
Issue:

Unable to access authentication site on our server because "Safari couldn't establish a secure connection", so I'm troubleshooting and trying to pinpoint where the problem lies.

More details:

On Mac devices, Safari can't establish a connection to our server through an HTTPS connection. However, accessing through HTTP is possible. On the other hand, Chrome has no issue at all.

On iOS devices, Safari, Chrome, and Firefox cannot establish a connection to our server.

I checked with our cert issuer, Go Daddy, and used their online tool to check if everything was implemented correctly, and it comes back positive.

Looking into the logs, I get:

```
com.apple.WebKit.Networking: CFNetwork SSLHandshake failed(-9846)
com.apple.WebKit.Networking: CFNetwork SSLHandshake failed(-9802)
com.apple.WebKit.Networking: CFNetwork SSLHandshake failed(-9824)
com.apple.WebKit.Networking: NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9824)
```

Question:

Where is SSL Validation handled? OS or the browser or both?

My thought is it could be related to our recently issued SSL certificate.

Bookpen
  • "everything checks out and nothing "seems" to be wrong with the certificate `except when I'm trying to access the authentication site/log in.`" - Well, that's not nothing then, is it? Maybe tell us about that. – joeqwerty Nov 16 '18 at 17:14
  • I did. If you read the ISSUE and MORE DETAILS that's where I have it. I guess I should have put I checked with our cert issuer but I thought "everything checks out" was enough @joeqwerty I apologize – Bookpen Nov 16 '18 at 17:20
  • What kind of certificate is it? Self-signed, private CA, or public CA? – guzzijason Nov 16 '18 at 17:27
  • Your statement that "everything seems fine EXCEPT when..." was confusing and contradictory. I was asking for you to clarify. It either works or it doesn't work. – joeqwerty Nov 16 '18 at 17:28
  • @guzzijason It's a public CA = Go Daddy – Bookpen Nov 16 '18 at 17:30
  • Have you tried an SSL checker, like https://www.ssllabs.com/ssltest? – joeqwerty Nov 16 '18 at 17:31
  • @joeqwerty I used Go Daddy's SSL checker and checked with your link but everything comes back positive with an overall rating of **A**. Also, it comes back as trusted by Mozilla, Apple, Android, Java, Windows. It does list some Cipher weak points so I'll look into that – Bookpen Nov 16 '18 at 17:34
  • I was starting to think ciphers. Insecure ciphers might cause Safari to complain. – guzzijason Nov 16 '18 at 17:45

1 Answer

Use SSL Labs to check your SSL: https://www.ssllabs.com/ssltest/

At the end of the report it will tell you which browsers it works on and which it does not.

According to this question the problem may be in the Cipher used. The SSL Labs report shows which Ciphers you use, showing which ones are out of date.

A good tool for generating an SSL configuration that works in legacy browsers is the Mozilla SSL Configuration Generator.

Tom
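An added example (not part of the answer above, and not SSL Labs' own logic): one way to triage the cipher suite list from such a report offline, flagging suites built on deprecated primitives or lacking forward secrecy. The suite list is constructed, and the weakness criteria are this example's assumptions, not Safari's actual acceptance policy.

```python
# Added example: triage a server's cipher suite list (IANA names, as an
# SSL Labs report prints them). The criteria are this example's assumptions.
WEAK_TOKENS = {
    "NULL": "no encryption",
    "anon": "unauthenticated key exchange",
    "EXPORT": "export-grade key length",
    "RC4": "RC4 stream cipher (prohibited by RFC 7465)",
    "DES": "single DES, 56-bit key",
    "3DES": "64-bit block cipher (Sweet32)",
    "MD5": "MD5-based MAC",
}
FS_KEY_EXCHANGES = ("ECDHE", "DHE")  # ephemeral key exchange families


def audit_suite(name):
    """Return a list of findings for one IANA cipher suite name."""
    tokens = name.split("_")
    if tokens[0] != "TLS" or len(tokens) < 3:
        raise ValueError("not an IANA TLS cipher suite name: %r" % name)
    findings = [why for tok, why in WEAK_TOKENS.items() if tok in tokens]
    # TLS 1.3 suites carry no "WITH"; their key exchange is always ephemeral.
    if "WITH" in tokens:
        kx = tokens[1:tokens.index("WITH")]
        if not kx or kx[0] not in FS_KEY_EXCHANGES:
            findings.append("no forward secrecy (key exchange %s)" % "_".join(kx))
    return findings


def audit_report(suites):
    """Map each flagged suite to its findings; clean suites are omitted."""
    flagged = {}
    for name in suites:
        findings = audit_suite(name)
        if findings:
            flagged[name] = findings
    return flagged


# Constructed sample list, not taken from the asker's server.
SAMPLE_SUITES = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]

if __name__ == "__main__":
    for suite, findings in audit_report(SAMPLE_SUITES).items():
        print(suite + ": " + "; ".join(findings))
```

The suite name alone cannot show a weak DHE group or a disabled protocol version, so a clean result here does not rule out a handshake failure.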