Cannot access HTTPS urls; Safari hangs blank, crashes

Question

Level 1

149 points

Cannot access HTTPS urls; Safari hangs blank, crashes

At noon today (11/30) Safari suddenly began refusing to go to https pages to allow me to login to secure websites. (I am using Firefox to enter this topic.)

I have "Reset Safari", tossed Safari cache files, tossed System cache (kext) files and LaunchServices files, and removed Safari's pref folder and plist file out of my Preferences folder. I have installed all system updates (more than a week ago, so they do not appear to be the trigger for today's problem) and installed security update 2006-007 this afternoon after the problem began. I have also reset my cable modem, verified that Network is properly configured with no proxies checked inadvertently. I have turned IPv6 from Automatic to Off. I have used Onyx to clear all caches and perform maintenance routines. I have repaired permissions. Nothing has worked.

Does anyone have a suggestion on how to correct this problem? Firefox, Mail, and other applications that access the net are working fine, so it appears to be a Safari problem, but I suppose it could be a problem with a System file that Safari uses to perform https operations. Any ideas?

Thanks for the help.

Steve

15 AlBookG4-1.25GHz Mdl-A1046 Mac OS X (10.4.8)

Posted on Nov 30, 2006 4:10 PM

Reply

Answer 1

themask

Level 4

3,133 points

Nov 30, 2006 6:58 PM in response to Steve BC

Steve,
you tried most everything I would have suggested. There is only one thing I read in other posts that you don't mention: X.509 certificates in Keychain.

Take a look at these posts and see if they can help. Long shot, I know...
Hope this helps!

Reply

Answer 2

SPD

Level 3

530 points

Dec 2, 2006 11:16 AM in response to Steve BC

I'm having the same issue. Originally I thought it may be due to the installation of a Cisco vpn client, which I happened to install on Thursday.

Like you, I tried all the tricks too. Still no luck at all. ITS has not been much help at my school.

I think we're going to have to wait this one out until Apple solves the problem.

Since Gecko browsers (Firefox and Camino) work, but WebKit versions do not (Safari, OmniWeb, or Shiira), I'm assuming it has something to do with the recent security update and WebKit browsers.

Reply

Answer 3

SPD

Level 3

530 points

Dec 2, 2006 11:37 AM in response to themask

Thanks for suggesting Pacifist. I used it to check the WebKit framework and got this message:

The following files’ checksums did not match those specified in the package. The files may simply have been updated to a later version, or they may have been tampered with.
Changed Files:
/System/Library/Frameworks/WebKit.framework/Versions/A/WebKit

Since this seems to be, for me, a WebKit issue, is there any way to install another version of the WebKit framework? Or will this only mess up things more?

Thanks.

MacBook 1.83; iMac G5 17; PB G4/400; iMac G4 700 Mac OS X (10.4.8)

Reply

Answer 4

Steve BC Author

Level 1

149 points

Dec 2, 2006 4:05 PM in response to Steve BC

First, I want to thank all of you for posting here. I really appreciate it.

To themask: I would never have thought of it being a problem with the X509 stuff. I know the Mac environment pretty well, but I have never seen any information that truly sets out what certificates and anchors are, how they function, and (most particularly) what to do to verify a certificate that Safari is not finding acceptable. However, the posts you pointed me to were informative enough that I tried various things to get the X509 files to reset or be replaced to the proper ones. Unfortunately, the stuff I did was not successful and things got even flakier. I did verify to my satisfaction that the problem at least began as a problem with one or more root certificates. Among the things I tried were reapplying the 10.4.8 Combo updater and getting replacement X509 files from another computer that was working properly, but it just wasn't any use in fixing the issue.

So I reformatted the disk and reinstalled everything. Nuking the disk may seem like overkill here, but a possible contributor to this problem is the fact that I had to replace my hard drive about a month ago and was not confident that the tech who replaced the drive reinstalled the OS fully and properly. It felt to me that the original X509 problem was cascading into other problems, until I just felt that reformatting was the only way to be sure I got all the bugs.

As far as I can tell so far, everything is back up and running normally.

Again, thanks to each of you for participating in this thread and helping me out. I consider the issue closed.

