HTTPS doesn't work with Safari

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite
1












I have an EC2 instance with Apache as webserver (and Wildfly as app-server, although I'm not sure it has anything to do with this issue). In front of EC2 I have a load balancer which terminates HTTPS and applies the SSL cert.



Both HTTP and HTTPS works fine in Chrome, but unfortunately not in Safari. Accessing http://test.papereed.com works fine, but accessing https://test.papereed.com gives the error



"Safari can't open the page. The error is "The operation couldn't be completed. Protocol error" (NSPOSIXErrorDomain:100)"


I've looked in /etc/httpd/logs/error_log and /etc/httpd/logs/access_log and also in the Safari console without finding any hint to solving the problem. And that's about how far my knowledge goes :-( Any hints how to trace this issue would be much appreciated.










share|improve this question



























    up vote
    2
    down vote

    favorite
    1












    I have an EC2 instance with Apache as webserver (and Wildfly as app-server, although I'm not sure it has anything to do with this issue). In front of EC2 I have a load balancer which terminates HTTPS and applies the SSL cert.



    Both HTTP and HTTPS works fine in Chrome, but unfortunately not in Safari. Accessing http://test.papereed.com works fine, but accessing https://test.papereed.com gives the error



    "Safari can't open the page. The error is "The operation couldn't be completed. Protocol error" (NSPOSIXErrorDomain:100)"


    I've looked in /etc/httpd/logs/error_log and /etc/httpd/logs/access_log and also in the Safari console without finding any hint to solving the problem. And that's about how far my knowledge goes :-( Any hints how to trace this issue would be much appreciated.










    share|improve this question

























      up vote
      2
      down vote

      favorite
      1









      up vote
      2
      down vote

      favorite
      1






      1





      I have an EC2 instance with Apache as webserver (and Wildfly as app-server, although I'm not sure it has anything to do with this issue). In front of EC2 I have a load balancer which terminates HTTPS and applies the SSL cert.



      Both HTTP and HTTPS works fine in Chrome, but unfortunately not in Safari. Accessing http://test.papereed.com works fine, but accessing https://test.papereed.com gives the error



      "Safari can't open the page. The error is "The operation couldn't be completed. Protocol error" (NSPOSIXErrorDomain:100)"


      I've looked in /etc/httpd/logs/error_log and /etc/httpd/logs/access_log and also in the Safari console without finding any hint to solving the problem. And that's about how far my knowledge goes :-( Any hints how to trace this issue would be much appreciated.










      share|improve this question















      I have an EC2 instance with Apache as webserver (and Wildfly as app-server, although I'm not sure it has anything to do with this issue). In front of EC2 I have a load balancer which terminates HTTPS and applies the SSL cert.



      Both HTTP and HTTPS works fine in Chrome, but unfortunately not in Safari. Accessing http://test.papereed.com works fine, but accessing https://test.papereed.com gives the error



      "Safari can't open the page. The error is "The operation couldn't be completed. Protocol error" (NSPOSIXErrorDomain:100)"


      I've looked in /etc/httpd/logs/error_log and /etc/httpd/logs/access_log and also in the Safari console without finding any hint to solving the problem. And that's about how far my knowledge goes :-( Any hints how to trace this issue would be much appreciated.







      ssl https safari






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 3 hours ago









      Tim

      16.2k31845




      16.2k31845










      asked 3 hours ago









      jola

      5316




      5316




















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          3
          down vote













          curl (if compiled with HTTP/2 support) exhibits the same problem but shows the reason:




          http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1, name: [upgrade], value: [h2,h2c]




          It looks like your server is offering an upgrade to HTTP/2 even though the connection is already done with HTTP/2 - which makes no sense. Not only that, it is explicitly forbidden. From RFC 7540 section 8.1.2.2:




          An endpoint MUST NOT
          generate an HTTP/2 message containing connection-specific header
          fields; any message containing connection-specific header fields MUST
          be treated as malformed
          (Section 8.1.2.6).... connection-
          specific header fields, such as Keep-Alive, Proxy-Connection,
          Transfer-Encoding, and Upgrade




          It looks for me a bug since Apache should not send this header with HTTP/2.



          My guess is that you have a configuration like this



          Protocols h2 h2c http/1.1


          Given that browsers do not support HTTP/2 without TLS anyway and that no Upgrade header is needed with HTTP/2 over TLS I recommend that you replace this configuration with



          Protocols h2 http/1.1


          This disables support for the unneeded HTTP/2 without TLS but should hopefully get rid of the Upgrade header this way since this is only needed for upgrading from plain HTTP to plain HTTP/2.






          share|improve this answer





























            up vote
            1
            down vote













            I think this is a Safari issue rather than an AWS / SSL issue. The search for that error gets many, many results on Google.



            Everything checks out with the website according to the SSL Shopper test and SSL Labs Test.



            I found this possible solution to the problem.




            The solution was to go into Safari Preferences, under Privacy and list
            all Details. This provided a log of all sites where cookies, etc had
            been used. I found the Weather Network domain page and cleared all
            content from it. I was then able to reload the Weather Network page
            with no issues. I assume this would work for other similar singular
            sites.




