TravCorpTech

Q: Safari, Proxy Authentication, and Certificate Authorities ( for https )

A recent update to Safari has caused it to not work with our proxy authentication.  It will not provide authentication details when looking up SSL certificate authorities, causing certificate errors on all https:// websites. All other traffic (http, https if certificate is bypassed, plugins, etc.) seem to work just fine. Is anyone else having this problem?  If so, is there a fix?

 

It occurs on Mac and PC.  I am using SquidGuard with NTLM authentication.  All other browsers on our system (IE x.x, FireFox, Chrome, Opera ) don't have this issue.

Posted on Jun 15, 2012 6:46 AM

Close

Q: Safari, Proxy Authentication, and Certificate Authorities ( for https )

  • All replies
  • Helpful answers

  • by Linc Davis,

    Linc Davis Linc Davis Jun 15, 2012 7:01 AM in response to TravCorpTech
    Level 10 (208,000 points)
    Applications
    Jun 15, 2012 7:01 AM in response to TravCorpTech
  • by TravCorpTech,

    TravCorpTech TravCorpTech Jun 15, 2012 7:55 AM in response to Linc Davis
    Level 1 (0 points)
    Jun 15, 2012 7:55 AM in response to Linc Davis

    Linc,

     

    I have the inverted issue.  The link you provided is a problem of someone's one website not functioning properly with Safari.  My issue is all 'https' websites within my network (w/ proxy authentication) using Safari. 

     

    If I take one of these systems give them direct access to the network, it works fine, but obviously cannot access our intranet.

     

    To confirm my findings, I have created an exception for one certificate authority to not require authentication on the proxy and it works fine.Unfortunately, I don't want to have to fish for every possible CA domain just to provide a workaround to what is clearly a fault with the application.

     

    If I look at our proxy logs, or use Wireshark, I can clearly see Safari not providing any credentials.

  • by Linc Davis,

    Linc Davis Linc Davis Jun 15, 2012 8:30 AM in response to TravCorpTech
    Level 10 (208,000 points)
    Applications
    Jun 15, 2012 8:30 AM in response to TravCorpTech

    I don't know of a fix for the problem in Safari. I doubt that there is one. You'll have to fix it in your proxy, or your clients will have to stop using Safari.

  • by pckizer,

    pckizer pckizer Jun 19, 2012 10:51 AM in response to TravCorpTech
    Level 1 (0 points)
    Jun 19, 2012 10:51 AM in response to TravCorpTech

    If it's possible for you to use a direct connection for the OCSP checks (rather than needing them to go through the proxy as well), you could add the following to your Proxy Bypass list in System Preferences -> Networking -> Proxies:

     

    evsecure-ocsp.geotrust.com,

    evssl-ocsp.geotrust.com,

    ocsp.apple.com,

    ocsp.apple.com,

    ocsp.cacert.org,

    ocsp.comodoca.com,

    ocsp.digicert.com,

    ocsp.entrust.net,

    ocsp.godaddy.com,

    ocsp.startssl.com,

    ocsp.thawte.com, 

    evsecure-ocsp.thawte.com,

    ocsp.usertrust.com,

    ocsp.verisign.com,

    evintl-ocsp.verisign.com,

    evsecure-ocsp.verisign.com

     

    Those are just the ones I've found so far.  There are definitely others, I just haven't hit sites that use certs from the other providers just yet.

     

    Good luck.

  • by BasementJack,

    BasementJack BasementJack Jun 20, 2012 6:57 AM in response to TravCorpTech
    Level 1 (32 points)
    Jun 20, 2012 6:57 AM in response to TravCorpTech

    I have the same problem and it's frustrating as can be.

     

    What happens to me is that When I bring my laptop to work, and put it on the work network and launch Safari, Safari informs me that each of my plugins is invalid and then uninstalls them - I'm effectively not able to use any plug ins at work, and I have to go hunt them down when I get back home (for reference, The extensions are still physically in \users\me\Library\Safari\Extensions - so when I get home I can just double click on all of them)

     

    I opened a case with apple and I encourage you to do the same. Perhaps if enough users complain they will find a gentler way to work with it.

     

    They had me do a capture and after analyzing it said it was an issue with the work network and not being able to valdate the extensions.

     

    It sounds like the same issue you have - as my work network uses a proxy as well.

     

    The rep suggested that I use a different browser at work, but I'm so used to clicking safari, that I do it out of habit.

     

    I really like Safari, and hope they get it fixed - Safari may not get respect in the windows world, but it's really a great browser - especially on a laptop where screen real estate is limited (where I often hit command-shift-\ to hide the address bar to see more of the page)

     

    -Jack

  • by lukeS_was_already_taken,

    lukeS_was_already_taken lukeS_was_already_taken May 17, 2013 3:15 AM in response to BasementJack
    Level 1 (0 points)
    May 17, 2013 3:15 AM in response to BasementJack

    I just switched to Chrome, this solves my issue perfectly.