Wednesday, 11 May 2016

Thanks everyone for breaking my site!

So the pains of Windows 10 continue, although to be fair, this is a combination of Windows 10, SPDY/HTTP2 and the latest browsers trying to be nice and secure!

The problem is related to the selection of SSL cipher suites. If you have ever looked into it, there are LOADS of combinations, but HTTP2 have decided in their wisdom that certain suites MAY be blacklisted by browsers. The list is here

Unfortunately, most browsers seem to do nothing except show a blank screen. Chrome at least gives a clue with ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY, but Opera does nothing and Edge says that it can't reach the site.

FFS

I have tried quite religiously to keep my cipher suite a good mix of secure with a little backwards compatibility but this has broken all of my sites.

My choices include disabling SPDY/HTTP2 on Windows 10, which seems a bit backwards, or otherwise going through the 100 or so cipher suites on the list and attempting to check them against the suites that I have configured locally to try and get some that work properly.

This has taken AGES to debug thanks to crappy browsers that couldn't at least do something like Chrome does and show the error. It was even weirder that when running Fiddler, the sites run absolutely fine because Fiddler uses its own SSL handshake using some other kind of HTTP version or SSL version.
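The check against the blacklist described above can be scripted instead of done by eye. This is an added example, not code from the original post: it applies the rule RFC 7540 Appendix A gives for its blacklist (no ephemeral key exchange, or a non-AEAD cipher) to TLS 1.2 suite names rather than embedding the literal list, and the suite order shown is a constructed sample.

```python
import re

# Constructed sample: a server-side suite order, most preferred first.
# Older Schannel names carry a curve suffix (_P256/_P384/_P521).
SAMPLE_ORDER = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

CURVE_SUFFIX = re.compile(r"_P(256|384|521)$")
AEAD_MARKERS = ("_GCM", "_CCM", "CHACHA20_POLY1305")


def http2_problems(suite):
    """Return the reasons a TLS 1.2 suite name falls under the HTTP/2 blacklist."""
    name = CURVE_SUFFIX.sub("", suite.strip().upper())
    kx, sep, cipher = name.partition("_WITH_")
    if not sep or not kx.startswith("TLS_"):
        return ["unrecognised suite name"]
    problems = []
    # Static RSA, static (EC)DH, anonymous and plain PSK exchanges all fail here.
    if not kx.startswith(("TLS_DHE_", "TLS_ECDHE_")):
        problems.append("no ephemeral key exchange")
    # CBC, stream (RC4) and NULL ciphers all fail here.
    if not any(marker in cipher for marker in AEAD_MARKERS):
        problems.append("not an AEAD cipher")
    return problems


def audit(order):
    """Map each suite to its problems and find the first acceptable position."""
    report = [(suite, http2_problems(suite)) for suite in order]
    first_ok = next((i for i, (_, p) in enumerate(report) if not p), None)
    return report, first_ok


if __name__ == "__main__":
    report, first_ok = audit(SAMPLE_ORDER)
    for suite, problems in report:
        print(f"{'BAD' if problems else 'OK '} {suite} {'; '.join(problems)}")
    # A blacklisted suite listed ahead of this position can still be picked
    # when the server's own preference order decides the negotiation.
    print("first HTTP/2-acceptable suite at position", first_ok)
```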