[asterisk-dev] Can't connect to Jira with Safari OS/X

Fri Jul 8 12:52:05 CDT 2011

On Fri, Jul 8, 2011 at 11:23 AM, Kevin P. Fleming <kpfleming at digium.com> wrote:
> On 07/08/2011 10:51 AM, Olle E. Johansson wrote:
>>
>> 8 jul 2011 kl. 16.31 skrev Kevin P. Fleming:
>>
>>> On 07/08/2011 09:28 AM, Olle E. Johansson wrote:
>>>>
>>>> My Safari claims it can't open a secure connection to
>>>> issues.asterisk.org
>>>>
>>>> Can someone at Digium forward this to IT staff? THe error message would
>>>> not make sense to them, since it's localized into Swedish.
>>>
>>> The IT staff doesn't run the JIRA system, we here in Engineering do :-)
>>>
>>> In addition, we're aware of this problem, and it appears to be a bug in
>>> Safari. The Apache proxy that sits in front of JIRA is configured to request
>>> (but not require) an SSL client certificate, as we use that method for
>>> providing privileged access to some JIRA accounts. It seems that Safari does
>>> not know how to deal with this request properly, but other browsers handle
>>> it just fine. It doesn't seem to be restricted to OS/X either... Safari on
>>> Windows has the same problem.
>>>
>>> Unfortunately it's not possible to reconfigure Apache to avoid this
>>> problem; we don't know what HTTP user-agent is in use until after the
>>> SSL/TLS negotiations are completed.
>>
>> Check the SSLinsecurenegotiation parameter. I've just had a similar
>> problem with an SSL client using a buggy OpenSSL. Maybe Safari suffers from
>> the same.
>>
>> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation
>
> That's re-negotiation; I'm pretty sure that this problem is happening during
> the initial negotiation, not re-negotiation.

No, that's re-negotiation.  The Apache server cannot know what URL was requested
until after the SSL session is already established; therefore, it can
only ask for a
client certificate during renegotiation, once the /jira/ path is
known.  Going to the base
URL just confirms that it's renegotiation that is the problem.

-- 
Tilghman