Resolved HTTPS websites not loading in IE

[occinodo]

Hello,

When trying to load an HTTPS website in IE on windows 7 and other platforms I get an error
For example https://techsavy.nl/ (on the same server as the website facing this issue)
You can also see that when you visit:
https://www.ssllabs.com/ssltest/analyze.html?d=techsavy.nl&s=37.97.158.214
this comes up:
IE 7 / Vista Server sent fatal alert: handshake_failure
IE 8 / XP No FS 1 No SNI 2 Server sent fatal alert: handshake_failure
IE 8-10 / Win 7 R Server sent fatal alert: handshake_failure
IE 11 / Win 7 R Server sent fatal alert: handshake_failure
IE 11 / Win 8.1 R Server sent fatal alert: handshake_failure
IE 10 / Win Phone 8.0 Server sent fatal alert: handshake_failure
IE 11 / Win Phone 8.1 R Server sent fatal alert: handshake_failure
IE 11 / Win Phone 8.1 Update R Server sent fatal alert: handshake_failure

How can I fix this? It's driving me nuts

 

[daanse]

Hi,

maybe this List helps? https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394

 

[occinodo]

Hi Daka,

Other servers with a Let's encrypt function perfectly, I think it's something with openSSL, but I don't know what.

 

[Lloyd_mcse]

You don't have TLS 1 or TLS 1.1 enabled, and you need a better cipher suite. TLS1 and 1.1 get disabled when you enable http2.

Have a look at /etc/nginx/conf.d/ssl.conf, something like...

ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers  on;
ssl_ciphers  EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:HIGH:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;

Should be ok. I added HIGH in there and removed the ones you really don't want.
Anyway that should get you where you want.
Kind regards

Lloyd

 

[occinodo]

Thanks a lot!! That solved the issue.
For future reference, this is what I had in the file:

ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers  on;
ssl_ciphers  EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:HIGH:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;

 

[chad182]

Hi, I have a similar problem:


IE 11 / Win Phone 8.1 R Server sent fatal alert: handshake_failure

Safari 6 / iOS 6.0.1	Server sent fatal alert: handshake_failure
Safari 7 / iOS 7.1 R	Server sent fatal alert: handshake_failure
Safari 7 / OS X 10.9 R	Server sent fatal alert: handshake_failure
Safari 8 / iOS 8.4 R	Server sent fatal alert: handshake_failure
Safari 8 / OS X 10.10 R	Server sent fatal alert: handshake_failure

SSL/TLS Protocols TLSv1.2 +TLSv1.3

ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

Where about's would I add in the HIGH? thank you in advance.

 

[echoabhishek]

For TLSv1.2 and TLSv1.3,
We are using this configuration in Nginx. This works fine for majorly all browsers.

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256;

The last cipher helps it work on old Safari, but is a weak cipher algo.

OpenSSL Version - 1.0.2k-fips
Nginx Version - 1.20.1