Apple/Safari browsers (all current versions) have a bug where if they attempt to connect to a SSL client-authenticated website, and have client certs in their keystore whose signers/chain is not solicited during SSL handshake, then Safari may send the unsolicited cert anyway.


This is a problem even for sites that have 'SSLVerifyClient optional' or 'SSLVerifyClient optional_no_ca' configured.

The message displayed by Safari is:

client certificate rejected: NSURLErrorSomain:-1205

The message logged in the openssl based webserver is:

SSL Failure error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

My question is, is/should it be possible (and isn't it innocuous) for the web server to configure the openssl library to NOT send that error back or drop the connection, in the case where client-auth is optional? If so, what API functions would be used? (I will not make the change myself; I would forward this info to the specific web server vendor, though I can attest that this also is an issue for Apache sites + Safari)

Thanks very much in advance,
ken

