:17 AM, Matt Flyer via TriLUG <trilug at trilug.org>
wrote:

> Over the last couple of weeks, I have been in the process of moving my
> home based server that I use for mail and other functions to a hosted
> system with the ultimate goal of giving the very expen$$$ive TWC-BC the
> cold boot.  In the process, I created the SSL site using Let's Encrypt
> that I use for Roundcube (webmail) and all seemed to work just fine
> with most browsers as in I would get the green lock and it would say
> that it was a secured and verified  connection.  Qualys SSL analysis
> would give the site an A rating, at least once I had all three of the
> SSLCertificateFile, SSLCertificateKeyFile, and the
> SSLCertificateChainFile
>
> What I ran into is that my newer iPad would REFUSE to connect to the
> roundcube site on my domain complaining that "safari could not
> establish a secure connection to the server".  What's even more odd is
> that my older iPad would.  Where it gets even more odd is that I have a
> subdomain for the Subsonic music player configured as subsonic.mydomain
>  (I use a reverse proxy to bridge the SSL port on 443 and the non
> privileged user port behind the firewall) and that WOULD connect but
> the parent domain would not. Of course Fruit goes M$ to the extreme in
> that it doesn't even say contact the administrator for help - you get
> just nothing as far as any sort of clue as to the problem.
>
> I was trying absolutely everything I could think of, including undoing
> the changes to ensure only strong ciphers were being used, resetting
> all the network parameters in the iPad, etc.  Finally I stumbled onto
> the problem and this is where I am a bit puzzled.  The short answer is
> that in the Apache host configuration I had
> <VirtualHost domain_ip_address:443> and what it wanted was
> <VirtualHost DomainName:443>, in essence I believe using TLS SNI (?)
> which is what I had in the subsonic domain as it shares the same IP
> address.
>
> From my recollection of the old days, SSL was established by IP
> address, not name, and the SNI is a newer variant that became popular
> as people started hosting more than one secured domain on a site.
>  However, what I don't get is why Safari would REFUSE to connect to the
> site when it was defined by IP address.
>
> I am curious if anyone can shed some light on this?

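A check for the kind of setup described in the quoted message (an address-based and a name-based `<VirtualHost>` sharing one IP on port 443), added here as an example and not code from either poster. It lists which vhost Apache treats as the default for each address:port and which blocks lack a `ServerName`; the config text, address, hostnames and the `audit_vhosts` helper are constructed placeholders, and IPv6 addresses are not handled.

```python
import re
from collections import defaultdict

# Constructed sample: address and hostnames are placeholders, not values from the post.
SAMPLE_CONF = """\
<VirtualHost 203.0.113.10:443>
    DocumentRoot /var/www/roundcube
    SSLEngine on
</VirtualHost>
<VirtualHost subsonic.example.org:443>
    ServerName subsonic.example.org
    SSLEngine on
</VirtualHost>
"""
# Constructed name-to-address map so the check runs offline (Apache resolves
# a hostname given in <VirtualHost> once, at startup).
SAMPLE_DNS = {"subsonic.example.org": "203.0.113.10"}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)
IP_RE = re.compile(r"^(\d{1,3}(\.\d{1,3}){3}|\*|_default_)$")

def audit_vhosts(conf, dns):
    """Group vhosts by resolved address:port and report selection pitfalls."""
    groups, findings = defaultdict(list), []
    for addr, body in VHOST_RE.findall(conf):
        host, sep, port = addr.rpartition(":")
        if not sep:  # no port given in the <VirtualHost> argument
            host, port = addr, "*"
        m = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        name = m.group(1) if m else None
        if not IP_RE.match(host):
            findings.append(f"{addr}: hostname in <VirtualHost>, resolved at startup")
            host = dns.get(host, host)
        if name is None:
            findings.append(f"{addr}: no ServerName, name falls back to system hostname")
        groups[f"{host}:{port}"].append(name or f"(unnamed {addr})")
    for key, names in groups.items():
        if len(names) > 1:  # first listed vhost is the default for this address:port
            findings.append(f"{key}: shared by {len(names)} vhosts, default is {names[0]}")
    return findings

if __name__ == "__main__":
    for line in audit_vhosts(SAMPLE_CONF, SAMPLE_DNS):
        print(line)
```

On a live server, `apachectl -S` prints Apache's own view of the same address:port grouping and default vhost.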
