Debugging Safari 11 unable to connect over SSL to a http2 web server
Sophie Loewenthal
sophie at klunky.co.uk
Tue Jan 23 20:04:23 UTC 2018
Hi all,
Problem found.
This really was caused by an SSL cert name mismatch.
> On 23 Jan 2018, at 20:27, Sophie Loewenthal <sophie at klunky.co.uk> wrote:
>
> Hi,
>
> Chrome and Firefox can connect to my webserver over https running http2.
> Safari 11 cannot, and gave no error messages other than "cannot connect".
>
> There is a certificate name mismatch, but I thought Safari would still let me know why it did not connect. The SSL cert is otherwise valid.
>
> I enabled debug on the vhost and had this logged below, but this does not tell me much. How could I investigate this further?
>
>
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL certificate status callback
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2-16
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2-15
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2-14
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: spdy/3.1
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: spdy/3
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: http/1.1
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN selected: h2
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_do_handshake: -1
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_get_error: 2
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 epoll add event: fd:3 op:1 ev:80002001
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 event timer add: 3: 12000:1516735067367
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 reusable connection: 0
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL handshake handler: 0
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_do_handshake: -1
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_get_error: 5
> 2018/01/23 19:17:35 [info] 16054#16054: *1 peer closed connection in SSL handshake while SSL handshaking, client: 178.xx.xx.xxx, server: 0.0.0.0:443
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 close http connection: 3
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 event timer del: 3: 1516735067367
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 reusable connection: 0
> 2018/01/23 19:17:35 [debug] 16054#16054: *1 free: 0000561F72E17370, unused: 112
>
>
> The vhost is the same as the one I emailed about earlier:
> listen [::]:443 ipv6only=on ssl http2 ;
>
> server_name xx.com xx.com;
> root /var/www/xx.com;
> access_log /var/log/nginx/access.log combined_ssl;
> error_log /var/log/nginx/error.log debug ;
>
> ssl_certificate /etc/letsencrypt/live/xx/fullchain.pem ;
> ssl_certificate_key /etc/letsencrypt/live/xx/privkey.pem ;
> ssl_prefer_server_ciphers on;
> ssl_protocols TLSv1.2;
> ssl_ecdh_curve secp384r1;
> ssl_session_timeout 9m;
> ssl_session_tickets off;
> ssl_stapling on;
> ssl_stapling_verify on;
> ssl_trusted_certificate /etc/letsencrypt/live/xx/chain.pem;
> resolver 127.0.0.1 8.8.8.8 valid=300s;
> resolver_timeout 2s;
> #
> add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
> #add_header Strict-Transport-Security "max-age=0;";
> add_header X-Content-Type-Options nosniff;
> add_header X-XSS-Protection "1; mode=block";
> add_header Referrer-Policy "no-referrer";
> more_set_headers "Server: MyServerName";
>
>
> Best, Sophie.
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
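Added example, not part of this thread and not nginx's own code: a small Python script that reads the debug lines quoted above (embedded here as constructed sample input) and states what the server side can and cannot learn from them, followed by the subjectAltName hostname check that a browser performs before it silently drops a connection like this one. The certificate names in the second part (example.net, example.org) are constructed placeholders, since the real names are redacted in the post.

```python
"""Two client-side checks for a handshake nginx only sees as
"peer closed connection in SSL handshake": (1) summarize what the nginx
debug log records per connection, and (2) test whether a hostname is
covered by a certificate's subjectAltName dNSName entries."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the TLS-related lines from the quoted error.log,
# with the client address left redacted as in the original post.
SAMPLE_LOG = """\
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL certificate status callback
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2-16
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2-15
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: h2-14
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: spdy/3.1
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: spdy/3
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN supported by client: http/1.1
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL ALPN selected: h2
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_do_handshake: -1
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_get_error: 2
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL handshake handler: 0
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_do_handshake: -1
2018/01/23 19:17:35 [debug] 16054#16054: *1 SSL_get_error: 5
2018/01/23 19:17:35 [info] 16054#16054: *1 peer closed connection in SSL handshake while SSL handshaking, client: 178.xx.xx.xxx, server: 0.0.0.0:443
"""

# OpenSSL SSL_get_error() return codes; nginx logs the bare integer.
SSL_ERROR_NAMES = {
    0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
    3: "SSL_ERROR_WANT_WRITE", 4: "SSL_ERROR_WANT_X509_LOOKUP",
    5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN",
}

# date time [level] pid#tid: *conn message
LINE_RE = re.compile(r"^\S+ \S+ \[(?P<level>\w+)\] \d+#\d+: \*(?P<conn>\d+) (?P<msg>.*)$")


@dataclass
class HandshakeTrace:
    conn: str
    alpn_offered: List[str] = field(default_factory=list)
    alpn_selected: Optional[str] = None
    ssl_errors: List[int] = field(default_factory=list)
    peer_closed: bool = False
    alert_seen: bool = False


def parse_nginx_debug(log: str) -> Dict[str, HandshakeTrace]:
    """Group the TLS-related debug lines by nginx connection number (*N)."""
    traces: Dict[str, HandshakeTrace] = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = traces.setdefault(m["conn"], HandshakeTrace(m["conn"]))
        msg = m["msg"]
        if msg.startswith("SSL ALPN supported by client: "):
            t.alpn_offered.append(msg.split(": ", 1)[1])
        elif msg.startswith("SSL ALPN selected: "):
            t.alpn_selected = msg.split(": ", 1)[1]
        elif msg.startswith("SSL_get_error: "):
            t.ssl_errors.append(int(msg.split(": ", 1)[1]))
        elif "peer closed connection in SSL handshake" in msg:
            t.peer_closed = True
        elif "SSL_do_handshake() failed" in msg and "alert" in msg:
            # A client that rejects the certificate with a TLS alert shows up
            # here instead, and OpenSSL's error string names the alert.
            t.alert_seen = True
    return traces


def diagnose(t: HandshakeTrace) -> str:
    """Explain the outcome in terms of what the server can actually observe."""
    last = SSL_ERROR_NAMES.get(t.ssl_errors[-1], "unknown") if t.ssl_errors else "none"
    if t.alert_seen:
        return "client sent a TLS alert; the alert named in error.log gives its reason"
    if t.peer_closed and last == "SSL_ERROR_SYSCALL":
        return (f"client closed the socket without a TLS alert after ALPN {t.alpn_selected!r} "
                "was negotiated; the server cannot see why, so verify the certificate "
                "from the client side (name, chain, expiry)")
    if last == "SSL_ERROR_WANT_READ":
        return "handshake still in progress; nginx is waiting for the client's next flight"
    return f"handshake ended with {last}"


def hostname_matches(hostname: str, san_dns_names: List[str]) -> bool:
    """dNSName matching as browsers apply it: case-insensitive, a wildcard only as
    the whole leftmost label, covering exactly one label and never a public suffix
    (so *.example.net covers a.example.net but not example.net or a.b.example.net)."""
    host = hostname.rstrip(".").lower().split(".")
    for name in san_dns_names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*" and len(labels) >= 3:
            if labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


if __name__ == "__main__":
    for trace in parse_nginx_debug(SAMPLE_LOG).values():
        print(f"connection *{trace.conn}: {diagnose(trace)}")
    # Constructed certificate names: the SAN list does not cover example.org.
    print(hostname_matches("example.org", ["example.net", "www.example.net"]))
```

The server-side log only shows that the client went away after ALPN was settled and before the handshake finished, with no alert to explain it; that is why the vhost debug output "does not tell me much". The name check is what to run against the certificate actually served: for instance `openssl s_client -connect host:443 -servername host -alpn h2` prints the negotiated protocol and a "Verify return code", and the SAN list it returns can be fed to `hostname_matches` for the name the browser typed.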