Steve

15 AlBookG4-1.25GHz Mdl-A1046 Mac OS X (10.4.8)

15 AlBookG4-1.25GHz Mdl-A1046 Mac OS X (10.4.2)

15 AlBookG4-1.25GHz Mdl-A1046 Mac OS X (10.4.8)

Reply

Answer 5

V3G4

Level 1

0 points

Dec 3, 2006 5:17 PM in response to Steve BC

I'm having problems too with HTTPS. I had to use Firefox as well to post here. I tried most of the stuff listed in posts here with not much result. Safari got a little faster but still no luck on HTTPS log-ins. One thing I did do was:

- Log in into my ROOT account and try using Safari to do secure web log-ins.

Everything worked in that account. So it seems whatever happened, happened in my secondary / everyday account. I thought it might have been the recent security update that did it. But if that was the case, it would effect root as well. I thought PithHelmet might have done something as well, but turning everything off, accepting all cookies and no blocking still doesn't solve the issue.

If someone figures something out, please keep posting here. I would much rather be using Safari than Firefox. But right now I can't...

1.67 G4 Pbook , 500 G4 Pbook,Dual 2.7 G5 Tower Mac OS X (10.4.8) Also Dell P4 for Gigasampler

1.67 G4 Pbook , 500 G4 Pbook,Dual 2.7 G5 Tower Mac OS X (10.4.7) Also Dell P4 for Gigasampler

Reply

Answer 6

V3G4

Level 1

0 points

Dec 3, 2006 5:35 PM in response to V3G4

Just an update:

This doesn't happen on every HTTPS site. My website admin. page uses secure log-in with HTTPs and I can get in fine there. Anybody think Java could be part of the problem?

Reply

Answer 7

SPD

Level 3

530 points

Dec 3, 2006 6:44 PM in response to V3G4

Sorry I can't answer your question here; I noticed the same thing with a couple sites. Problem is, it takes forever for those https that are accessible to load. Usually I don't have the patience and assume they don't work.

I don't know enough about java either to venture any guesses. The only constant seems to be WebKit and the recent security update. Ergo...

Reply

Answer 8

Dec 3, 2006 8:19 PM in response to Steve BC

I experienced not being able to access HTTPS - Secure Sites this my Solution:
Go to Applications > Utilities: Open Keychain Access
Keychain Access > Preferences: 'Certificates'
Check - 'Online Certificate Status Protocol' (OCSP): OFF
'Certificate Revocation List' (CRL): OFF
Priority: OCSP (this will be greyed out)

Also check in Keychain Access the keychain 'X509Anchors' for any Certificates with a Red Cross beside them ...... highlight these and delete them (they are invalid).
Then Open Safari and access a Secure HTTPS Site.

Chers,
Ronni

1.67GHz G4 PowerBook 1.5GB DDR2 SDRAM 120GB HD Mac OS X (10.4.8)

Reply

Answer 9

V3G4

Level 1

0 points

Dec 3, 2006 10:16 PM in response to snowflake

Go to Applications > Utilities: Open Keychain Access
Keychain Access > Preferences: 'Certificates'
Check - 'Online Certificate Status Protocol' (OCSP): OFF
'Certificate Revocation List' (CRL): OFF
Priority: OCSP (this will be greyed out)

Also check in Keychain Access the keychain 'X509Anchors' for any Certificates with a Red Cross beside them ...... highlight these and delete them (they are invalid).
Then Open Safari and access a Secure HTTPS Site.

This worked for me. Of course now I don't have certificates. Which I do kinda need for banking stuff and high security sites.

APPLE, YOU NEED TO FIX THIS!!!!

1.67 G4 Pbook , 500 G4 Pbook,Dual 2.7 G5 Tower Mac OS X (10.4.7) Also Dell P4 for Gigasampler

1.67 G4 Pbook , 500 G4 Pbook,Dual 2.7 G5 Tower Mac OS X (10.4.7) Also Dell P4 for Gigasampler

Reply

Answer 10

SPD

Level 3

530 points

Dec 4, 2006 12:00 AM in response to snowflake

I experienced not being able to access HTTPS - Secure
Sites this my Solution:
Go to Applications > Utilities: Open Keychain
Access
Keychain Access > Preferences: 'Certificates'
Check - 'Online Certificate Status Protocol' (OCSP):
OFF
'Certificate Revocation List'
(CRL): OFF
Priority: OCSP (this will be greyed out)

Also check in Keychain Access the keychain
'X509Anchors' for any Certificates with a Red Cross
beside them ...... highlight these and delete them
(they are invalid).
Then Open Safari and access a Secure HTTPS Site.

