User profile for user: Gene Van Buren
Gene Van Buren Author
User level: Level 2
210 points

SSL connection error with Safari (only) for one site

I've found that Safari has suddenly stopped being able to connect

to a single website (server) via https (SSL). The site works fine

in Firefox and Chrome (where I can view the certificate issued,

from GlobalSign), and even via curl from the command line. The

same server has some pages accessible via http (no SSL), and

that works fine in Safari.


Safari's error console reports:


[Error] Failed to load resource: An SSL error has occurred and a secure connection to the server cannot be made.


And the system log reports:


com.apple.WebKit.Networking[1610]: CFNetwork SSLHandshake failed (-9800)

com.apple.WebKit.Networking[1610]: CFNetwork SSLHandshake failed (-9802)

com.apple.WebKit.Networking[1610]: CFNetwork SSLHandshake failed (-9824)

com.apple.WebKit.Networking[1610]: NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)


I've tried the following (that I can remember):

- check date & time are OK

- reset Safari (including clear all web data)

- delete caches

- remove ~/Library/Preferences/com.apple.security.plist

and ~/Library/Preferences/com.apple.security.revocation.plist

- repair keychains in Keychain Access

- look for certificates that are expired or don't use the system defaults (none found)

- reboot

- reinstall OS X (10.9.5) and re-update to the latest Safari (7.1.2)


No dice.


Any other ideas?


Thanks,

-Gene

MacBook Pro, OS X Mavericks (10.9.5)

Posted on Jan 5, 2015 3:16 PM

Reply
24 replies
User profile for user: Gene Van Buren
Gene Van Buren Author
User level: Level 2
210 points

Jan 13, 2015 1:17 PM in response to Linc Davis

Some follow up items here...


1) I was incorrect in stating that I see the issue regardless of my network location. On one network behind a firewall/proxy, I have the issue. Outside that network (as Linc would be), the problem is not there (e.g. I do not see the problem at home). It is indeed correlated with the network.


2) Other OS X + Safari users on the same network share this problem (it appears universal to Macs, though limited variants tested).


3) I want to emphasize again that the problem is not there for Opera, Chrome, Firefox (Safari specific). Does anyone know what Safari does differently with certificates from other browsers?


A few of us continue to try to understand the issue here, but if anyone out there has more ideas or knows more, please let me know.


Thanks,

-Gene

Reply
User profile for user: ChipmunkNL
ChipmunkNL
User level: Level 1
0 points

Mar 6, 2015 12:16 AM in response to Gene Van Buren

I have the exact same problem.

The site I want to reach is ideal.rabobank.nl (using https)

I have more than one mac in more than one location with the problem.

In FIrefox all is fine.

The common thing is that all the problem macs are running 10.6.8.

Running OS 10.10 all is fine. Sadly I can not run 10.10 because the modern safari is barely applescriptable...

Other browsers using webkit have the same problem as Safari.

Oddly I had the same problem last year of a few days, but then it magically went away.

My impression is that on the server side they changed something so that now encryption of a different flavour is demanded from the client and that webkit is not honoring the request.

All help much appreciated, Harald

Reply
User profile for user: ariSF
ariSF
User level: Level 1
8 points

Apr 18, 2015 5:56 PM in response to Gene Van Buren

my problems were also in safari and chrome - firefox was fine.

i also started having problems with iTunes issuing lots of security warnings - this caused it to be unusable.


the simple solution was to delete the Verisign certificates in my Keychain Access app


  1. "Keychain Access" app - on the left side, click on "login" keychain. Right Click on "Verisign Class 3 Public Primary Certification Authority - G5" and click delete. I also deleted other Verisign keys here, but not sure it is necessary. You can also select and delete - you dont have to right click.
  2. close your browser, open it. enjoy. no need to manually reinstall the certificates



problem seems related to Apple Mavericks/ML Security Update 2015-004. see:

http://security.stackexchange.com/questions/85830/why-is-symantec-verisign-ca-ap pearing-as-an-invalid-authority

https://productforums.google.com/forum/#!topic/chrome/SE3sKXg0iFQ

Reply
User profile for user: Gene Van Buren
Gene Van Buren Author
User level: Level 2
210 points

Apr 23, 2015 12:00 PM in response to ariSF

I'm now using Safari 7.1.5 and the problem persists. I have no problems with Firefox, Chrome, curl, nothing else. I've tried deleting certificates, to no avail..


The problem appears to be that Safari is having issues with the GlobalSign certificate, and some networks seem to ignore these issues while others don't.


https://support.globalsign.com/customer/portal/articles/1219303-organizationssl- intermediate-certificates

(GlobalSign Organization Validation CA - SHA256 - G2)


-Gene

Reply
User profile for user: Eric Root
Eric Root
User level: Level 10
685,215 points

Apr 24, 2015 7:43 AM in response to Gene Van Buren

From Safari Help

Change the trust settings of a certificate

You can view or change a certificate’strust policies in Keychain Access.

Open Keychain Access for me




  1. In the Category list, select a category.
  2. Select a certificate, then choose File > Get Info.
  3. Click the Trust disclosure triangle to display the trust policies for the certificate.
  4. To override the trust policies, choose new trust settings from the pop-up menus.



Safari Certificate not recognized

Reply
User profile for user: ron_13
ron_13
User level: Level 1
28 points

May 9, 2015 12:48 PM in response to ron_13

Just to be clear I followed the directions by Linc Davis to delete com.apple.idms.appleid.prd , after doing that Messages and FaceTime couldn't login, just kept getting activation errors, tried 4 times. In addition App Store and iTunes Store gave errors and stopped working, I was irritated. Followed ariSF directions to delete "Verisign Class 3 Public Primary Certification Authority - G5" and everything is back.

Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

SSL connection error with Safari (only) for one site

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up