SSL SNI Setup & Errors

Discussion in 'Linux Support: RHEL, CentOS, SUSE etc' started by Rudi, Mar 2, 2015.

  1. Rudi

    Rudi New Member

    Hi All,

    I am having some issues setting up SSL on my new test server, looking for some help from the community if possible.

    setup:
    • 443 listener with one of the SSL certs attached to that listener
    • 2 virtual hosts
      • domain1.com.au with the same SSL attached as the listener
      • domain2.co.nz with another SSL attached different to the above
      • SPDY2 / 3 / HTTP2 activated
      • TLS 1 / 1.1 / 1.2
      • ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH as the Ciphers
      • Both have the same document root but different directories for the setup and separate XML files (obviously)
    errors:
    • In Chrome I get the following errors
    • For domain1.com.au ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY
    • For domain2.co.nz I get a mismatch in the certificate
    • In Safari I don't get the first error
    Any hints? I have had this working before, but can't seem to replicate it.
     
  2. lsmichael

    lsmichael Active Member

    Talked around. This is probably two separate errors (we think).
    • For domain1.com.au ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY
    This error probably means that your cipher suite is too weak for Chrome's requirements. (Safari may have more relaxed requirements.) Try turning off SPDY and HTTP/2 and see if it still happens.
    • For domain2.co.nz I get a mismatch in the certificate
    This error, on the other hand, is almost certainly a misconfiguration of the SNI setup. Make sure the vhost is properly mapped in the listener. The mapping should be to "domain2.co.nz".

    m
     
  3. gen

    gen New Member

    Hello.
    I have the same problem:
    When "Enable SPDY/HTTP2" is "None", SSL works fine, but when I check any of "SPDY/2", "SPDY/3", or "HTTP/2" I get the error "net::ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY".
     
  4. eva2000

    eva2000 Member

    see https://code.google.com/p/chromium/issues/detail?id=436835

     
  5. gen

    gen New Member

    Thanks for the reply, eva2000.
    I resolved my problem by adding this cipher suite:

    EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!MEDIUM:!SEED:!3DES:!CAMELLIA:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
     
    eva2000 likes this.
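
Added example, not part of the original thread or any poster's code: a Python check that expands the two cipher strings posted above with the local OpenSSL build and lists the suites ranked ahead of the first one HTTP/2 accepts. It assumes the server picks suites in its own preference order, and it uses a simplified form of the HTTP/2 rule (RFC 7540, section 9.2.2: ephemeral key exchange plus an AEAD cipher); the function names are hypothetical.

```python
import ssl

def http2_acceptable(name):
    """Simplified HTTP/2 rule: ephemeral (EC)DHE key exchange plus an AEAD cipher."""
    ephemeral = name.startswith(("ECDHE-", "DHE-"))
    aead = any(tag in name for tag in ("GCM", "CHACHA20", "CCM"))
    return ephemeral and aead

def expand(cipher_string):
    """Expand an OpenSSL cipher string into suite names, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are configured separately and are always AEAD; skip them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def blocking_suites(suites):
    """Suites ranked above the first HTTP/2-acceptable one (all of them if none is)."""
    blocking = []
    for name in suites:
        if http2_acceptable(name):
            break
        blocking.append(name)
    return blocking

# Cipher strings as posted in the thread (first post and post 5).
THREAD_STRINGS = {
    "original": "ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH",
    "replacement": (
        "EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:"
        "EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!MEDIUM:!SEED:!3DES:!CAMELLIA:!MD5:"
        "!EXP:!PSK:!SRP:!DSS:!RC4"
    ),
}

if __name__ == "__main__":
    # Output depends on which suites the local OpenSSL build still ships.
    for label, cipher_string in THREAD_STRINGS.items():
        suites = expand(cipher_string)
        ahead = blocking_suites(suites)
        print(f"{label}: {len(suites)} suites, {len(ahead)} ranked ahead of an AEAD suite")
        for name in ahead:
            print("   non-HTTP/2 suite preferred:", name)
```

An empty "ranked ahead" list means a client that offers AEAD suites will negotiate one before any CBC or RC4 suite is considered.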
  6. Rudi

    Rudi New Member

    Thanks both, my problem is solved as well now!
     
  7. Rudi

    Rudi New Member

    My last problem is I get a certificate error only in iOS Safari - cannot verify server identity - even though the certificate name and domain match. I look at the details of the cert and all looks OK, baffled why that would be...
     
  8. Rudi

    Rudi New Member

    Does anyone know how to install an intermediate certificate?
     
