Debugging Safari 11 unable to connect over SSL to a http2 web server

Sophie Loewenthal sophie at klunky.co.uk
Tue Jan 23 20:04:23 UTC 2018


Hi all,

Problem found.

This really was caused by an SSL cert name mismatch.


> On 23 Jan 2018, at 20:27, Sophie Loewenthal <sophie at klunky.co.uk> wrote:
> 
> Hi,
> 
> Chrome and Firefox can connect to my webserver over https running http2.
> Safari 11 cannot, and gave no error messages other than "cannot connect".
> 
> There is a certificate name mismatch, but I thought Safari would still let me know why it did not connect. The SSL cert is otherwise valid.
> 
> I enabled debug on the vhost and had this logged below, but this does not tell me much. How could I investigate this further?
> 
> 
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL certificate status callback
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2-16
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2-15
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2-14
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: spdy/3.1
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: spdy/3
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: http/1.1
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN selected: h2
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_do_handshake: -1
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_get_error: 2
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 epoll add event: fd:3 op:1 ev:80002001
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 event timer add: 3: 12000:1516735067367
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 reusable connection: 0
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL handshake handler: 0
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_do_handshake: -1
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_get_error: 5
> 2018/01/23 19:17:35 [info] 16054#16054: *1 peer closed connection in SSL handshake while SSL handshaking, client: 178.xx.xx.xxx, server: 0.0.0.0:443
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 close http connection: 3
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 event timer del: 3: 1516735067367
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 reusable connection: 0
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 free: 0000561F72E17370, unused: 112
> 
> 
> The vhost is the same as the one I emailed about earlier:
>        listen [::]:443 ipv6only=on ssl http2;
> 
>        server_name xx.com xx.com;
>        root /var/www/xx.com;
>        access_log /var/log/nginx/access.log combined_ssl;
>        error_log /var/log/nginx/error.log debug;
> 
>        ssl_certificate         /etc/letsencrypt/live/xx/fullchain.pem;
>        ssl_certificate_key     /etc/letsencrypt/live/xx/privkey.pem;
>        ssl_prefer_server_ciphers on;
>        ssl_protocols TLSv1.2;
>        ssl_ecdh_curve  secp384r1;
>        ssl_session_timeout 9m;
>        ssl_session_tickets off;
>        ssl_stapling on;
>        ssl_stapling_verify on;
>        ssl_trusted_certificate /etc/letsencrypt/live/xx/chain.pem;
>        resolver 127.0.0.1 8.8.8.8 valid=300s;
>        resolver_timeout 2s;
>        #
>        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
>        #add_header  Strict-Transport-Security "max-age=0;";
>        add_header X-Content-Type-Options nosniff;
>        add_header X-XSS-Protection "1; mode=block";
>        add_header Referrer-Policy "no-referrer";
>        more_set_headers "Server: MyServerName";
> 
> 
> Best, Sophie.
> 
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
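For anyone hitting the same symptom, here is an added example (not from Sophie's post and not nginx's own code) that turns the two checks behind the fix into code. It reads the nginx debug lines quoted above and decodes the numbers nginx logs from SSL_get_error (2 is SSL_ERROR_WANT_READ, the normal "waiting for the next flight" state; 5 is SSL_ERROR_SYSCALL, here meaning the peer went away before the handshake finished, and no TLS alert appears in the log), and it matches the host name a client asked for against the DNS names a certificate carries using the RFC 6125 rules, which is where a name mismatch shows up. The log text is a trimmed copy of the lines in the thread; the host names and certificate name lists are constructed placeholders.

```python
"""Added example: decode the nginx debug-log lines from the thread and test
a certificate's names against the requested host.  The log text is a trimmed
copy of the post; host names and certificate names are constructed."""
import re

# Return codes of OpenSSL's SSL_get_error(), which nginx logs as a bare number.
SSL_ERROR_NAMES = {
    0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
    3: "SSL_ERROR_WANT_WRITE", 4: "SSL_ERROR_WANT_X509_LOOKUP",
    5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN",
    7: "SSL_ERROR_WANT_CONNECT", 8: "SSL_ERROR_WANT_ACCEPT",
}

ALPN_OFFER = re.compile(r"SSL ALPN supported by client: (\S+)")
ALPN_PICK = re.compile(r"SSL ALPN selected: (\S+)")
GET_ERROR = re.compile(r"SSL_get_error: (\d+)")
PEER_CLOSED = re.compile(r"peer closed connection in SSL handshake")
TLS_ALERT = re.compile(r"SSL alert number \d+")  # OpenSSL's wording when a peer alert is received
CLIENT_IP = re.compile(r"client: ([0-9A-Za-z.:]+)")

# Trimmed copy of the debug lines quoted in the thread (constructed sample input).
SAMPLE_LOG = """\
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: http/1.1
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN selected: h2
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_do_handshake: -1
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_get_error: 2
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_do_handshake: -1
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_get_error: 5
2018/01/23 19:17:35 [info] 16054#16054: *1 peer closed connection in SSL handshake while SSL handshaking, client: 178.xx.xx.xxx, server: 0.0.0.0:443
""".splitlines()


def parse_handshake_log(lines):
    """Summarise one connection's TLS handshake from nginx debug log lines."""
    s = {"alpn_offered": [], "alpn_selected": None, "ssl_errors": [],
         "peer_closed": False, "alert_seen": False, "client": None}
    for line in lines:
        if m := ALPN_OFFER.search(line):
            s["alpn_offered"].append(m.group(1))
        elif m := ALPN_PICK.search(line):
            s["alpn_selected"] = m.group(1)
        elif m := GET_ERROR.search(line):
            code = int(m.group(1))
            s["ssl_errors"].append(SSL_ERROR_NAMES.get(code, f"UNKNOWN({code})"))
        elif PEER_CLOSED.search(line):
            s["peer_closed"] = True
            if m := CLIENT_IP.search(line):
                s["client"] = m.group(1)
        elif TLS_ALERT.search(line):
            s["alert_seen"] = True
    return s


def hostname_matches(hostname, cert_names):
    """RFC 6125 style match of a host against a certificate's DNS names:
    exact label-by-label match, or a single leftmost '*' label that covers
    exactly one label and never the bare registered domain.
    So '*.xx.com' covers www.xx.com but not xx.com or a.b.xx.com."""
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels == host:
            return True
        if labels[0] == "*" and len(labels) >= 3 and labels[1:] == host[1:]:
            return True
    return False


def diagnose(summary, requested_host, cert_names):
    """Turn the log summary plus the certificate's names into a next step."""
    if not summary["peer_closed"]:
        return "handshake did not end with the client closing the connection"
    if summary["alert_seen"]:
        return "client sent a TLS alert; the alert number in the log names the reason"
    if not hostname_matches(requested_host, cert_names):
        return (f"client closed silently after ALPN selected {summary['alpn_selected']}; "
                f"certificate names {cert_names} do not cover {requested_host}")
    return ("client closed silently and the certificate names match; "
            "check ssl_protocols, ssl_ecdh_curve and the stapled OCSP response next")


if __name__ == "__main__":
    # Constructed names: the browser asked for www.example.com, the cert only has example.com.
    summary = parse_handshake_log(SAMPLE_LOG)
    print(summary)
    print(diagnose(summary, "www.example.com", ["example.com"]))
```

On a live server the same two facts come from `openssl s_client -connect host:443 -servername host -alpn h2`: the negotiated ALPN protocol is printed with the handshake output, and the certificate it prints can be piped into `openssl x509 -noout -text` to read the subjectAltName entries and compare them with the name in the browser's address bar. A client that gives up on the certificate and simply closes the TCP connection instead of sending an alert leaves nginx exactly the "peer closed connection in SSL handshake" line quoted above, which is why the server log by itself cannot name the cause.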


