I run https://symmetricstrength.com, and I'm having issues with Safari on both OS X and iOS. If I try to connect to the site with Safari, I get a "can't establish secure connection to the server" message.
If I check the system log on OS X, all I get is the message "CFNetwork SSLHandshake failed (-9800)".
Everything looks fine here:
https://www.sslshopper.com/ssl-checker.html#hostname=symmetricstrength.com
...And it gets an "A" rating on the SSL Labs test.
If I run:
openssl s_client -connect symmetricstrength.com:443
Everything looks fine:
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
verify return:1
depth=0 OU = GT01222950, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = symmetricstrength.com
verify return:1
---
Certificate chain
0 s:/OU=GT01222950/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=symmetricstrength.com
i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIErTCCA5WgAwIBAgIDBb3zMA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMSAwHgYDVQQDExdSYXBpZFNTTCBTSEEy
NTYgQ0EgLSBHMzAeFw0xNTA3MTYxOTI5MzZaFw0xNjA3MTcyMjU2NTlaMIGZMRMw
EQYDVQQLEwpHVDAxMjIyOTUwMTEwLwYDVQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNv
bS9yZXNvdXJjZXMvY3BzIChjKTE1MS8wLQYDVQQLEyZEb21haW4gQ29udHJvbCBW
YWxpZGF0ZWQgLSBSYXBpZFNTTChSKTEeMBwGA1UEAxMVc3ltbWV0cmljc3RyZW5n
dGguY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw+pX5uEoWR3/
xE9ZXyQMt3UtSzC4wfg7sVMBToJZYxgMtmN4rI1DvxrpsbWhCbF7sreV9DjJ8UHq
VjCbMci+Gtce7PdOjmJNxOhPC2egi7B0uV9LKkr4Lv243ecK7Z2l2bYjn9Ex9s6+
a/dX8UjU1xp2ZQJL2se+bcGbZ9G0sp3cx9XHtPZGr7i6KCjBf1YjaQNBaW/X6Kxp
/+4A01JkL/1KMCMmlRaQMgrNPMz4eNdGq/iVw/1tXZqpwUGTVqUwU5Kibc6+Vxgc
r7EFLrQoHdC37Y4ytYk1iVJ7OIaT+D+xFwNIKYnhQCBgHnbT+VCF6r0sl2xCetas
H2U8wdQ7XwIDAQABo4IBTTCCAUkwHwYDVR0jBBgwFoAUw5zz/NNGCDS7zkZ/oHxb
8+IIy1kwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzABhhNodHRwOi8vZ3Yuc3lt
Y2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vZ3Yuc3ltY2IuY29tL2d2LmNydDAO
BgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMCAG
A1UdEQQZMBeCFXN5bW1ldHJpY3N0cmVuZ3RoLmNvbTArBgNVHR8EJDAiMCCgHqAc
hhpodHRwOi8vZ3Yuc3ltY2IuY29tL2d2LmNybDAMBgNVHRMBAf8EAjAAMEEGA1Ud
IAQ6MDgwNgYGZ4EMAQIBMCwwKgYIKwYBBQUHAgEWHmh0dHBzOi8vd3d3LnJhcGlk
c3NsLmNvbS9sZWdhbDANBgkqhkiG9w0BAQsFAAOCAQEAQgzv7L5TMTC9yFHx9cdk
/Oo3aD6iEF+oTsdWHU4HjYheP5oZLYr3ThVzJf3ecz8GICeyE7ERe0aRjF4lGjSw
ZQk3FI99bBiBm/+fMt5Qq2inWiYb1tqVdsvfhhe9SChsbglZQ7xMLpp86DxIwVrU
yBTyeMH1A/eXlUSCqEaK2C2YWHpkI2X2CgCK4RvC+DWh2dH6zrz5seWmuS5wy0xO
OC12OlnDjDnbY1eV+GdGC3jHJpsAjTW4RW9bCqxX48DQ+tZd7QSA9JU6FW3xwfdK
TdCLULuG8DSiuqDrUIH41Va7doJvaPiwcnZ10X+eoUYGSeNYQS16t0+7wEJbhg1+
9A==
-----END CERTIFICATE-----
subject=/OU=GT01222950/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=symmetricstrength.com
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2763 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: D5E0FC9750A76E610A86E36BD9FD44B0AE45C7DAC7450DCAA877A4FDBD55415C
Session-ID-ctx:
Master-Key: 2B428D6C3DC193B80E9E3D52E1E6000107814792ECEE672E3A88A8EE52E7827B006413B34D9B09639B98EBBB24885DB8
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1441806161
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
Safari fails to connect not only on my computer & iPad, but for several other users (including if I test on sites like Browsershots). Chrome, IE, Firefox, Opera, and a few other browsers I tested all work fine.
The site is running on the Warp web server and was deployed using the latest version of Keter (1.4.3.1). I think the problem may have started when I upgraded to the latest version of Warp/Keter which may have changed some of the SSL settings. Prior to the update, my site failed the SSL labs test since it supported insecure renegotiation, but after the update it passes fine.
Any ideas?