Chers,
Ronni

Genius! How did you figure this out? I've been working on this problem for days. Thanks so much!

MacBook 1.83; iMac G5 17; PB G4/400; iMac G4 700 Mac OS X (10.4.8)

Reply

Answer 11

Petterf

Level 2

399 points

Dec 4, 2006 8:05 AM in response to snowflake

Wow I'm not alone on this one.

My problems began, I believe, after running the Security Update 2006-007 (10.4.8 Client PPC).
Maill.app hanged or timed out after 1 minute every time I accessed my accounts which is done over SSL and when trying to access HTTPS sites Safari hangs as well. So I understood there is something with the secure connections or certificates but I never tested to turn them off.

Thanks for the help!
Now when I can access radar.apple.com I'll file a bug report on this.

Reply

Answer 12

Steve BC Author

Level 1

149 points

Dec 4, 2006 8:21 AM in response to snowflake

From Ronnie the Snowflake (nice name! 🙂 ):
"I experienced not being able to access HTTPS - Secure Sites this my Solution:
Go to Applications > Utilities: Open Keychain Access
Keychain Access > Preferences: 'Certificates'
Check - 'Online Certificate Status Protocol' (OCSP): OFF
'Certificate Revocation List' (CRL): OFF
Priority: OCSP (this will be greyed out)
Also check in Keychain Access the keychain 'X509Anchors' for any Certificates with a Red Cross beside them ...... highlight these and delete them (they are invalid).
Then Open Safari and access a Secure HTTPS Site."

I thought about doing something like this, but I simply don't know enough about protocols and certificates to understand what I would be doing. It seems to me that, in turning OFF these protocols, you are turning off the system's ability to verify certificates and therefore are eliminating the system's ability to authenticate your certificates, in which case your system is no longer able to recognize when a certificate has expired or for good reason becomes invalid or otherwise should not be trusted. It seems to me that this would degrade your SSL and other security protocols over time. I really have no clue on this but rather am making an assumption.

Perhaps someone can post a URI for an article that clearly explains anchors, certificates, protocols, and so on, in a coherent way, so I would have a better idea how to handle this kind of problem in the future.

Also, I might add that my problems with root certificates, etc., began shortly after I deleted a red-crossed root certificate for the first time in my entire life. I have no idea whether the issue I ended up having was related to that, although it would seem not, on theoretical grounds, yet (magical thinking) once-bitten, you know...

Further note that I did not apply Security Update 2006-007 until after I began having this problem, so the problem does not appear to have anything to do with that update.

Steve

Reply

Answer 13

Petterf

Level 2

399 points

Dec 4, 2006 9:36 AM in response to Steve BC

It might have been a pure coincidence for me that it happened the same day as I applied the patch.

Reply

Answer 14

Dec 4, 2006 11:23 AM in response to Steve BC

Hi all,

I've experienced this problem for a few days. For me it's started with the last sec update.
It appears to be tied to server certs issued by "VeriSign Class 3 Public Primary Certification Authority - G3", at least I have two different banking sites using certs from Verisign that are very slooow. Safari also considers these server certs as invalid, Safari claims that the issuer is, i.e. Verisign, is not approved (similar wording).

I've also tried a number of tricks (cache-cleaning etc) and looked in the X509 anchor list.

And naturally, Firefox does NOT have any problems.

I do believe that this is an Apple problem.

I also would appreciate tips and solutions.

/Anders Holm, Sweden

MacBook Pro Mac OS X (10.4.8)

Reply

Answer 15

Dec 4, 2006 11:59 AM in response to Anders Holm

More info.

Using the "Certificate Assistant" available from the Keychain appl. I attempted to check the certs that the banks with problems present.

And something strange, or curious, turned up: the Assistant tool claims that there is a host name mismatch. This means that Safari (or Mac OS) believes/claims that the domain name that I am retrieving the server cert from does NOT match the domain name in the server cert. But this is not true.

I really do not understand what is happening here, but it sort of reinforces my belief that this is an Apple problem.

/AH

Reply