IE11/Win7 Won't connect but Chrome, Firefox, MS Edge, IE11/Win10 All Do

I first posted this on LetsEncrypt but they suggested it might be a NextCloud VM/LetsEncrypt setup issue. So I am posting the question here as well.

I'm testing a NextCloud 12.02 VM using Ubuntu 16.04.2 LTS. My LetsEncrypt worked great and my temp domain works as well. Some of our corporate customers must use IE11/Win7 as company IT policy (not Chrome or Firefox on local machines) and they cannot connect to the website. The IE11 display is "This Page can not be Displayed". I receive no errors. If I use Firefox, Chrome, MS Edge or even IE11/Win 10 it works fine. Using the SSL Labs test results in the following two lines for IE11/Win7:
IE 11 / Win 7 R Client does not support DH parameters > 4096 bits
RSA 4096 (SHA256) | TLS 1.2 | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | DH 8192
I know that the NextCloud LetsEncrypt sets the DH at 8192. I can also get IE11/Win7 to connect if I uncheck TLS 1.2 under advanced settings. My options appear to be redoing at a DH of 4096 or changing the order presented to IE11/Win7 of connection options to the first that works?

I found this as the main link for the letsencrypt script:


I can alter the DHPARAM to 4096 instead of 8192. That should theoretically allow for IE11/Win7 to connect.
My question is does this file get replaced during an upgrade? If I change the file I could make it read only if needed.
The IE11/Win7 DH > 4096 issue should be solved by this. Any suggestions or thoughts?

create_config() {
    local method="$1"

    if [ -d "$CERTFILES" ]
    then
        # Generate DHparams cipher
        if [ ! -f "$DHPARAMS" ]
        then
            openssl dhparam -dsaparam -out "$DHPARAMS" 8192  # <-- change to 4096
        fi
        # Activate new config
        check_command bash "$SCRIPTS/test-new-config.sh" "$domain.conf"
        exit
    fi
}
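
One way to confirm the size of the DH parameter file on the server against the 4096-bit limit SSL Labs reports for IE11/Win7, as an added example that is not part of the original post or the Nextcloud VM scripts. The function names, the `MAX_CLIENT_DH_BITS` variable and the sample text are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example, not taken from the Nextcloud VM scripts.
# Limit from the SSL Labs line quoted in the post:
# "Client does not support DH parameters > 4096 bits".
MAX_CLIENT_DH_BITS=4096

# Read `openssl dhparam -text -noout` output on stdin and print the bit length.
# Matches both "DH Parameters: (N bit)" and "PKCS#3 DH Parameters: (N bit)".
parse_dh_bits() {
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only if $1 is a number no larger than the limit ($2, or the default).
dh_bits_ok() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;   # empty or non-numeric: parsing failed
    esac
    [ "$1" -le "${2:-$MAX_CLIENT_DH_BITS}" ]
}

# Check a dhparam PEM file; the path is supplied by the caller,
# e.g. the file the script above writes to "$DHPARAMS".
check_dhparams_file() {
    bits=$(openssl dhparam -in "$1" -text -noout 2>/dev/null | parse_dh_bits)
    if dh_bits_ok "$bits"; then
        echo "OK: $1 uses $bits-bit DH parameters"
    else
        echo "FAIL: $1 is ${bits:-unreadable} (client limit $MAX_CLIENT_DH_BITS bits)"
        return 1
    fi
}

# Constructed sample of the text header openssl prints for an 8192-bit file.
SAMPLE_8192='    DH Parameters: (8192 bit)
        prime:'
```

Because `create_config` only generates the file when it does not already exist, an existing 8192-bit file has to be removed or regenerated before this check will report a different size.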

Looks like you brought this up to the bug tracker and solved the issue: