1

Leadup:

Issue:

On some machines, people receive the following:

Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have. Error code: ERR_SSL_PROTOCOL_ERROR

Pattern:

The only real pattern I can see is that people with Time Warner in their office cannot load the site.

Evidence and Thoughts:

  1. The site works on my laptop and my phone, but when I connected to the wifi in the office with Time Warner, it stopped working. They had an Arris TG### router from Time Warner.
  2. Other people complained that they can't load the site with the same error and I confirmed that they are also using Time Warner.
  3. No idea if this would be related to the router or the ISP.
  4. Have tested this with other friends in various locations without any problems.

This is just a theory and any other ideas and solutions/suggestions would be very helpful.

The site is https://tabularasa-ny.com/

Sven
zeusstl

2 Answers

3

The host has both an IPv4 and an IPv6 address. The web server listens on port 443 on both IP addresses, so the TCP connect is successful, but you somehow messed up the SSL configuration for IPv6, so the SSL upgrade on the IPv6 address fails. There are enough clients out there which use IPv6 if available and prefer it to IPv4, and these clients will fail.

SSLLabs will not tell you about it, because it does not support IPv6 yet. But analyze.pl will tell you about it:

$ perl analyze-ssl.pl  tabularasa-ny.com
-- tabularasa-ny.com port 443
! failed SSL upgrade on IP 2600:3c03::f03c:91ff:fe84:5fd
...

Apart from that please fix the issues reported by SSLLabs.

> The only real pattern I can see is that people with Time Warner in their office cannot load the site.

From searching a bit on the web, it looks like Time Warner has IPv6 enabled for their customers. Since all modern OSes can do IPv6 and will use it if available, this matches my problem description.

Steffen Ullrich
  • Thanks. That helped a lot. The final solution was here: [link](https://forum.linode.com/viewtopic.php?t=7474%3E) The first line of each VirtualHost should look like this to include IPv6: – zeusstl Mar 18 '15 at 19:41
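The per-address check this answer relies on, as an added example (not part of the original post and not the analyze-ssl.pl tool): it resolves every A and AAAA record and attempts the TLS handshake against each address separately, so a dual-stack host whose IPv6 listener accepts TCP but fails the SSL upgrade shows up explicitly. The function names and the `localhost` default are assumptions made for illustration.

```python
import socket
import ssl
import sys

def probe(ip, port, server_name, timeout=5.0):
    """Return 'ok', 'tcp_failed' or 'tls_failed' for one literal IP address."""
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    ctx = ssl.create_default_context()
    # Diagnostic only: we ask whether the handshake completes at all,
    # not whether the certificate is trusted.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((ip, port))
        except OSError:
            return "tcp_failed"
        try:
            # SNI is sent so name-based virtual hosts pick the right site.
            with ctx.wrap_socket(sock, server_hostname=server_name):
                return "ok"
        except OSError:  # ssl.SSLError and socket timeouts are OSError subclasses
            return "tls_failed"

def resolve(host, port):
    """All A and AAAA addresses for host, de-duplicated."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_host(host, port=443):
    """Probe every address separately instead of letting the OS pick one."""
    return {ip: probe(ip, port, host) for ip in resolve(host, port)}

def mismatched(results):
    """Addresses that fail although another address of the same host works."""
    if "ok" not in results.values():
        return []
    return sorted(ip for ip, status in results.items() if status != "ok")

if __name__ == "__main__":
    # "localhost" is a constructed default so the script runs offline.
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    results = check_host(host)
    for ip, status in sorted(results.items()):
        print(f"{host} {ip}: {status}")
    for ip in mismatched(results):
        print(f"! {ip} fails while another address works")
```

A `tls_failed` result on the IPv6 address next to `ok` on the IPv4 address is the situation described in this answer; `tcp_failed` instead points at a listener or firewall problem rather than the SSL configuration.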
0

Probably some ciphers are not active (which is good). Try to notice which systems/browsers have this problem.

BTW: https://www.ssllabs.com/ssltest/analyze.html?d=tabularasa-ny.com

You are Poodle Attack Exploitable...

Widmo