Thanks for your comprehensive response.

On Wed, 1 Nov 2023 at 12:11, Nick Couchman <[email protected]> wrote:
>
> You may need to bump up error logging on the Guacamole Client side, through
> the logback.xml file, to get an idea of what's happening. Also, I'm not sure
> how feasible it is to get a debug console on the Safari browser on iOS and
> see what the JavaScript console is saying?

I will try that, but I need a few days for that.

> The fact that you're having the issue only on Safari on iOS is puzzling,
> because even Chrome on iOS uses Apple's WebKit rendering engine, rather than
> the Chrome engine, which is a requirement for any browser running on iOS. So
> it's odd that you'd see any difference at all.

Sorry, I think this was inaccurately explained from my side. I think it works in Chrome, because there is no way to set a client certificate. This is only possible with Safari.

- nginx: request certificate
- Safari: send certificate -> error page
- Chrome: does not send any certificate -> works as long as no validation happens

I'm pretty sure that if I removed the client certificate from Safari, it would work too (until I enable validation).

> I'm not sure I understand what you're trying to say, here? The certificates
> shouldn't be changing - the server has a certificate, the client has a
> certificate, and they exchange these when they do the TLS handshake at the
> beginning of the connection, but they aren't changing certificates?

I have no knowledge about the code, so I don't know what really happened. But just from the error messages/behaviour (Nextcloud app, not Guacamole) it looks like the app at first sees the server certificate and says "valid" (or asks if it is self-signed). After that, nginx asks for the client certificate, iOS/WebKit/the app sends it, but the app considers it a new server certificate and asks for validation (as it's not signed by a public CA).

> I would think if there were "flapping" you wouldn't see the
> "ERROR_PAGE_UNAVAILABLE" issue, you'd see constant re-loading or something
> like that?

Hard to say, maybe it just stops as the SSL connection is treated as invalid? But I think it does not make that much sense to speculate without knowing if it's really related.

> I think some more information is required.
> If it is a bug, I'm not sure how
> it's a Guacamole-related bug, when you've already confirmed that every other
> browser - including Chrome using WebKit on iOS - functions as expected? Seems
> something peculiar to Safari??

Yes, I will try to get more information with logback.xml. I will also try Firefox on x86 machines, as I assume it's either a Guacamole thing or a WebKit thing.

Thanks again
Henning

PS: my instance is running under guacamole.07q.de/guacamole, which should be accessible with the following certificate:
(echo '$base64-code-from-the-bottom' | base64 -d > example.p12 and then add it as client certificate with password "test")
