When I try to set up an Exchange account on the new iPhone with iOS 10.1, it tells me that the server identity could not be verified.
I had sent the SSL certificate beforehand as a mail attachment, installed it and enabled/confirmed it (it is also shown under General).
My other iPhone with iOS 10.0.2 works flawlessly!
Regards, Rainer!
From the DAVID forum:
[code]the problem is caused by old encryption types and can be solved by creating a configuration file:
create davidtls.ini in c:\windows\syswow64 with the following content:
[Settings]
CipherSuite=HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS
SSLv3=no
TLS10=no
TLS11=yes
TLS12=yes
ServerCipherOrder=no
Then restart the Webbox and the Servicelayer; after that it also works with the iPhone and iOS 10.[/code]
My config: /apache2/mods…/ssl.conf:
[code]
Listen 443
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
# SSL Global Context
# All SSL configuration in this context applies both to
# the main server and all SSL-enabled virtual hosts.
# Some MIME-types for downloading Certificates and CRLs
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is an internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache dbm:/var/run/apache2/ssl_scache
SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:/var/run/apache2/ssl_mutex
# By default Apache supports TLS 1.0, 1.1 and 1.2
# If you want to enable the insecure legacy protocol SSL3, use apache2/ssl/v3=true
# To only allow TLS 1.1 and TLS 1.2, use apache2/ssl/tlsv11=true
# To only allow TLS 1.2, use apache2/ssl/tlsv12=true
@!@
protocol = 'SSLProtocol all -SSLv2 -SSLv3'
if configRegistry.is_true('apache2/ssl/v3', default=False):
    protocol = 'SSLProtocol all -SSLv2 +SSLv3'
if configRegistry.is_true('apache2/ssl/tlsv11', default=False):
    protocol = 'SSLProtocol -all +TLSv1.1 +TLSv1.2'
if configRegistry.is_true('apache2/ssl/tlsv12', default=False):
    protocol = 'SSLProtocol -all +TLSv1.2'
print protocol
@!@
# Enable compression on the SSL level. Warning: Enabling compression causes security issues in most setups (the so called CRIME attack).
@!@
if configRegistry.is_true('apache2/ssl/compression', default=False):
    print 'SSLCompression on'
else:
    print 'SSLCompression off'
@!@
# Server and client perform a handshake where they negotiate the ciphers to be used. By default the
# ciphers proposed by the client are used. If this option is enabled, the ciphers chosen by the
# server are used instead.
@!@
if configRegistry.is_true('apache2/ssl/honorcipherorder', default=False):
    print 'SSLHonorCipherOrder on'
else:
    print 'SSLHonorCipherOrder off'
@!@
# List the ciphers offered by Apache during the SSL handshake. The available options
@!@
print 'SSLCipherSuite %s' % configRegistry.get('apache2/ssl/ciphersuite', 'HIGH:MEDIUM:!aNULL:!MD5:!RC4')
@!@
@!@
if configRegistry.is_true("apache2/force_https"):
    print 'RewriteEngine on'
    print 'RewriteCond %{HTTPS} off'
    print 'RewriteCond %{REQUEST_URI} !=/server-status'
    print 'RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]'
    print
@!@
[/code]
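As an added example (not part of the forum post and not Univention's own template code), the script below reproduces the SSLProtocol decision from the ssl.conf template for a plain dict of UCR values and lets the local OpenSSL expand the two cipher strings that appear in this thread, so an administrator can see what a given setting actually offers before a client such as the iPhone rejects it. Assumptions: the registry is a plain Python dict standing in for configRegistry, `ALL_PROTOCOLS` is what Apache 2.4 expands `all` to, and the exact cipher names come from whichever OpenSSL build Python links against.

```python
"""Offline check of the TLS settings produced by the ssl.conf template above.

Added example, not part of the forum post and not Univention's own code.
It re-implements the template's SSLProtocol decision for a plain dict of
UCR values and uses the local OpenSSL (via Python's ssl module) to expand
cipher strings, so the exact cipher names depend on the OpenSSL build.
"""
import ssl

# Cipher string quoted from the DAVID forum post; OpenSSL accepts spaces as
# separators in addition to the usual colons.
DAVID_CIPHERS = "HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
# Default for apache2/ssl/ciphersuite in the template.
UCS_DEFAULT_CIPHERS = "HIGH:MEDIUM:!aNULL:!MD5:!RC4"

# Substrings of OpenSSL cipher names matching the exclusions in the DAVID
# string (RC4, 3DES, NULL/anonymous suites, MD5, export, PSK, SRP, DSS).
WEAK_MARKERS = ("RC4", "DES-CBC3", "NULL", "ADH-", "AECDH-", "MD5",
                "EXP-", "PSK", "SRP", "DSS")

# Assumption: what "all" expands to on Apache 2.4 with OpenSSL >= 1.0.1.
# SSLv2 no longer exists there, so the template's "-SSLv2" is a no-op.
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

TRUE_VALUES = ("yes", "true", "1", "enable", "enabled", "on")


def ssl_protocol_line(registry):
    """Return the SSLProtocol directive the template emits for these values.

    Later keys win, exactly as in the template: tlsv12 overrides tlsv11,
    which overrides v3.
    """
    def is_true(key):
        return str(registry.get(key, "false")).lower() in TRUE_VALUES

    protocol = "SSLProtocol all -SSLv2 -SSLv3"
    if is_true("apache2/ssl/v3"):
        protocol = "SSLProtocol all -SSLv2 +SSLv3"
    if is_true("apache2/ssl/tlsv11"):
        protocol = "SSLProtocol -all +TLSv1.1 +TLSv1.2"
    if is_true("apache2/ssl/tlsv12"):
        protocol = "SSLProtocol -all +TLSv1.2"
    return protocol


def enabled_protocols(protocol_line):
    """Evaluate an SSLProtocol directive left to right into a set of versions."""
    enabled = set()
    for token in protocol_line.split()[1:]:
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        for proto in (ALL_PROTOCOLS if name == "all" else (name,)):
            if sign == "+":
                enabled.add(proto)
            else:
                enabled.discard(proto)
    return enabled


def expand_cipher_string(spec):
    """Ask the local OpenSSL which cipher names `spec` resolves to, in order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(spec):
    """Cipher names from expand_cipher_string(spec) that carry a weak marker."""
    return [n for n in expand_cipher_string(spec)
            if any(marker in n for marker in WEAK_MARKERS)]


def check(registry):
    """Summarise what a server with these UCR values would offer to clients."""
    line = ssl_protocol_line(registry)
    protocols = enabled_protocols(line)
    spec = registry.get("apache2/ssl/ciphersuite", UCS_DEFAULT_CIPHERS)
    return {
        "SSLProtocol": line,
        "protocols": sorted(protocols),
        "offers_tls12": "TLSv1.2" in protocols,
        "offers_sslv3": "SSLv3" in protocols,
        "weak_ciphers": weak_ciphers(spec),
    }


if __name__ == "__main__":
    # Constructed registry values: template defaults, the legacy SSLv3 switch,
    # and a strict combination in the spirit of the DAVID forum fix.
    for name, reg in (
        ("template defaults", {}),
        ("legacy SSLv3 enabled", {"apache2/ssl/v3": "true"}),
        ("TLS 1.2 only, DAVID ciphers", {"apache2/ssl/tlsv12": "yes",
                                         "apache2/ssl/ciphersuite": DAVID_CIPHERS}),
    ):
        print(name)
        for key, value in check(reg).items():
            print("  %-14s %s" % (key, value))
```

Run it on the machine whose OpenSSL Apache uses: the `weak_ciphers` list for the template default `HIGH:MEDIUM:!aNULL:!MD5:!RC4` shows which legacy suites that build still hands out (older builds keep 3DES in MEDIUM), while the DAVID string resolves to an empty weak list on any build.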