Debugging Safari 11 unable to connect over SSL to a http2 web server
Sophie Loewenthal
sophie at klunky.co.uk
Tue Jan 23 19:27:26 UTC 2018
Hi,
Chrome and Firefox can connect to my webserver over https running http2.
Safari 11 cannot, and gave no error messages other than "cannot connect".
There is a certificate name mismatch, but I thought Safari would still let me know why it did not connect. The SSL cert is otherwise valid.
I enabled debug on the vhost and had this logged below, but this does not tell me much. How could I investigate this further?
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL certificate status callback
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2-16
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2-15
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2-14
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: spdy/3.1
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: spdy/3
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: http/1.1
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN selected: h2
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_do_handshake: -1
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_get_error: 2
2018/01/23 19:17:35 [debug] 16054#16054: *1 epoll add event: fd:3 op:1 ev:80002001
2018/01/23 19:17:35 [debug] 16054#16054: *1 event timer add: 3: 12000:1516735067367
2018/01/23 19:17:35 [debug] 16054#16054: *1 reusable connection: 0
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL handshake handler: 0
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_do_handshake: -1
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_get_error: 5
2018/01/23 19:17:35 [info] 16054#16054: *1 peer closed connection in SSL handshake while SSL handshaking, client: 178.xx.xx.xxx, server: 0.0.0.0:443
2018/01/23 19:17:35 [debug] 16054#16054: *1 close http connection: 3
2018/01/23 19:17:35 [debug] 16054#16054: *1 event timer del: 3: 1516735067367
2018/01/23 19:17:35 [debug] 16054#16054: *1 reusable connection: 0
2018/01/23 19:17:35 [debug] 16054#16054: *1 free: 0000561F72E17370, unused: 112
The vhost is the same as the one I emailed about earlier:
listen [::]:443 ipv6only=on ssl http2 ;
server_name xx.com xx.com;
root /var/www/xx.com;
access_log /var/log/nginx/access.log combined_ssl;
error_log /var/log/nginx/error.log debug ;
ssl_certificate /etc/letsencrypt/live/xx/fullchain.pem ;
ssl_certificate_key /etc/letsencrypt/live/xx/privkey.pem ;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 9m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/xx/chain.pem;
resolver 127.0.0.1 8.8.8.8 valid=300s;
resolver_timeout 2s;
#
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
#add_header Strict-Transport-Security "max-age=0;";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "no-referrer";
more_set_headers "Server: MyServerName";
Best, Sophie.
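
As an added example (not part of the original post, and not nginx project code), the script below shows one way to read the debug log quoted above: it groups lines by connection number, decodes the `SSL_get_error` values using OpenSSL's constants, and reports the ALPN result and handshake outcome. The function name `summarize` and the embedded sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# SSL_get_error() return codes as defined in OpenSSL's ssl.h.
SSL_ERRORS = {0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
              3: "SSL_ERROR_WANT_WRITE", 4: "SSL_ERROR_WANT_X509_LOOKUP",
              5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN"}

# nginx error_log line: date time [level] pid#tid: *conn message
LINE = re.compile(r"^\S+ \S+ \[(\w+)\] \d+#\d+: \*(\d+) (.*)$")

# Constructed sample: a subset of the debug lines quoted in the post.
SAMPLE = """\
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: http/1.1
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN selected: h2
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_do_handshake: -1
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_get_error: 2
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_do_handshake: -1
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_get_error: 5
2018/01/23 19:17:35 [info] 16054#16054: *1 peer closed connection in SSL handshake while SSL handshaking, client: 178.xx.xx.xxx, server: 0.0.0.0:443
"""

def summarize(log_text):
    """Group debug lines by connection number and summarize each TLS handshake."""
    conns = defaultdict(lambda: {"alpn_offered": [], "alpn_selected": None,
                                 "ssl_errors": [], "outcome": "unknown"})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _level, conn, msg = m.groups()
        c = conns[int(conn)]
        if msg.startswith("SSL ALPN supported by client: "):
            c["alpn_offered"].append(msg.split(": ", 1)[1])
        elif msg.startswith("SSL ALPN selected: "):
            c["alpn_selected"] = msg.split(": ", 1)[1]
        elif msg.startswith("SSL_get_error: "):
            code = int(msg.split(": ", 1)[1])
            c["ssl_errors"].append(SSL_ERRORS.get(code, f"unknown({code})"))
        elif msg == "SSL_do_handshake: 1":
            c["outcome"] = "handshake completed"
        elif msg.startswith("peer closed connection in SSL handshake"):
            # The socket closed mid-handshake; no TLS alert reached nginx.
            c["outcome"] = "client closed the connection during the handshake"
    return dict(conns)

if __name__ == "__main__":
    for conn, info in summarize(SAMPLE).items():
        print(conn, info)
```

For the quoted log this gives `SSL_ERROR_WANT_READ` (the normal "waiting for more data" state on a non-blocking socket) followed by `SSL_ERROR_SYSCALL` with the peer closing the connection, so the server log records that the client aborted the handshake but not why.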