Attempting to deploy a website as a Kitura-based project. Running on DigitalOcean Ubuntu 16.04 with a LetsEncrypt set of certificates. Swift 4.1. OpenSSL 1.0.2g
The default cipher suite (DEFAULT:!DH) fails the Qualys SSL Report very badly, and does not support Apple's App Transport Security standards.
My modified cipher suite, ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP:!kEDH, passes the test generally well except for no Forward Secrecy support, as well as Apple ATS 9 / iOS 9 | Server sent fatal alert: handshake_failure.
This is reflected by attempting to load a webpage inside of a WKWebView on iOS. When these clients attempt to load a webpage, the server gives the following error:
Attempting to deploy a website as a Kitura-based project. Running on DigitalOcean Ubuntu 16.04 with a LetsEncrypt set of certificates. Swift 4.1. OpenSSL 1.0.2g
The default cipher suite (
DEFAULT:!DH
) fails the Qualys SSL Report very badly, and does not support Apple's App Transport Security standards.My modified cipher suite,
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP:!kEDH
, passes the test generally well except for no Forward Secrecy support, as well asApple ATS 9 / iOS 9 | Server sent fatal alert: handshake_failure
.This is reflected by attempting to load a webpage inside of a WKWebView on iOS. When these clients attempt to load a webpage, the server gives the following error:
[ERROR] [HTTPServer.swift:217 listen(listenSocket:socketManager:)] Error initializing client connection from 162.155.251.250:31852: Error code: 336109761(0x1408A0C1), ERROR: SSL_accept, code: 336109761, reason: SSL3_GET_CLIENT_HELLO:no shared cipher
16 seems to acknowledge a fix for this, and SSLService.swift line 856 claims to be the solution, but still no luck.
Edit: Workaround for now, FastCGI server with nginx works great.