Bug #6539

completely unable to access cn.dataone.org from Safari 7.1 if user has any certificates installed

Added by Bruce Wilson over 9 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Robert Waltz
Category:
d1_cn_buildout
Target version:
Start date:
Due date:
% Done:

100%

Milestone:
None
Product Version:
*
Story Points:
Sprint:

Description

On a system with Safari 7.1 and having client certificates installed, users are not able to get to anything on cn.dataone.org. The user is trapped in a cycle of approving certificate access, but after approving 15 times and choosing allow-always, I was still not able to connect to the site.

Disable SSLVerifyClient for Safari users. The solution provided by Matt Jones will only work on apache webserver 2.4+. Since the version on Ubuntu 12.04 is 2.2, we have no recourse other than to delay until our systems are upgraded.

The file in the project dataone-cn-os-core /usr/share/dataone-cn-os-core/debian/cn-ssl has the fix in it, but commented out.


Related issues

Related to Infrastructure - Bug #2693: Error -1205 "Client Certificate Rejected" by Safari Closed
Related to MN Dashboard - Bug #6506: Member Node Dashboard not loading in Safari 7.1 Closed 2014-10-06 2015-01-12

Associated revisions

Revision 18028
Added by Robert Waltz almost 8 years ago

refs #6539

completely unable to access cn.dataone.org from Safari 7.1 if user has any certificates installed.

Setting the ExpectContinuedEnabled property by the apache HttpComponents client's RequestConfig builder in order to add the Expect: 100-Continue header to the request.

Revision 18029
Added by Robert Waltz almost 8 years ago

refs #6539

completely unable to access cn.dataone.org from Safari 7.1 if user has any certificates installed

Revision 18037
Added by Robert Waltz almost 8 years ago

refs #6539

removing for now

Setting the ExpectContinuedEnabled property by the apache HttpComponents client's RequestConfig builder in order to add the Expect: 100-Continue header to the request.

Revision 18039
Added by Robert Waltz almost 8 years ago

refs #6539

Need to delay this until we upgrade ubuntu.

reverting: completely unable to access cn.dataone.org from Safari 7.1 if user has any certificates installed

History

#1 Updated by Dave Vieglais about 9 years ago

  • Status changed from New to Rejected

This is a problem with Safari and its interaction with servers where a client certificate is optional. See #2693

#2 Updated by Dave Vieglais about 8 years ago

  • Category set to d1_cn_buildout
  • Target version set to CCI-2.2.0
  • Assignee set to Robert Waltz
  • Status changed from Rejected to New

Chris suggests a fix like:

The issues with Safari (#2693, #6539) are still of course affecting Safari users. For the Arctic Data Center repository, NSF immediately contacted us about users having trouble connecting, and they estimated that 50% of the arctic researchers used Safari. In testing this, it seems that the most recent versions of Safari allow the user to ‘Cancel’ sending a certificate it found in the Keychain store, but it’s not the default action. Choosing the default action (‘Continue’) causes Safari to fail to connect over SSL.

So, to deal with this, we’ve added the following code to the Apache config:


SSLVerifyClient none

SSLVerifyClient optional

Effectively, it doesn’t request a client certificate for Apple WebKit-based browsers. We still see some issues with Chrome on Android with these settings, but it seems to alleviate the Safari issue. Since authentication tokens seem to be our preferred client-side means of authentication, this seemed like a reasonable sacrifice.
Anyway, I thought we might consider using this on the CNs, or something like it.
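The two SSLVerifyClient lines quoted above are the body of a conditional block keyed on the browser's User-Agent. Below is a complete form of that construct, added here as an example; it is not the project's cn-ssl file nor Chris's exact directives. The hostname, certificate paths and the User-Agent pattern are assumptions for illustration.

```apache
# Added example, not the DataONE cn-ssl configuration.
# Requires Apache httpd 2.4+: the <If> container did not exist in 2.2,
# which is why the Ubuntu 12.04 CNs could not carry this fix.
<VirtualHost *:443>
    ServerName cn.example.org                            # assumed hostname
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/cn.pem          # assumed paths
    SSLCertificateKeyFile /etc/ssl/private/cn.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem   # CA(s) whose client certs are accepted
    SSLVerifyDepth 10

    # WebKit browsers: Safari (and Chrome on Android, per the report) loop on
    # the certificate prompt, so do not ask them for a client certificate at all.
    # These users authenticate with tokens instead. The pattern excludes desktop
    # Chrome, whose User-Agent also contains "AppleWebKit" and "Safari".
    <If "%{HTTP_USER_AGENT} =~ /AppleWebKit/i && %{HTTP_USER_AGENT} !~ /Chrome/i">
        SSLVerifyClient none
    </If>
    # Everyone else: request a client certificate but do not require one, so
    # clients without a certificate still reach the site.
    <Else>
        SSLVerifyClient optional
    </Else>
</VirtualHost>
```

Two caveats a reviewer would raise. The User-Agent header is chosen by the client, so this block only decides whether the server asks for a certificate; it grants nothing, and authorization must still come from validating the presented certificate or token. Second, SSLVerifyClient inside a per-request container is applied by renegotiating after the request headers are read; under TLS 1.3, which removed renegotiation, this depends on post-handshake authentication support in both mod_ssl and the browser, so test it with the TLS versions you actually enable.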

#3 Updated by Robert Waltz almost 8 years ago

  • % Done changed from 0 to 30
  • Status changed from New to In Progress

#4 Updated by Robert Waltz almost 8 years ago

  • % Done changed from 30 to 50
  • Status changed from In Progress to Testing

#5 Updated by Rob Nahf almost 8 years ago

At least with Safari 9.1, when first encountering a secure site, Safari lets you choose which certificate to use. If you hit cancel (once or twice) it will continue to connect without a client cert. (Dave reports hitting escape works as well, with maybe fewer clicks.)

However, once a certificate is chosen, Safari will remember your "identity preference" in Keychain, and you will not get the dialog in the future.

To clear out the preference, open Keychain application, select "All items" in the category filter, then start typing the server domain name in the search field. It will show any identity preference items, and you can select the one to delete.

https://discussions.apple.com/message/25649086#25649086

also see http://superuser.com/questions/343231/how-do-i-make-safari-automatically-use-a-particular-client-certificate-for-an-en

for a more in depth discussion and evolution of Safari's capabilities in this area.

#6 Updated by Robert Waltz almost 8 years ago

  • Status changed from Testing to In Progress
  • % Done changed from 50 to 30

#7 Updated by Robert Waltz almost 8 years ago

  • Status changed from In Progress to New
  • % Done changed from 30 to 0

#8 Updated by Robert Waltz almost 8 years ago

  • Target version changed from CCI-2.2.0 to CCI-2.4.0

#9 Updated by Robert Waltz almost 8 years ago

  • Description updated (diff)

#10 Updated by Dave Vieglais over 7 years ago

  • % Done changed from 0 to 100
  • Status changed from New to Closed

Appears to be resolved in 2.3.0 release.
