
[Resolved] Some users report a problem with SSL

VojkanC

Basic Pleskian
We have EV SSL from Sectigo RSA Extended Validation Secure Server CA, but some users still get SSL warnings.

I personally checked the site on Win 7 and Win 10 with Chrome, Firefox, Opera, IE 10 and MS Edge and I never saw the warning.

One of the users (out of 10 in the last 3 months) that reported the problem also sent the screenshot:
Screenshot-2019-04-23T00:14:05.490Z.png

where Safari complains about the expired certificate; about 10 days before that, we changed the host and SSL issuer from the free Let's Encrypt certificate to the EV SSL from Sectigo RSA Extended Validation Secure Server CA.

I found this thread How can an SSL certificate work for some clients only? that helped me understand how this could happen, but this isn't exactly the same case.

Here is the SSL test site: SSL Server Test: pcmc.co.nz (Powered by Qualys SSL Labs)
I am not an expert on SSL, but I would say that it doesn't have errors, only some warnings.

Can you please take a look at the results and tell me if I need to fix something here, and how?
 
Thank you for your reply. I've already advised that, but I still get this at least once a week from different site visitors.
Some users that complained stated that they have used Chrome, but unfortunately they didn't provide any more information.

Can you please check SSL Server Test: pcmc.co.nz (Powered by Qualys SSL Labs) and tell me if I am missing something?
Is there anything wrong with SSL or certificate configuration on my server?

There must be something that could be done to enable all users to use the site without SSL issues.
 
Do you know how to disable weak cipher suites:

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK 256

TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) WEAK 128
 
As for these weak ciphers, unless there is something wrong with your server's TLS/SSL settings, they would only get selected if your server and the visitor wouldn't be able to negotiate one of the stronger ones.

This thread should point you in the right direction if you wish to adjust your TLS/SSL ciphers. Note that I would suggest changing these settings by manually editing the relevant configuration files and carefully choosing what to turn off or on, both in terms of ciphers and also in terms of other TLS/SSL options.

As to why some of your clients would see an older certificate while your site already had a newer one installed for a while, I can't really help. An unintentional MITM caused by something unknown, that's my first hunch.

I would just suggest not assuming that all the visitors are reporting the same problem; several issues might be lurking here, and the minimum you need to troubleshoot is the visitor's OS version, browser version and the exact error.

One of the things I've noticed is that your server only supports TLS 1.2. This in itself is fine, but prevents some of the older browsers from connecting. Note in your SSL report, there is a "Not simulated clients (Protocol mismatch)" section which you can expand to see further client information. Basically, those clients listed there won't be able to connect to your server using TLS/SSL.

At this point in time, many hosts are indeed cutting off the TLS 1.0 support, but it's still not a completely clear cut decision. It really depends on your visitors.
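The suites flagged WEAK in the report above all use static RSA key exchange (no forward secrecy). Before editing the web server's cipher configuration, a cipher string can be checked offline against the local OpenSSL to confirm that exactly those suites disappear and that the suites modern browsers expect remain. The script below is an added example, not code from the thread or from Plesk; the cipher string `HARDENED_CIPHERS` is an assumed choice, and the IANA ids are the ones printed in the report.

```python
import ssl

# Suites SSL Labs flagged WEAK in the thread (IANA ids from the report).
# All of them negotiate the key with static RSA, so a leaked server key
# would decrypt recorded sessions.
WEAK_SUITE_IDS = {0x9d, 0x3d, 0x35, 0x84, 0x9c, 0x3c, 0x2f, 0x41}

# Assumed hardened OpenSSL cipher string: ECDHE key exchange with AEAD
# ciphers only; "!kRSA" explicitly drops every static-RSA suite.
# The same string goes into nginx "ssl_ciphers" or Apache "SSLCipherSuite".
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!kRSA:!aNULL:!MD5"


def negotiable_suites(cipher_string, min_version=ssl.TLSVersion.TLSv1_2):
    """Map IANA id -> OpenSSL name for every suite a server context built
    from this cipher string and protocol floor would offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if nothing matches
    # get_ciphers() reports ids as 0x0300XXXX; the low 16 bits are the
    # IANA id SSL Labs prints, e.g. 0xC030 = ECDHE-RSA-AES256-GCM-SHA384.
    return {c["id"] & 0xFFFF: c["name"] for c in ctx.get_ciphers()}


def weak_suites_offered(cipher_string):
    """Sorted IANA ids from the report that the cipher string still enables."""
    return sorted(WEAK_SUITE_IDS.intersection(negotiable_suites(cipher_string)))


if __name__ == "__main__":
    for label, cs in (("permissive", "ALL"), ("hardened", HARDENED_CIPHERS)):
        offered = negotiable_suites(cs)
        print(f"{label:10s}: {len(offered)} suites, weak from report still "
              f"offered: {[hex(i) for i in weak_suites_offered(cs)]}")
```

Re-running the SSL Labs test after the change confirms the result against the server itself, since the server's own OpenSSL build and config may differ from the machine that ran this check.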