Kitura / BlueSSLService

SSL/TLS Add-in for BlueSocket using Secure Transport and OpenSSL
Apache License 2.0

Forward Secrecy & App Transport Security test fails #51

Open codeeeee opened 6 years ago

codeeeee commented 6 years ago

Attempting to deploy a website as a Kitura-based project, running on DigitalOcean Ubuntu 16.04 with a LetsEncrypt set of certificates. Swift 4.1, OpenSSL 1.0.2g.

The default cipher suite (DEFAULT:!DH) fails the Qualys SSL Report very badly, and does not support Apple's App Transport Security standards.

My modified cipher suite, ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP:!kEDH, passes the test generally well, except for no Forward Secrecy support, as well as for Apple ATS 9 / iOS 9, which shows "Server sent fatal alert: handshake_failure".

This is reflected when attempting to load a web page inside a WKWebView on iOS. When such clients attempt to load a page, the server logs the following error:

[ERROR] [HTTPServer.swift:217 listen(listenSocket:socketManager:)] Error initializing client connection from 162.155.251.250:31852: Error code: 336109761(0x1408A0C1), ERROR: SSL_accept, code: 336109761, reason: SSL3_GET_CLIENT_HELLO:no shared cipher

16 seems to acknowledge a fix for this, and SSLService.swift line 856 claims to be the solution, but still no luck.

Edit: Workaround for now, FastCGI server with nginx works great.
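Editor's note with an added example (not code from BlueSSLService or from the reporter). The two symptoms above have one common check: list what the server's cipher string actually enables, then see which of those suites give forward secrecy (Kx=ECDH or Kx=DH), which ones an ATS-restricted iOS 9 client will accept (TLS 1.2 with ECDHE and AES-GCM or AES-CBC-SHA2), and whether the intersection with that client's offer is empty, which is exactly what OpenSSL reports as "no shared cipher". Two things to keep in mind when reading the results: `DEFAULT:!DH` and `!kEDH` both strip the DHE suites, so forward secrecy can only come from ECDHE; and on OpenSSL 1.0.2 a server only negotiates ECDHE suites once the application has configured a curve (`SSL_CTX_set_ecdh_auto` or `SSL_CTX_set_tmp_ecdh`), whereas 1.1.0 does that automatically. The `negotiable()` function below models that 1.0.2 behaviour. The `openssl ciphers -v` sample and the ATS client offer are constructed by hand so the script runs offline; `live_ciphers_v()` will run the real `openssl ciphers -v` if the binary is installed.

```python
"""Audit an OpenSSL cipher list for forward secrecy and ATS compatibility.

Added example, not code from BlueSSLService. Input is in the format of
`openssl ciphers -v` output; the sample below is constructed by hand and
truncated to a handful of suites so the script runs without OpenSSL.
"""
import re
import shutil
import subprocess
from typing import Dict, List

# Constructed sample of `openssl ciphers -v` output (not captured from the
# reporter's server). Columns: name, protocol, Kx, Au, Enc, Mac.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)    Mac=SHA384
DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384           TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)    Mac=SHA1
RC4-SHA                     SSLv3   Kx=RSA      Au=RSA  Enc=RC4(128)    Mac=SHA1
"""

# Suites an ATS-restricted iOS 9 client offers, in OpenSSL naming. Constructed
# from Apple's published ATS list (RSA-authenticated subset); assumption.
ATS_CLIENT_OFFER = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA256",
]

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_ciphers_v(text: str) -> List[Dict[str, str]]:
    """Parse `openssl ciphers -v` lines into dicts; non-matching lines are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def forward_secret(suite: Dict[str, str]) -> bool:
    """Ephemeral (EC)DH key exchange is what Qualys scores as Forward Secrecy."""
    return suite["kx"] in ("ECDH", "DH")


def ats_acceptable(suite: Dict[str, str]) -> bool:
    """Approximation of ATS: TLS 1.2, ECDHE, AES-GCM or AES-CBC with a SHA-2 MAC.
    Apple's published cipher list is the authority; this is a simplification."""
    if suite["proto"] != "TLSv1.2" or suite["kx"] != "ECDH":
        return False
    if suite["enc"].startswith("AESGCM("):
        return True
    return suite["enc"].startswith("AES(") and suite["mac"] in ("SHA256", "SHA384")


def negotiable(suites: List[Dict[str, str]], ecdh_enabled: bool) -> List[Dict[str, str]]:
    """Model of an OpenSSL 1.0.2 server: ECDHE suites are only negotiable once the
    application configured a curve (SSL_CTX_set_ecdh_auto / SSL_CTX_set_tmp_ecdh)."""
    return [s for s in suites if ecdh_enabled or s["kx"] != "ECDH"]


def shared_ciphers(server_suites: List[Dict[str, str]], client_offer: List[str]) -> List[str]:
    """Server-preference intersection; an empty result is OpenSSL's 'no shared cipher'."""
    offered = set(client_offer)
    return [s["name"] for s in server_suites if s["name"] in offered]


def live_ciphers_v(cipher_string: str) -> str:
    """Run the real `openssl ciphers -v <string>` if the binary is installed, else ''."""
    if shutil.which("openssl") is None:
        return ""
    return subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                          capture_output=True, text=True, check=False).stdout


def report(text: str, ecdh_enabled: bool) -> Dict[str, List[str]]:
    """Summarise a cipher list under the given server-side ECDH configuration."""
    usable = negotiable(parse_ciphers_v(text), ecdh_enabled)
    return {
        "forward_secret": [s["name"] for s in usable if forward_secret(s)],
        "ats": [s["name"] for s in usable if ats_acceptable(s)],
        "shared_with_ats_client": shared_ciphers(usable, ATS_CLIENT_OFFER),
    }


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"ECDH curve configured on server: {enabled}")
        for key, names in report(SAMPLE_CIPHERS_V, enabled).items():
            print(f"  {key}: {names or 'NONE'}")
    live = live_ciphers_v("DEFAULT:!DH")
    if live:
        print("Local OpenSSL, DEFAULT:!DH, curve configured:", report(live, True))
```

With the curve left unconfigured, the only forward-secret suite left in the sample is the DHE one, which `!DH` or `!kEDH` removes as well, and the ATS client's offer no longer intersects the server's list: that is the combination that produces both the missing Forward Secrecy line in the Qualys report and the `SSL3_GET_CLIENT_HELLO:no shared cipher` error from iOS 9 clients.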

billabt commented 6 years ago

I’m out of town right now attending my daughter’s college graduation. I’ll take a look when I get back on Tuesday.