Bug #6539
completely unable to access cn.dataone.org from Safari 7.1 if user has any certificates installed
100%
Description
On a system with Safari 7.1 and having client certificates installed, users are not able to get to anything on cn.dataone.org. The user is trapped in a cycle of approving certificate access, but after 15 approve and an allow-always, I was still not able to connect into the site.
Disable SSLVerifyClient for Safari users. The solution provided by Matt Jones will only work on apache webserver 2.4+. Since the version on Ubuntu 12.04 is 2.2, we have no recourse other than to delay until our systems are upgraded.
The file in the project dataone-cn-os-core /usr/share/dataone-cn-os-core/debian/cn-ssl has fix in it, but commented out.
Related issues
Associated revisions
refs #6539
completely unable to access cn.dataone.org from Safari 7.1 if user has any certificates installed.
Setting the ExpectContinuedEnabled property by the apache HttpComponents client's RequestConfig builder in order to add the Expect: 100-Continue header to the request.
refs #6539
completely unable to access cn.dataone.org from Safari 7.1 if user has any certificates installed.
Setting the ExpectContinuedEnabled property by the apache HttpComponents client's RequestConfig builder in order to add the Expect: 100-Continue header to the request.
refs #6539
completely unable to access cn.dataone.org from Safari 7.1 if user has any certificates installed
refs #6539
completely unable to access cn.dataone.org from Safari 7.1 if user has any certificates installed
refs #6539
removing for now
Setting the ExpectContinuedEnabled property by the apache HttpComponents client's RequestConfig builder in order to add the Expect: 100-Continue header to the request.
refs #6539
removing for now
Setting the ExpectContinuedEnabled property by the apache HttpComponents client's RequestConfig builder in order to add the Expect: 100-Continue header to the request.
refs #6539
Need to delay this until we upgrade ubuntu.
reverting: completely unable to access cn.dataone.org from Safari 7.1 if user has any certificates installed
refs #6539
Need to delay this until we upgrade ubuntu.
reverting: completely unable to access cn.dataone.org from Safari 7.1 if user has any certificates installed
History
#1 Updated by Dave Vieglais over 9 years ago
- Status changed from New to Rejected
This is a problem with Safari and it's interaction with servers where a client certificate is optional. See #2693
#2 Updated by Dave Vieglais over 8 years ago
- Category set to d1_cn_buildout
- Target version set to CCI-2.2.0
- Assignee set to Robert Waltz
- Status changed from Rejected to New
Chris suggests a fix like:
The issues with Safari (#2693, #6539) are still of course affecting Safari users. For the Arctic Data Center repository, NSF immediately contacted us about users having trouble connecting, and they estimated that 50% of the arctic researchers used Safari. In testing this, it seems that the most recent versions of Safari allow the user to ‘Cancel’ sending a certificate it found in the Keychain store, but it’s not the default action. Choosing the default action (‘Continue’) causes Safari to fail to connect over SSL.
So, to deal with this, we’ve added the following code to the Apache config:
SSLVerifyClient none
SSLVerifyClient optional
Effectively, it doesn’t request a client certificate for Apple WebKit-based browsers. We still see some issues with Chrome on Android with these settings, but it seems to alleviate the Safari issue. Since authentication tokens seem to be our preferred client-side means of authentication, this seemed like a reasonable sacrifice.
Anyway, I thought we might consider using this on the CNs, or something like it.
#3 Updated by Robert Waltz over 8 years ago
- % Done changed from 0 to 30
- Status changed from New to In Progress
#4 Updated by Robert Waltz over 8 years ago
- % Done changed from 30 to 50
- Status changed from In Progress to Testing
#5 Updated by Rob Nahf over 8 years ago
At least with Safari 9.1,
when first encountering a secure site, Safari lets you choose which certificate to use. If you hit cancel (once or twice) it will continue to connect without a client cert. Dave reports hitting escape works as well, with maybe fewer clicks).
However, once a certificate is chosen, Safari will remember your "identity preference" in Keychain, and you will not get the dialog in the future.
To clear out the preference, open Keychain application, select "All items" in the category filter, then start typing the server domain name in the search field. It will show any identity preference items, and you can select the one to delete.
https://discussions.apple.com/message/25649086#25649086
for a more in depth discussion and evolution of Safari's capabilities in this area.
#6 Updated by Robert Waltz over 8 years ago
- Status changed from Testing to In Progress
- % Done changed from 50 to 30
#7 Updated by Robert Waltz over 8 years ago
- Status changed from In Progress to New
- % Done changed from 30 to 0
#8 Updated by Robert Waltz over 8 years ago
- Target version changed from CCI-2.2.0 to CCI-2.4.0
#9 Updated by Robert Waltz over 8 years ago
- Description updated (diff)
#10 Updated by Dave Vieglais almost 8 years ago
- % Done changed from 0 to 100
- Status changed from New to Closed
Appears to be resolved in 2.3.0 release.
