SSL SNI Setup & Errors

#1
Hi All,

I am having some issues setting up SSL on my new test server and am looking for some help from the community if possible.

setup:
  • 443 listener with one of the SSL certs attached to that listener
  • 2 virtual hosts
    • domain1.com.au with the same SSL attached as the listener
    • domain2.co.nz with another SSL attached different to the above
    • SPDY2 / 3 / HTTP2 activated
    • TLS 1 / 1.1 / 1.2
    • ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH as the Ciphers
    • Both have the same document root but different directories for the setup and separate XML files (obviously)
errors:
  • In Chrome I get the following errors
  • For domain1.com.au ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY
  • For domain2.co.nz I get a mismatch in the certificate
  • In Safari I don't get the first error
Any hints? I have had this working before, but can't seem to replicate.
 

lsmichael

Active Member
#2
Talked around. This is probably two separate errors (we think).
  • For domain1.com.au ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY
This error probably means that your cipher suite is too weak for Chrome's requirements. (Safari may have more relaxed requirements.) Try turning off SPDY and HTTP/2 and see if it still happens.
  • For domain2.co.nz I get a mismatch in the certificate
This error, on the other hand, is almost certainly a misconfiguration of the SNI setup. Make sure the vhost is properly mapped in the listener. The mapping should be to "domain2.co.nz".

 

gen

New Member
#3
Hello.
I have the same problem:
When "Enable SPDY/HTTP2" is "None", SSL works fine, but when I check any of "SPDY/2", "SPDY/3", or "HTTP/2" I have the error "net::ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY".
 

gen

New Member
#5
Thanks for the reply, eva2000.
I resolved my problem by adding this cipher suite:

EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!MEDIUM:!SEED:!3DES:!CAMELLIA:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
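
Added example (not part of any post in this thread, and not LiteSpeed's own code): a Python check that expands the two cipher strings quoted above with the local OpenSSL and flags which TLS 1.2 suites an HTTP/2 client may refuse. It assumes the rule from RFC 7540 section 9.2.2 (ephemeral key exchange plus an AEAD cipher); `http2_ok`, `expand` and `audit` are hypothetical helper names.

```python
import ssl

# Cipher strings quoted in the thread (post #1, and the fix in post #5).
ORIGINAL = "ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH"
FIXED = ("EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:"
         "EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!MEDIUM:!SEED:!3DES:!CAMELLIA:"
         "!MD5:!EXP:!PSK:!SRP:!DSS:!RC4")

AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def http2_ok(name):
    """True if an OpenSSL TLS 1.2 suite name has ephemeral key exchange
    and an AEAD cipher (assumed rule: RFC 7540 section 9.2.2)."""
    ephemeral = name.startswith(("ECDHE-", "DHE-"))
    return ephemeral and any(m in name for m in AEAD_MARKERS)


def expand(cipher_string):
    """Expand a cipher string with the local OpenSSL build, in preference
    order. TLS 1.3 suites are dropped: the listener in the thread stops at 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(suites):
    """Return (first_choice_ok, rejected) for an ordered list of suite names."""
    rejected = [s for s in suites if not http2_ok(s)]
    return bool(suites) and http2_ok(suites[0]), rejected


if __name__ == "__main__":
    for label, string in (("original", ORIGINAL), ("fixed", FIXED)):
        try:
            suites = expand(string)
        except ssl.SSLError as exc:
            print(f"{label}: local OpenSSL selected no ciphers ({exc})")
            continue
        first_ok, rejected = audit(suites)
        print(f"{label}: first choice {suites[0] if suites else None} "
              f"HTTP/2-acceptable={first_ok}; "
              f"{len(rejected)}/{len(suites)} suites would be refused for HTTP/2")
```

The expansion reflects the OpenSSL build on the machine running the script, so run it on the server itself; current builds usually omit RC4 entirely.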
 
#7
My last problem is I get a certificate error only in iOS Safari - cannot verify server identity - even though the certificate name and domain match. I looked at the details of the cert and all looks ok, baffled why that would be...
 