
SSL connection error with Safari (only) for one site

I've found that Safari has suddenly stopped being able to connect to a single website (server) via https (SSL). The site works fine in Firefox and Chrome (where I can view the certificate issued, from GlobalSign), and even via curl from the command line. The same server has some pages accessible via http (no SSL), and that works fine in Safari.


Safari's error console reports:


[Error] Failed to load resource: An SSL error has occurred and a secure connection to the server cannot be made.


And the system log reports:


com.apple.WebKit.Networking[1610]: CFNetwork SSLHandshake failed (-9800)

com.apple.WebKit.Networking[1610]: CFNetwork SSLHandshake failed (-9802)

com.apple.WebKit.Networking[1610]: CFNetwork SSLHandshake failed (-9824)

com.apple.WebKit.Networking[1610]: NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)


I've tried the following (that I can remember):

- check date & time are OK

- reset Safari (including clear all web data)

- delete caches

- remove ~/Library/Preferences/com.apple.security.plist and ~/Library/Preferences/com.apple.security.revocation.plist

- repair keychains in Keychain Access

- look for certificates that are expired or don't use the system defaults (none found)

- reboot

- reinstall OS X (10.9.5) and re-update to the latest Safari (7.1.2)


No dice.


Any other ideas?


Thanks,

-Gene

MacBook Pro, OS X Mavericks (10.9.5)

Posted on Jan 5, 2015 3:16 PM

Question marked as Best reply

Posted on Jan 5, 2015 3:43 PM

Some websites require a special client certificate for access. If you don't have that certificate, you'll have to contact the site operator to find out how to get one.

Sometimes the problem is caused by a web server that is configured to request an optional client certificate. Safari treats the request as mandatory. In that case, other browsers such as Firefox and Chrome may be able to connect to the site, because they ignore the request.

The first time you were prompted for a certificate, you may have clicked through a dialog that requested access to the Apple certificate in your keychain that is used to secure the iMessage service. In that case, you may be able to regain access to the site in Safari by doing as follows.

Back up all data.

Double-click anywhere in the line below on this page to select it:

com.apple.idms.appleid.prd

Copy the selected text to the Clipboard by pressing the key combination command-C.

Launch the Keychain Access application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go > Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad and start typing the name.

Paste into the search field in the Keychain Access window by clicking in it and pressing the key combination command-V. An item may appear in the list of keychain items. The Name will begin with the string you searched for, and the Kind will be "certificate."

Delete the item by selecting it and pressing the delete key. It will be recreated automatically the next time you launch the Messages or FaceTime application.

The next time you visit a site that prompts for an optional client certificate, cancel out of the prompt. You may have to do this several times before the server stops asking.

Credit for this idea to Christian Braukmueller of SAP.
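
To check whether a server really is asking for a client certificate, as the reply above describes, the handshake can be inspected with `openssl s_client -msg`. The following is an added example, not part of the original reply; the function names and the sample output are constructed for illustration, and HOST is a placeholder.

```shell
#!/bin/sh
# Added example: classify `openssl s_client -msg` output.
# Live use (HOST is a placeholder):
#   openssl s_client -connect HOST:443 -servername HOST -msg </dev/null 2>&1 | classify_handshake

# Prints client-cert-requested, no-client-cert-request or handshake-failed.
classify_handshake() {
    awk '
        /CertificateRequest|Acceptable client certificate CA names/ { req = 1 }
        /^Server certificate/ { cert = 1 }
        END {
            if (!cert)    print "handshake-failed"
            else if (req) print "client-cert-requested"
            else          print "no-client-cert-request"
        }'
}

# Prints the CA names the server says it will accept client certificates from.
requested_ca_names() {
    awk '
        /^Acceptable client certificate CA names/ { inlist = 1; next }
        inlist && /^(---|Client Certificate Types|Requested Signature Algorithms)/ { inlist = 0 }
        inlist { print }'
}

# Constructed, abbreviated s_client output: server requests a client certificate.
sample_optional() {
cat <<'EOF'
CONNECTED(00000003)
<<< TLS 1.2 Handshake [length 0026], CertificateRequest
---
Server certificate
subject=/CN=www.example.test
---
Acceptable client certificate CA names
/C=US/O=Example Corp/CN=Example Client CA
Client Certificate Types: RSA sign, DSA sign
---
EOF
}

# Constructed, abbreviated s_client output: no client certificate requested.
sample_plain() {
cat <<'EOF'
CONNECTED(00000003)
---
Server certificate
subject=/CN=www.example.test
---
No client certificate CA names sent
---
EOF
}
```

A CertificateRequest looks the same whether the server treats the certificate as optional or required; only the server's behaviour after the client declines shows which it is.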

24 replies

Jan 13, 2015 1:17 PM in response to Linc Davis

Some follow up items here...


1) I was incorrect in stating that I see the issue regardless of my network location. On one network behind a firewall/proxy, I have the issue. Outside that network (as Linc would be), the problem is not there (e.g. I do not see the problem at home). It is indeed correlated with the network.


2) Other OS X + Safari users on the same network share this problem (it appears universal to Macs, though limited variants tested).


3) I want to emphasize again that the problem is not there for Opera, Chrome, Firefox (Safari specific). Does anyone know what Safari does differently with certificates from other browsers?


A few of us continue to try to understand the issue here, but if anyone out there has more ideas or knows more, please let me know.


Thanks,

-Gene

Mar 6, 2015 12:16 AM in response to Gene Van Buren

I have the exact same problem.

The site I want to reach is ideal.rabobank.nl (using https)

I have more than one mac in more than one location with the problem.

In Firefox all is fine.

The common thing is that all the problem macs are running 10.6.8.

Running OS 10.10 all is fine. Sadly I cannot run 10.10 because the modern Safari is barely AppleScriptable...

Other browsers using webkit have the same problem as Safari.

Oddly I had the same problem last year for a few days, but then it magically went away.

My impression is that on the server side they changed something so that now encryption of a different flavour is demanded from the client and that webkit is not honoring the request.

All help much appreciated, Harald

Apr 18, 2015 5:56 PM in response to Gene Van Buren

My problems were also in Safari and Chrome - Firefox was fine.

I also started having problems with iTunes issuing lots of security warnings - this caused it to be unusable.


The simple solution was to delete the Verisign certificates in my Keychain Access app:


  1. "Keychain Access" app - on the left side, click on the "login" keychain. Right-click on "Verisign Class 3 Public Primary Certification Authority - G5" and click delete. I also deleted other Verisign keys here, but I'm not sure it is necessary. You can also select and delete - you don't have to right-click.
  2. Close your browser, open it. Enjoy. No need to manually reinstall the certificates.



Problem seems related to Apple Mavericks/ML Security Update 2015-004. See:

http://security.stackexchange.com/questions/85830/why-is-symantec-verisign-ca-appearing-as-an-invalid-authority

https://productforums.google.com/forum/#!topic/chrome/SE3sKXg0iFQ

Apr 23, 2015 12:00 PM in response to ariSF

I'm now using Safari 7.1.5 and the problem persists. I have no problems with Firefox, Chrome, curl, nothing else. I've tried deleting certificates, to no avail.


The problem appears to be that Safari is having issues with the GlobalSign certificate, and some networks seem to ignore these issues while others don't.


https://support.globalsign.com/customer/portal/articles/1219303-organizationssl-intermediate-certificates

(GlobalSign Organization Validation CA - SHA256 - G2)


-Gene

Apr 24, 2015 7:43 AM in response to Gene Van Buren

From Safari Help

Change the trust settings of a certificate

You can view or change a certificate’s trust policies in Keychain Access.

  1. In the Category list, select a category.
  2. Select a certificate, then choose File > Get Info.
  3. Click the Trust disclosure triangle to display the trust policies for the certificate.
  4. To override the trust policies, choose new trust settings from the pop-up menus.



Safari Certificate not recognized

May 9, 2015 12:48 PM in response to ron_13

Just to be clear, I followed the directions by Linc Davis to delete com.apple.idms.appleid.prd. After doing that, Messages and FaceTime couldn't log in, just kept getting activation errors; tried 4 times. In addition, App Store and iTunes Store gave errors and stopped working. I was irritated. Followed ariSF's directions to delete "Verisign Class 3 Public Primary Certification Authority - G5" and everything is back.
