Debugging Safari 11 unable to connect over SSL to a http2 web server

Posted by Sophie Loewenthal 
Hi,

Chrome and Firefox can connect to my webserver over https running http2.
Safari 11 cannot, and gives no error message other than "cannot connect".

There is a certificate name mismatch, but I thought Safari would still let me know why it did not connect. The SSL cert is otherwise valid.

I enabled debug on the vhost and had this logged below, but this does not tell me much. How could I investigate this further?


2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL certificate status callback
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2-16
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2-15
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2-14
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: spdy/3.1
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: spdy/3
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: http/1.1
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN selected: h2
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_do_handshake: -1
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_get_error: 2
2018/01/23 19:17:35 [debug] 16054#16054: *1 epoll add event: fd:3 op:1 ev:80002001
2018/01/23 19:17:35 [debug] 16054#16054: *1 event timer add: 3: 12000:1516735067367
2018/01/23 19:17:35 [debug] 16054#16054: *1 reusable connection: 0
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL handshake handler: 0
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_do_handshake: -1
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_get_error: 5
2018/01/23 19:17:35 [info] 16054#16054: *1 peer closed connection in SSL handshake while SSL handshaking, client: 178.xx.xx.xxx, server: 0.0.0.0:443
2018/01/23 19:17:35 [debug] 16054#16054: *1 close http connection: 3
2018/01/23 19:17:35 [debug] 16054#16054: *1 event timer del: 3: 1516735067367
2018/01/23 19:17:35 [debug] 16054#16054: *1 reusable connection: 0
2018/01/23 19:17:35 [debug] 16054#16054: *1 free: 0000561F72E17370, unused: 112


The vhost is the same as the one I emailed about earlier:

listen [::]:443 ipv6only=on ssl http2;

server_name xx.com xx.com;
root /var/www/xx.com;
access_log /var/log/nginx/access.log combined_ssl;
error_log /var/log/nginx/error.log debug;

ssl_certificate /etc/letsencrypt/live/xx/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xx/privkey.pem;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 9m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/xx/chain.pem;
resolver 127.0.0.1 8.8.8.8 valid=300s;
resolver_timeout 2s;
#
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
#add_header Strict-Transport-Security "max-age=0;";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "no-referrer";
more_set_headers "Server: MyServerName";


Best, Sophie.


_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
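The debug log above does answer the question, once the SSL_get_error codes are read as OpenSSL names: the server negotiated ALPN (so it had already sent its ServerHello and certificate), went back to waiting for the client (WANT_READ), and then got a plain socket close (SYSCALL, "peer closed connection") instead of a TLS alert. The script below, an added example for this thread and not nginx code, groups the "*<id>" lines by connection, maps the error codes, and says where the handshake died. SAMPLE_LOG is trimmed from the post's log; LINE_RE assumes nginx's standard error_log line format.

```python
"""Triage nginx 'error_log ... debug' output for a TLS handshake that died.

Added example for this thread (not nginx code). It groups the '*<id>' lines by
connection, maps the logged SSL_get_error() codes to their OpenSSL names, and
reports how far the handshake got before the peer went away.
"""
import re
from collections import defaultdict

# OpenSSL SSL_get_error() return values as they appear in nginx debug lines.
SSL_ERRORS = {
    0: "SSL_ERROR_NONE",
    1: "SSL_ERROR_SSL",          # protocol failure; nginx logs the alert text too
    2: "SSL_ERROR_WANT_READ",    # server's flight is sent, waiting for the client
    3: "SSL_ERROR_WANT_WRITE",
    5: "SSL_ERROR_SYSCALL",      # socket-level failure, typically EOF from the peer
    6: "SSL_ERROR_ZERO_RETURN",
}

# nginx error_log line: "<date> <time> [<level>] <pid>#<tid>: *<conn> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: \*(?P<conn>\d+) (?P<msg>.*)$"
)

# Trimmed from the log in the post above.
SAMPLE_LOG = """\
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL certificate status callback
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: http/1.1
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN selected: h2
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_do_handshake: -1
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_get_error: 2
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL handshake handler: 0
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_do_handshake: -1
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_get_error: 5
2018/01/23 19:17:35 [info] 16054#16054: *1 peer closed connection in SSL handshake while SSL handshaking, client: 178.xx.xx.xxx, server: 0.0.0.0:443
2018/01/23 19:17:35 [debug] 16054#16054: *1 close http connection: 3
""".splitlines()


def parse(lines):
    """Group (level, message) pairs by nginx connection id."""
    by_conn = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            by_conn[int(m["conn"])].append((m["level"], m["msg"]))
    return by_conn


def triage(messages):
    """Summarise one connection: ALPN offered/selected, error codes, who hung up."""
    report = {"alpn_offered": [], "alpn_selected": None, "ssl_errors": [],
              "peer_closed": False, "alert": None}
    for _level, msg in messages:
        if msg.startswith("SSL ALPN supported by client: "):
            report["alpn_offered"].append(msg.rsplit(": ", 1)[1])
        elif msg.startswith("SSL ALPN selected: "):
            report["alpn_selected"] = msg.rsplit(": ", 1)[1]
        elif msg.startswith("SSL_get_error: "):
            code = int(msg.rsplit(": ", 1)[1])
            report["ssl_errors"].append(SSL_ERRORS.get(code, "unknown(%d)" % code))
        elif "peer closed connection in SSL handshake" in msg:
            report["peer_closed"] = True
        elif "SSL alert number" in msg:   # OpenSSL error text for a received alert
            report["alert"] = msg
    return report


def diagnose(report):
    """Turn a triage report into one sentence a human can act on."""
    errs = report["ssl_errors"]
    if report["alert"]:
        return "client sent a TLS alert: " + report["alert"]
    if report["peer_closed"] and errs[-1:] == ["SSL_ERROR_SYSCALL"]:
        if report["alpn_selected"]:
            stage = ("after ALPN was negotiated (%s), i.e. after the server's "
                     "ServerHello/Certificate flight" % report["alpn_selected"])
        else:
            stage = "before ALPN negotiation finished"
        return ("client closed the TCP connection %s without sending a TLS alert; "
                "nginx cannot see why, so look client-side (certificate name or "
                "trust, or the client's own protocol requirements)" % stage)
    if errs and errs[-1] == "SSL_ERROR_WANT_READ":
        return "handshake still waiting on the client"
    return "no handshake failure recorded"


if __name__ == "__main__":
    for conn, msgs in parse(SAMPLE_LOG).items():
        print("connection *%d: %s" % (conn, diagnose(triage(msgs))))
```

Run it against the real file with `parse(open("/var/log/nginx/error.log"))`; a client that rejects the certificate without alerting (as Safari did here) always shows up as WANT_READ followed by SYSCALL and "peer closed connection", whereas a client that sends a fatal alert leaves the OpenSSL "SSL alert number N" text in the log.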
Hi all,

Problem found.

This really was caused by an SSL cert name mismatch.


> On 23 Jan 2018, at 20:27, Sophie Loewenthal <[email protected]> wrote:

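Since the root cause was a name mismatch, here is the check Safari was silently applying, as an added example for this thread (not Apple's or nginx's code). hostname_matches() implements the RFC 6125 dNSName rules browsers follow: case-insensitive exact match, or a wildcard that is the whole left-most label and matches exactly one label, never the registered domain itself. probe() uses Python's ssl module against a live server to separate "untrusted chain" from "name mismatch" and to print the names the certificate actually carries, which is what the poster needed to see; it is not run by the tests. The hostnames and SAN lists in the tests are constructed.

```python
"""Hostname-vs-certificate checks for the name mismatch found in the thread.

Added example, not from the thread or from nginx/Apple. hostname_matches()
follows the RFC 6125 rules for dNSName SAN entries; probe() separates a
trust failure from a name mismatch on a live server (needs network).
"""
import socket
import ssl
import sys


def hostname_matches(hostname, san_dns_names):
    """True if any dNSName in the SAN list covers hostname (RFC 6125 rules)."""
    host = hostname.rstrip(".").lower().split(".")
    for name in san_dns_names:
        pattern = name.rstrip(".").lower().split(".")
        if len(pattern) != len(host):
            continue                        # wildcard matches exactly one label
        if pattern[0] == "*":
            if len(pattern) < 3:
                continue                    # "*.com" style wildcards are rejected
            if pattern[1:] == host[1:]:
                return True
        elif "*" in name:
            continue                        # partial wildcards (f*o.example.com) not honoured
        elif pattern == host:
            return True
    return False


def dns_names(peercert):
    """Extract dNSName entries from the dict SSLSocket.getpeercert() returns."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def probe(host, port=443, alpn=("h2", "http/1.1")):
    """Classify a live server as ok / name-mismatch / untrusted-chain / handshake-failed.

    Returns (verdict, detail, san_names). Needs network; not run by the tests.
    """
    strict = ssl.create_default_context()   # verifies the chain and the hostname
    strict.set_alpn_protocols(list(alpn))
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with strict.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", tls.selected_alpn_protocol(), dns_names(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        pass                                # chain or name problem: find out which
    except ssl.SSLError as exc:
        return "handshake-failed", str(exc), []

    # Same trust checks, hostname check off, so the certificate's own names
    # become readable; SNI is still sent via server_hostname.
    lenient = ssl.create_default_context()
    lenient.check_hostname = False
    lenient.set_alpn_protocols(list(alpn))
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with lenient.wrap_socket(sock, server_hostname=host) as tls:
                return "name-mismatch", tls.selected_alpn_protocol(), dns_names(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return "untrusted-chain", str(exc), []


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    verdict, detail, names = probe(target)
    print(verdict, detail, names)
```

A "name-mismatch" verdict with an ALPN of h2 is exactly the thread's situation: the chain is fine, HTTP/2 negotiates, and only the names in the certificate fail to cover the host being requested. The fix is to reissue the certificate with every name in server_name listed as a SAN (for Let's Encrypt, one `-d` per name).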