IE11: Server sent fatal alert: handshake_failure

explain what you are trying to do
We use Caddy for about 25 domains on a single server. These are simple HTML landing pages served via another simple go application that compiles markdown with html templates. Caddy makes it easy to get SSL up and running.

We compile Caddy from source and include the following plugins

Our latest build was created based on master from commit f6e6a6be0446a8455001d6202032b20b64b37569

Here is what our configuration looks like

https://{{}}  {
	log / /var/log/caddy/access.log "{remote} - [{when}] {method} {path} {proto} {host} {status} {size}"
    errors /var/log/caddy/errors.log
	tls {
 	   max_certs 100

	header /  Strict-Transport-Security "max-age=31536000;"

	proxy / {{h.ip}}:{{h.port}} {

show what you have already tried

I tried restarting Caddy and I searched the error logs for any clues but I do not see any errors. I also created another build of caddy to make sure it wasn’t a bad build.

include error messages and log output

If I visit one of our sites via IE11 on Windows 8 I get the following error (Google Translated from German).

This page can not be displayed.

Enable TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced Settings, and try connecting to {removed} again. If the error persists, this Web site may use an unsupported log or unsupported cipher suite, such as RC4 (link to details), which is considered unsafe. Contact the site administrator.

I removed the domain as I don’t want to affect search results for this page. One site is plexus dash kvn dot de if you would like to test this.

I used SSL Server Test (Powered by Qualys SSL Labs) to test this further and I see the error Server sent fatal alert: handshake_failure on IE11 with older versions of Windows and on older versions of Safari.

Please let me know if you have any ideas on what the problem could be. Thanks!

Hi @markustenghamn,

This is the result of a recent change to the cipher suites Caddy uses by default. The changes were made at the same time as the implementation of TLS1.3 and were aimed at deprecating outdated, less secure ciphers.

There’s more discussion on the TLS1.3 implementation here:

And more specifically, ongoing discussion about the IE11 compatibility problem here:

1 Like

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.