0

Safari tells me that it couldn't open the page because it couldn't establish a secure connection to the server. However, other browsers (Opera, Firefox) can open the page. Also, there's nothing in the Apache error log.

The certificate is self-signed and uses standard values (as seen here: http://www.knaupes.net/tutorial-ssl-zertifikat-selbst-erstellen-und-signieren/ ).

SSL config:

SSLEngine on
#SSLInsecureRenegotiation on 
SSLCertificateFile /home/gemeinde/certs/selfsigned/gemeinde.crt
SSLCertificateKeyFile /home/gemeinde/certs/selfsigned/gemeinde.key
#SSLCACertificateFile /home/gemeinde/certs/Platinum_G2.pem
#SSLOptions +StdEnvVars

<Location "/">
     SSLOptions +StdEnvVars +OptRenegotiate
     SSLVerifyClient optional
     SSLVerifyDepth 10
</Location>
Bryan
pharno

1 Answer

2

Had a similar issue and the only working solution seemed to be to enable insecure SSL renegotiation (the second line commented out in your config sample). Seems that Safari fails to do safe renegotiation with client certificates, or something.

You can confirm that by setting Apache LogLevel to debug and checking if you see something like this:

[Fri May 27 12:47:24 2011] [debug] ssl_engine_kernel.c(510): [client 192.168.1.225] Changed client verification type will force renegotiation, referer: 
[Fri May 27 12:47:24 2011] [info] [client 192.168.1.225] Requesting connection re-negotiation, referer: 
[Fri May 27 12:47:24 2011] [debug] ssl_engine_io.c(1920): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f099f75e870 [mem: 7f099f823de0]
[Fri May 27 12:47:24 2011] [debug] ssl_engine_kernel.c(764): [client 192.168.1.225] Performing full renegotiation: complete handshake protocol (client does not support secure renegotiation), referer: 
[Fri May 27 12:47:24 2011] [debug] ssl_engine_kernel.c(1916): OpenSSL: Handshake: start
[Fri May 27 12:47:24 2011] [debug] ssl_engine_kernel.c(1924): OpenSSL: Loop: SSL renegotiate ciphers
[Fri May 27 12:47:24 2011] [debug] ssl_engine_kernel.c(1924): OpenSSL: Loop: SSLv3 write hello request A
[Fri May 27 12:47:24 2011] [debug] ssl_engine_kernel.c(1924): OpenSSL: Loop: SSLv3 flush data
[Fri May 27 12:47:24 2011] [debug] ssl_engine_kernel.c(1924): OpenSSL: Loop: SSLv3 write hello request C
[Fri May 27 12:47:24 2011] [info] [client 192.168.1.225] Awaiting re-negotiation handshake, referer: 
Wesley
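
One way to run the check described in this answer over a whole debug-level error log, as an added example that is not part of the original answer: it counts, per client, the renegotiations forced by the per-location client verification setting and flags the clients that completed them without secure renegotiation. The sample log is constructed in the line format quoted above; the function names and the "client does support" log variant are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Apache debug lines quoted in the answer.
# The "client does support" line is an assumed variant of the quoted message.
SAMPLE_LOG = """\
[Fri May 27 12:47:24 2011] [debug] ssl_engine_kernel.c(510): [client 192.168.1.225] Changed client verification type will force renegotiation, referer:
[Fri May 27 12:47:24 2011] [info] [client 192.168.1.225] Requesting connection re-negotiation, referer:
[Fri May 27 12:47:24 2011] [debug] ssl_engine_kernel.c(764): [client 192.168.1.225] Performing full renegotiation: complete handshake protocol (client does not support secure renegotiation), referer:
[Fri May 27 12:48:02 2011] [debug] ssl_engine_kernel.c(510): [client 192.168.1.30] Changed client verification type will force renegotiation, referer:
[Fri May 27 12:48:02 2011] [debug] ssl_engine_kernel.c(764): [client 192.168.1.30] Performing full renegotiation: complete handshake protocol (client does support secure renegotiation), referer:
[Fri May 27 12:48:03 2011] [error] [client 192.168.1.77] File does not exist: /var/www/favicon.ico
"""

# [timestamp] [level] optional "source.c(line): " [client addr] message
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\S+\(\d+\): )?"
                  r"\[client (?P<client>[^\]]+)\] (?P<msg>.*)$")
FORCED = "Changed client verification type will force renegotiation"
SUPPORT = re.compile(r"\(client (does not|does) support secure renegotiation\)")


def renegotiation_report(log_text):
    """Per client: renegotiations forced by a changed verification type,
    and how many full renegotiations ran with or without secure renegotiation."""
    report = defaultdict(lambda: {"forced": 0, "insecure": 0, "secure": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a per-client log line
        client, msg = m["client"], m["msg"]
        if FORCED in msg:
            report[client]["forced"] += 1
        s = SUPPORT.search(msg)
        if s:
            key = "secure" if s.group(1) == "does" else "insecure"
            report[client][key] += 1
    return dict(report)


def clients_without_secure_renegotiation(report):
    """Clients that renegotiated at least once without secure renegotiation."""
    return sorted(c for c, n in report.items() if n["insecure"])


if __name__ == "__main__":
    rep = renegotiation_report(SAMPLE_LOG)
    for client in clients_without_secure_renegotiation(rep):
        print(client, rep[client])
```

The flagged clients are the ones that depend on insecure renegotiation being allowed, which helps scope the impact before changing that setting.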