You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: Gene Van Buren
Gene Van Buren Author
User level: Level 2
210 points

SSL connection error with Safari (only) for one site

I've found that Safari has suddenly stopped being able to connect

to a single website (server) via https (SSL). The site works fine

in Firefox and Chrome (where I can view the certificate issued,

from GlobalSign), and even via curl from the command line. The

same server has some pages accessible via http (no SSL), and

that works fine in Safari.


Safari's error console reports:


[Error] Failed to load resource: An SSL error has occurred and a secure connection to the server cannot be made.


And the system log reports:


com.apple.WebKit.Networking[1610]: CFNetwork SSLHandshake failed (-9800)

com.apple.WebKit.Networking[1610]: CFNetwork SSLHandshake failed (-9802)

com.apple.WebKit.Networking[1610]: CFNetwork SSLHandshake failed (-9824)

com.apple.WebKit.Networking[1610]: NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)


I've tried the following (that I can remember):

- check date & time are OK

- reset Safari (including clear all web data)

- delete caches

- remove ~/Library/Preferences/com.apple.security.plist

and ~/Library/Preferences/com.apple.security.revocation.plist

- repair keychains in Keychain Access

- look for certificates that are expired or don't use the system defaults (none found)

- reboot

- reinstall OS X (10.9.5) and re-update to the latest Safari (7.1.2)


No dice.


Any other ideas?


Thanks,

-Gene

MacBook Pro, OS X Mavericks (10.9.5)

Posted on Jan 5, 2015 3:16 PM

Reply
Question marked as Top-ranking reply
User profile for user: Linc Davis
Linc Davis
User level: Level 10
209,643 points

Posted on Jan 5, 2015 3:43 PM

Some websites require a special client certficate for access. If you don't have that certficate, you'll have to contact the site operator to find out how to get one.

Sometimes the problem is caused by a web server that is configured to request an optional client certificate. Safari treats the request as mandatory. In that case, other browsers such as Firefox and Chrome may be able to connect to the site, because they ignore the request.

The first time you were prompted for a certificate, you may have clicked through a dialog that requested access to the Apple certificate in your keychain that is used to secure the iMessage service. In that case, you may be able to regain access to the site in Safari by doing as follows.

Back up all data.

Double-click anywhere in the line below on this page to select it:

com.apple.idms.appleid.prd

Copy the selected text to the Clipboard by pressing the key combination command-C.

Launch the Keychain Access application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad and start typing the name.

Paste into the search field in the Keychain Access window by clicking in it and pressing the key combination command-V. An item may appear in the list of keychain items. The Name will begin with string you searched for, and the Kind will be "certificate."

Delete the item by selecting it and pressing the delete key. It will be recreated automatically the next time you launch the Messages or FaceTime application.

The next time you visit a site that prompts for an optional client certificate, cancel out of the prompt. You may have to do this several times before the server stops asking.

Credit for this idea to Christian Braukmueller of SAP.

View in context
24 replies
Question marked as Top-ranking reply
User profile for user: Linc Davis
Linc Davis
User level: Level 10
209,643 points

Jan 5, 2015 3:43 PM in response to Gene Van Buren

Some websites require a special client certficate for access. If you don't have that certficate, you'll have to contact the site operator to find out how to get one.

Sometimes the problem is caused by a web server that is configured to request an optional client certificate. Safari treats the request as mandatory. In that case, other browsers such as Firefox and Chrome may be able to connect to the site, because they ignore the request.

The first time you were prompted for a certificate, you may have clicked through a dialog that requested access to the Apple certificate in your keychain that is used to secure the iMessage service. In that case, you may be able to regain access to the site in Safari by doing as follows.

Back up all data.

Double-click anywhere in the line below on this page to select it:

com.apple.idms.appleid.prd

Copy the selected text to the Clipboard by pressing the key combination command-C.

Launch the Keychain Access application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad and start typing the name.

Paste into the search field in the Keychain Access window by clicking in it and pressing the key combination command-V. An item may appear in the list of keychain items. The Name will begin with string you searched for, and the Kind will be "certificate."

Delete the item by selecting it and pressing the delete key. It will be recreated automatically the next time you launch the Messages or FaceTime application.

The next time you visit a site that prompts for an optional client certificate, cancel out of the prompt. You may have to do this several times before the server stops asking.

Credit for this idea to Christian Braukmueller of SAP.

Reply
User profile for user: Gene Van Buren
Gene Van Buren Author
User level: Level 2
210 points

Jan 6, 2015 8:08 AM in response to Linc Davis

Thank you for your reply, Linc.


I was able to delete a certificate as you described. Upon re-launching Messages, and even successfully sending an iMessage via it, the certificate did not reappear (it seems that certificate is unnecessary to send/receive iMessages). The problem with accessing the site via Safari remains (no effect from deleting the certificate).


Thanks for any further ideas/help,

-Gene

Reply
User profile for user: Linc Davis
Linc Davis
User level: Level 10
209,643 points

Jan 6, 2015 10:17 AM in response to Gene Van Buren

There are two certificates named "GlobalSign Root CA," one in the "System" keychain, and one in the "System Roots" keychain. The first one isn't part of a default installation. Unless you know of a good reason for it to be there, I suggest you back up all data and then delete that certificate. You'll be prompted for your administrator password. Do not change anything in the System Roots keychain.

Reply
User profile for user: Gene Van Buren
Gene Van Buren Author
User level: Level 2
210 points

Jan 6, 2015 12:36 PM in response to Linc Davis

Thanks for another suggestion, Linc. I am actually mobile, moving from home to work (and on different routers at work), for example, and having the issue in all locations.


I am told that the server in question did change certificates a few days ago, so I really think the issue is certificate related. But as no one else is complaining of this issue, it appears specific to the certificate and my computer.


-Gene

Reply
User profile for user: Linc Davis
Linc Davis
User level: Level 10
209,643 points

Jan 6, 2015 2:22 PM in response to Gene Van Buren

Start up in Recovery mode. In the OS X Utilities screen, select Get Help Online. A clean copy of Safari will launch. No plugins, such as Flash, will be available. While in Recovery, you'll have no access to your saved bookmarks or passwords, so make a note of those before you begin, if they're needed for the test.

Test. After testing, restart as usual and post the results.

Reply

SSL connection error with Safari (only) for one site

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up