gerhard
(Gerhard Schlager)
September 7, 2019, 12:13am
7
I don’t think Safari 6 will work even when you solve the TLS issues by adding additional cipher suites.
You can add missing cipher suites by overriding the nginx config file. Add the following snippet (untested, but it should work) to the `hooks` section of `app.yml` and change the value of `ssl_ciphers` to your liking.

```yaml
after_ssl:
  - replace:
      filename: "/etc/nginx/conf.d/discourse.conf"
      from: /ssl_ciphers .*/
      to: ssl_ciphers <your_complete_cipher_list>;
```

BTW: I’m trying to add support for Elliptic Curve certificates to Discourse which would make it work for IE11 out of the box.
discourse:master ← discourse:elliptic_curve
opened 12:12AM - 07 Sep 19 UTC
[Mozilla](https://wiki.mozilla.org/Security/Server_Side_TLS) recommends ECDSA (P-256) as certificate type for intermediate compatibility.
> ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11
Most modern browsers will use cipher suites with the ECDSA certificate. Older browsers will select the RSA certificate and an RSA cipher suite.
It will create two Let's Encrypt certificates:
* EC 256 bits (SHA256withRSA)
* RSA 4096 bits (SHA256withRSA)
Without this change all the ECDSA cipher suites defined in https://github.com/discourse/discourse_docker/blob/12f501764f57c827e497eb6fb88e98f8c3c468e6/templates/web.ssl.template.yml#L22 won't work. With the new certificate all cipher suites will work and browsers like IE11 on Windows 7 and Windows 8 will work too.
4 Likes
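
The point made in the pull request above, that ECDSA cipher suites in `ssl_ciphers` cannot be negotiated unless an ECDSA certificate is installed, can be checked against an nginx config. This is an added example, not part of the original post or of Discourse's code; the sample config, the cipher list in it and the helper names are constructed for illustration, and it assumes explicit OpenSSL-style suite names.

```python
import re

# Constructed sample of the nginx file the hook edits (not Discourse's real list).
SAMPLE_CONF = """\
server {
  listen 443 ssl http2;
  ssl_protocols TLSv1.2;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA:!aNULL;
}
"""

def parse_ssl_ciphers(conf_text):
    """Return the suite names from the first ssl_ciphers directive."""
    m = re.search(r"^\s*ssl_ciphers\s+([^;]+);", conf_text, re.MULTILINE)
    if m is None:
        raise ValueError("no ssl_ciphers directive found")
    value = m.group(1).strip().strip("'\"")
    # Skip exclusions such as !aNULL; explicit suite names are assumed.
    return [t for t in value.split(":") if t and not t.startswith("!")]

def required_cert(suite):
    """Certificate key type an OpenSSL-named TLS <=1.2 suite authenticates with."""
    if suite.startswith("TLS_"):      # TLS 1.3 suites are not tied to a key type
        return "ANY"
    if "-ECDSA-" in suite:
        return "ECDSA"
    if "-DSS-" in suite:
        return "DSS"
    return "RSA"                      # ECDHE-RSA-*, DHE-RSA-* and RSA key exchange

def audit(conf_text, installed_certs):
    """Split configured suites into usable and dead for the installed key types."""
    usable, dead = [], []
    for suite in parse_ssl_ciphers(conf_text):
        need = required_cert(suite)
        (usable if need == "ANY" or need in installed_certs else dead).append(suite)
    return usable, dead

if __name__ == "__main__":
    for certs in ({"RSA"}, {"RSA", "ECDSA"}):
        usable, dead = audit(SAMPLE_CONF, certs)
        print(sorted(certs), "usable:", len(usable), "dead:", dead)
```

Run it against the `ssl_ciphers` line you end up with after the `replace` hook to see which entries depend on a certificate type you have not installed.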