I downloaded Safari 3.0.1 beta for Windows and immediately went to my dev site. When I typed in the URL, Safari gave me this message (I substituted example for the domain name):

Safari can’t open the page “https://www5.dev.example.com/index.html” because it couldn’t establish a secure connection to the server “www5.dev.example.com”.

Unfortunately, the site is an internal domain on the company's network so it cannot be accessed from outside. I can get to it fine in Firefox and in IE. I'm thinking that it is a problem with the SSL cert. It is a VeriSign cert that is made for the wildcard domain of *.example.com. I've searched the web and found a few items about this issue:
http://blog.fupps.com/2007/06/11/safari-on-windows-where-are-the-certificates/
http://itinfo.mit.edu/answer.php?id=7336
The second mentions that I should clear out the keychain. I tried resetting the browser but that didn't help. I did a search in Bugzilla for "secure connection" but was unable to find anything.
SSL negotiation is all handled at a lower level than WebKit. While I am not able to reproduce this problem at present, it seems quite likely that the problem would be in this lower level rather than in WebKit itself.
I can confirm this bug in the latest Safari 3.0.3 for Windows as well as WebKit Nightly r25282 on a site: https://www.complex.com.pl. The server uses a certificate for poczta.complex.com.pl. If I load the page https://poczta.complex.com.pl Safari has no problem with it, but if I load the page https://www.complex.com.pl Safari refuses to load it, reporting: "Safari can’t open the page “https://www.complex.com.pl/” because it couldn’t establish a secure connection to the server “www.complex.com.pl”." Other tested browsers (Opera 9, Firefox 2 and Internet Explorer 7) have no problem with it.
Robert, the site you mention does not use a wildcard SSL certificate so it would appear to be unrelated to this specific bug report.
IMHO the problem isn't caused by the wildcard itself, but generally by mismatched domain names.
<rdar://problem/5451664>
Trevan and Robert, could you retest with Safari 3.0.4? Thanks!
(In reply to comment #6)
> Trevan and Robert, could you retest with Safari 3.0.4? Thanks!

https://www.complex.com.pl/ - the same issue as described above. No progress :(
(In reply to comment #7)
> (In reply to comment #6)
> > Trevan and Robert, could you retest with Safari 3.0.4? Thanks!
>
> https://www.complex.com.pl/ - the same issue as described above. No progress :(

I think this is a separate issue, so I filed <rdar://problem/5639392> for it. This issue is not in WebKit itself, so I did not open a new Bugzilla bug for it.

Does the issue with wildcard SSL certificates still exist?
This is still an issue.. at least this is an issue for Safari 3.2.1 on an OSX machine
(In reply to comment #9)
> This is still an issue.. at least this is an issue for Safari 3.2.1 on an OSX machine

Which web site are you testing with?
(In reply to comment #10)
> (In reply to comment #9)
> > This is still an issue.. at least this is an issue for Safari 3.2.1 on an OSX machine
>
> Which web site are you testing with?

nymag.com
http://nymag.com/daily/intel/2009/01/commercial_jet_crashes_in_the.html
Can we change the status of this from UNCONFIRMED to confirmed?? Also not just with XP but OSX as well??
(In reply to comment #12)
> Can we change the status of this from UNCONFIRMED to confirmed?? Also not just with XP but OSX as well??

Confirmed. How do you find a link on nymag.com that automatically redirects to the login page? The previous link you posted doesn't work anymore.
(In reply to comment #13)
> (In reply to comment #12)
> > Can we change the status of this from UNCONFIRMED to confirmed?? Also not just with XP but OSX as well??
>
> Confirmed. How do you find a link on nymag.com that automatically redirects to the login page? The previous link you posted doesn't work anymore.

The SSL requests were taken down temporarily until this is figured out. What I'm going to try and do is get with our admins to find a page we can throw up the cert on or something, as it was for testing/diagnosis..
(In reply to comment #13)
> (In reply to comment #12)
> > Can we change the status of this from UNCONFIRMED to confirmed?? Also not just with XP but OSX as well??
>
> Confirmed. How do you find a link on nymag.com that automatically redirects to the login page? The previous link you posted doesn't work anymore.

Can you edit your hosts file and point secure.nymag.com to 64.193.120.81 ??
(In reply to comment #15)
> (In reply to comment #13)
> > (In reply to comment #12)
> > > Can we change the status of this from UNCONFIRMED to confirmed?? Also not just with XP but OSX as well??
> >
> > Confirmed. How do you find a link on nymag.com that automatically redirects to the login page? The previous link you posted doesn't work anymore.
>
> Can you edit your hosts file and point secure.nymag.com to 64.193.120.81 ??

Err, just to confirm: after you do that you should be able to go to that link and test. It should say that the cert hasn't been signed etc etc even though it has been etc. Let me know if you need anything from me. I'm using a WebKit nightly to test.
(In reply to comment #16)
> (In reply to comment #15)
> > (In reply to comment #13)
> > > (In reply to comment #12)
> > > > Can we change the status of this from UNCONFIRMED to confirmed?? Also not just with XP but OSX as well??
> > >
> > > Confirmed. How do you find a link on nymag.com that automatically redirects to the login page? The previous link you posted doesn't work anymore.
> >
> > Can you edit your hosts file and point secure.nymag.com to 64.193.120.81 ??
>
> Err, just to confirm that after you do that you should be able to go to that link and test. It should say that the cert hasn't been signed etc etc even though it has been etc. Let me know if you need anything from me. I'm using a webkit nightly to test.

Christopher, I can't get my /etc/hosts file to make secure.nymag.com resolve to 64.193.120.81. Can you add the redirect behavior back for any request coming from the 17.*.*.* network?

Also, what specific versions of Mac OS X (and Safari) that you've tested are having this issue?
> Christopher, I can't get my /etc/hosts file to make secure.nymag.com resolve to 64.193.120.81. Can you add the redirect behavior back for any request coming from the 17.*.*.* network?
>
> Also, what specific versions of Mac OS X (and Safari) that you've tested are having this issue?

Can't do that; this is all production stuff that is used to manage nymag.com and its network. That's weird though, I posted an example hosts file that is working for me off site. If we can't get that working I may be able to copy the wildcard cert somewhere and see if that helps. Let me know.

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
64.193.120.81   secure.nymag.com
David and I had a bit of back and forth; just to update the bug here, we are currently waiting on some info but I'd like to keep the bug open to be sure. In the meantime, if anyone can duplicate the error with another wildcard cert from VeriSign, email me..
(In reply to comment #19)
> the meantime if anyone can duplicate the error with another wildcard cert from verisign email me..

Not a VeriSign example (Comodo instead), but: https://0-scifinder.cas.org.sculib.scu.edu

Works fine in Firefox 3.0.6 (Mac/Win). Doesn't work on Safari 3.2.1 (Mac) or IE7 (WinXP).

The server is an HTML-rewriting proxy server similar to EZProxy [ http://www.oclc.org/ezproxy/ ] that is used to allow authenticated off-campus access to remote resources to appear as coming from on-campus.
(In reply to comment #20)
> (In reply to comment #19)
> > the meantime if anyone can duplicate the error with another wildcard cert from verisign email me..
>
> Not a verisign example (Comodo instead), but: https://0-scifinder.cas.org.sculib.scu.edu
>
> Works fine in Firefox 3.0.6 (Mac/Win). Doesn't work on Safari 3.2.1 (Mac) or IE7 (WinXP).
>
> Server is an HTML rewriting proxy server similar to EZProxy [ http://www.oclc.org/ezproxy/ ] that is used to allow for authenticated off-campus access to remote resources to appear as coming from on-campus.

Have you got a dummy login?? I connect on 443 fine; is it after the login, that is, after accepting the certificate etc., that this occurs?
(In reply to comment #20)
> Not a verisign example (Comodo instead), but: https://0-scifinder.cas.org.sculib.scu.edu

When I load the above URL in Safari 4 Public Beta in Tiger 10.4.11, I do not get a certificate warning.

When I load the above URL in Safari 4 Public Beta in Leopard 10.5.6, I do get a certificate warning.
(In reply to comment #22)
> (In reply to comment #20)
> > Not a verisign example (Comodo instead), but: https://0-scifinder.cas.org.sculib.scu.edu
>
> When I load the above URL in Safari 4 Public Beta in Tiger 10.4.11, I do not get a certificate warning.
>
> When I load the above URL in Safari 4 Public Beta in Leopard 10.5.6, I do get a certificate warning.

I can confirm on my new MacBook this isn't an issue. Leopard 10.5.6: I accept the certificate and things are fine.. I don't have a Windows box around or I'd try that..
(In reply to comment #23)
> (In reply to comment #22)
> > (In reply to comment #20)
> > > Not a verisign example (Comodo instead), but: https://0-scifinder.cas.org.sculib.scu.edu
> >
> > When I load the above URL in Safari 4 Public Beta in Tiger 10.4.11, I do not get a certificate warning.
> >
> > When I load the above URL in Safari 4 Public Beta in Leopard 10.5.6, I do get a certificate warning.
>
> I can confirm on my new macbook this isn't an issue Leopard 10.5.6 I accept certificate and things are fine.. I don't have a windows box around or i'd try that..

But the bug is that you shouldn't have to accept the certificate at all!! :)
(In reply to comment #24)
> (In reply to comment #23)
> > (In reply to comment #22)
> > > (In reply to comment #20)
> > > > Not a verisign example (Comodo instead), but: https://0-scifinder.cas.org.sculib.scu.edu
> > >
> > > When I load the above URL in Safari 4 Public Beta in Tiger 10.4.11, I do not get a certificate warning.
> > >
> > > When I load the above URL in Safari 4 Public Beta in Leopard 10.5.6, I do get a certificate warning.
> >
> > I can confirm on my new macbook this isn't an issue Leopard 10.5.6 I accept certificate and things are fine.. I don't have a windows box around or i'd try that..
>
> But the bug is that you shouldn't have to accept the certificate at all!! :)

I thought I replied to this, hrmm, my brain must really be turning into mush.. The bug for me is that I have to repeatedly accept the certificate and not just accept it once; you should be able to get a secure connection with the certificate once it's been downloaded. That works for the above; otherwise it's screwed.
(In reply to comment #24)
> (In reply to comment #23)
> > (In reply to comment #22)
> > > (In reply to comment #20)
> > > > Not a verisign example (Comodo instead), but: https://0-scifinder.cas.org.sculib.scu.edu
> > >
> > > When I load the above URL in Safari 4 Public Beta in Tiger 10.4.11, I do not get a certificate warning.
> > >
> > > When I load the above URL in Safari 4 Public Beta in Leopard 10.5.6, I do get a certificate warning.
> >
> > I can confirm on my new macbook this isn't an issue Leopard 10.5.6 I accept certificate and things are fine.. I don't have a windows box around or i'd try that..
>
> But the bug is that you shouldn't have to accept the certificate at all!! :)

In this case, Tiger is wrong. You should get a certificate warning because a wildcard certificate for *.sculib.scu.edu doesn't "match" 0-scifinder.cas.org.sculib.scu.edu. To put it another way, the "*" in the wildcard certificate only matches one subdomain name; it can't cross "." boundaries. So in this test case, the behavior in Leopard is correct.

(In reply to comment #25)
> I thought I replied to this, hrmm my brain must really be turning into mush.. The bug for me is that I have to repeatedly accept the certificate and not just accept it once; you should be able to get a secure connection with the certificate once it's been downloaded. That works for the above; otherwise it's screwed.

I still can't reproduce this locally by changing /etc/hosts. We REALLY need a "hidden" test URL that does the redirection to make this reproduce easily.
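The single-label rule stated in comment 26 (the "*" in a wildcard certificate matches exactly one label and cannot cross a "." boundary) is the RFC 6125 section 6.4.3 rule that browsers apply. The following is an added worked example, not code from this thread, from WebKit or from Safari: a hostname matcher implementing that rule, run over the hostnames mentioned in the thread. The certificate dictionaries are constructed sample data in the shape Python's ssl.SSLSocket.getpeercert() returns; the names in them come from the thread, but the exact SAN contents are assumptions (the thread never shows the certificates). By this rule the reporter's www5.dev.example.com is two labels below *.example.com, and www.complex.com.pl is not poczta.complex.com.pl, so the matcher reports both as mismatches alongside the sculib.scu.edu case.

```python
"""Hostname matching against certificate names with RFC 6125 wildcard rules.

Added example; not code from the bug thread or from WebKit/Safari.
The certificates below are constructed sample data shaped like the
dict that Python's ssl.SSLSocket.getpeercert() returns.
"""
import ipaddress


def _labels(name):
    """Lower-case DNS labels of *name*, or None if it is not a valid DNS name."""
    labels = name.rstrip(".").lower().split(".")
    if any(label == "" for label in labels):
        return None
    return labels


def hostname_matches(pattern, hostname):
    """True if *pattern* (a cert dNSName, possibly a wildcard) covers *hostname*.

    Rules (RFC 6125 section 6.4.3, the strict reading browsers use):
      * comparison is case-insensitive and label by label;
      * '*' is only accepted as the entire leftmost label;
      * the wildcard label matches exactly one label, never zero and never
        several, so it cannot cross a '.' boundary;
      * '*' and '*.tld' patterns are rejected outright.
    """
    p, h = _labels(pattern), _labels(hostname)
    if p is None or h is None:
        return False
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False            # partial wildcards such as f*.example.com
    if len(p) < 3:
        return False            # '*' or '*.com' would cover too much
    return len(h) == len(p) and h[1:] == p[1:]


def cert_matches(cert, hostname):
    """Match *hostname* against the certificate's SAN entries, falling back to
    the subject CN only when the certificate carries no dNSName SAN at all."""
    sans = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in sans if kind == "DNS"]
    ip_names = [value for kind, value in sans if kind == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:           # IP literals only match iPAddress SANs
        return any(ipaddress.ip_address(v) == wanted_ip for v in ip_names)
    if dns_names:
        return any(hostname_matches(name, hostname) for name in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return hostname_matches(value, hostname)
    return False


# Constructed sample certificates: names come from the thread, the SAN
# contents are assumptions.
EXAMPLE_WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
SCULIB_WILDCARD_CERT = {
    "subject": ((("commonName", "*.sculib.scu.edu"),),),
    "subjectAltName": (("DNS", "*.sculib.scu.edu"),),
}
COMPLEX_CERT = {                       # CN only, no SAN (older style)
    "subject": ((("commonName", "poczta.complex.com.pl"),),),
}


def thread_cases():
    """Hostnames from the thread checked against the certificate they were served."""
    return {
        "www5.dev.example.com": cert_matches(EXAMPLE_WILDCARD_CERT, "www5.dev.example.com"),
        "www5.example.com": cert_matches(EXAMPLE_WILDCARD_CERT, "www5.example.com"),
        "example.com": cert_matches(EXAMPLE_WILDCARD_CERT, "example.com"),
        "www.complex.com.pl": cert_matches(COMPLEX_CERT, "www.complex.com.pl"),
        "poczta.complex.com.pl": cert_matches(COMPLEX_CERT, "poczta.complex.com.pl"),
        "0-scifinder.cas.org.sculib.scu.edu": cert_matches(
            SCULIB_WILDCARD_CERT, "0-scifinder.cas.org.sculib.scu.edu"),
        "0-scifinder.sculib.scu.edu": cert_matches(
            SCULIB_WILDCARD_CERT, "0-scifinder.sculib.scu.edu"),
    }


if __name__ == "__main__":
    for host, ok in thread_cases().items():
        print(f"{host:40} {'match' if ok else 'MISMATCH'}")
```

Running it prints a mismatch for www5.dev.example.com, www.complex.com.pl and 0-scifinder.cas.org.sculib.scu.edu, and a match for the single-label and exact-name cases, which is the outcome Leopard's warning in comment 22 reflects. A browser that silently accepts any of the three mismatches would let a certificate issued for one host be presented for a host the CA never vetted, which is why the strict one-label rule matters.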