Unable connect to NGX website from Safari

luislavena · July 29, 2011, 11:12pm

Hello,
We can not access NGX website with Safari, the error window shows:
No certificate available
No certificates meet the applications
Click OK to continue.

However, after I click OK, it does not go to website.

I have on problem to connect website using Firefox, IE, or Chrome.

Any idea how to solve it from NGX site?
Thanks,
Yanxin

yanxin_z · July 30, 2011, 11:06pm

Am 7/29/2011 11:12 PM, schrieb Yanxin Z.:

Hello,
We can not access NGX website with Safari, the error window shows:
No certificate available
No certificates meet the applications
Click OK to continue.

However, after I click OK, it does not go to website.

I have on problem to connect website using Firefox, IE, or Chrome.

It’s probably a problem with your configuration. Hard to tell what the
problem is exactly without having a clue about your actual configuration
details.

The first thing I would do is to use curl to debug the situation. It has
very verbose output, so you can see exactly what’s going on. Since it’s
working with all browsers but Safari, my guess it’s an error situation
that the other browsers can deal with, hence it should be a more common
issue.

yanxin_z · August 2, 2011, 1:48am

Hi my config is here:

    ssl                  on;
    ssl_certificate      ssl/eng.cert.pem;
    ssl_certificate_key  ssl/key.nopasswd.pem;
    ssl_client_certificate ssl/ca.crt;
    ssl_verify_client    optional;
    ssl_verify_depth     2;

    ssl_session_timeout  5m;

    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers

ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;

I also dump the packet with wireshark. It showd “server Hello” did not
finish with client side.

The issue only happens in Safari 5.1

Thank you!
Yanxin

yanxin_z · August 2, 2011, 3:51am

Can you also provide HTTP header and ssl logs?

James

yanxin_z · August 2, 2011, 7:47am

On Tue, Aug 02, 2011 at 06:55:05AM +0200, Yanxin Z. wrote:

Hi James,
Thank you very much.
Do you mean turn on NGX debug log? Could you please tell me how to get
it?
Right now, I turn on error and access log only, however, I do not see
any log in NGX side.

The issue happens in Safari 5.1 (7354.50), which I downloaded from
Apple.
Yanxin

http://nginx.org/en/docs/debugging_log.html

–
Igor S.

yanxin_z · August 2, 2011, 9:20am

Hi Igor,
I turned on debug log, but I do not see any information associated with
the connection.
I have the pcap file which was captured from wireshark. Do you want to
take a look? I can send it to your mailbox then.
Thank you.
Yanxin

yanxin_z · August 2, 2011, 6:55am

Hi James,
Thank you very much.
Do you mean turn on NGX debug log? Could you please tell me how to get
it?
Right now, I turn on error and access log only, however, I do not see
any log in NGX side.

The issue happens in Safari 5.1 (7354.50), which I downloaded from
Apple.
Yanxin

yanxin_z · August 2, 2011, 11:29pm

Thank you so much for you help, Igor.

To sum up, the issue is related with
ssl_verify_client optional;

Safari 5 also send client certificate to NGX server, which does not have
needed information.
For other browser, there is no such behavior.

Right now, I comment out this line, then it’s working now.

Thank you, Igor.
Yanxin

yanxin_z · August 2, 2011, 4:36pm

On Tue, Aug 02, 2011 at 09:20:48AM +0200, Yanxin Z. wrote:

Hi Igor,
I turned on debug log, but I do not see any information associated with
the connection.
I have the pcap file which was captured from wireshark. Do you want to
take a look? I can send it to your mailbox then.
Thank you.
Yanxin

OK, please send this to me, [email protected]

–
Igor S.