            There's also this which could be done with Apache.






            share|improve this answer




















            • Yes, I have googled this but not found anything that directly applies (afaiu). I've read the proposed solution for nginx but I'm not sure how/if this is applicable for apache.
              – jola
              2 hours ago










            • Apache will no doubt be able to delete the "Upgrade" header, which is all Nginx is doing.
              – Tim
              2 hours ago










            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "2"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: true,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f937253%2fhttps-doesnt-work-with-safari%23new-answer', 'question_page');

            );

            Post as a guest






























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            3
            down vote













            curl (if compiled with HTTP/2 support) exhibits the same problem but shows the reason:




            http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1, name: [upgrade], value: [h2,h2c]




            It looks like your server is offering an upgrade to HTTP/2 even though the connection is already done with HTTP/2 - which makes no sense. Not only that, it is explicitly forbidden. From RFC 7540 section 8.1.2.2:




            An endpoint MUST NOT
            generate an HTTP/2 message containing connection-specific header
            fields; any message containing connection-specific header fields MUST
            be treated as malformed
            (Section 8.1.2.6).... connection-
            specific header fields, such as Keep-Alive, Proxy-Connection,
            Transfer-Encoding, and Upgrade




            It looks for me a bug since Apache should not send this header with HTTP/2.



            My guess is that you have a configuration like this



            Protocols h2 h2c http/1.1


            Given that browsers do not support HTTP/2 without TLS anyway and that no Upgrade header is needed with HTTP/2 over TLS I recommend that you replace this configuration with



            Protocols h2 http/1.1


            This disables support for the unneeded HTTP/2 without TLS but should hopefully get rid of the Upgrade header this way since this is only needed for upgrading from plain HTTP to plain HTTP/2.






            share|improve this answer


























              up vote
              3
              down vote













              curl (if compiled with HTTP/2 support) exhibits the same problem but shows the reason:




              http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1, name: [upgrade], value: [h2,h2c]




              It looks like your server is offering an upgrade to HTTP/2 even though the connection is already done with HTTP/2 - which makes no sense. Not only that, it is explicitly forbidden. From RFC 7540 section 8.1.2.2:




              An endpoint MUST NOT
              generate an HTTP/2 message containing connection-specific header
              fields; any message containing connection-specific header fields MUST
              be treated as malformed
              (Section 8.1.2.6).... connection-
              specific header fields, such as Keep-Alive, Proxy-Connection,
              Transfer-Encoding, and Upgrade




              It looks for me a bug since Apache should not send this header with HTTP/2.



              My guess is that you have a configuration like this



              Protocols h2 h2c http/1.1


              Given that browsers do not support HTTP/2 without TLS anyway and that no Upgrade header is needed with HTTP/2 over TLS I recommend that you replace this configuration with



              Protocols h2 http/1.1


              This disables support for the unneeded HTTP/2 without TLS but should hopefully get rid of the Upgrade header this way since this is only needed for upgrading from plain HTTP to plain HTTP/2.






              share|improve this answer
























                up vote
                3
                down vote










                up vote
                3
                down vote









                curl (if compiled with HTTP/2 support) exhibits the same problem but shows the reason:




                http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1, name: [upgrade], value: [h2,h2c]




                It looks like your server is offering an upgrade to HTTP/2 even though the connection is already done with HTTP/2 - which makes no sense. Not only that, it is explicitly forbidden. From RFC 7540 section 8.1.2.2:




                An endpoint MUST NOT
                generate an HTTP/2 message containing connection-specific header
                fields; any message containing connection-specific header fields MUST
                be treated as malformed
                (Section 8.1.2.6).... connection-
                specific header fields, such as Keep-Alive, Proxy-Connection,
                Transfer-Encoding, and Upgrade




                It looks for me a bug since Apache should not send this header with HTTP/2.



                My guess is that you have a configuration like this



                Protocols h2 h2c http/1.1


                Given that browsers do not support HTTP/2 without TLS anyway and that no Upgrade header is needed with HTTP/2 over TLS I recommend that you replace this configuration with



                Protocols h2 http/1.1


                This disables support for the unneeded HTTP/2 without TLS but should hopefully get rid of the Upgrade header this way since this is only needed for upgrading from plain HTTP to plain HTTP/2.






                share|improve this answer














                curl (if compiled with HTTP/2 support) exhibits the same problem but shows the reason:




                http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1, name: [upgrade], value: [h2,h2c]




                It looks like your server is offering an upgrade to HTTP/2 even though the connection is already done with HTTP/2 - which makes no sense. Not only that, it is explicitly forbidden. From RFC 7540 section 8.1.2.2:




                An endpoint MUST NOT
                generate an HTTP/2 message containing connection-specific header
                fields; any message containing connection-specific header fields MUST
                be treated as malformed
                (Section 8.1.2.6).... connection-
                specific header fields, such as Keep-Alive, Proxy-Connection,
                Transfer-Encoding, and Upgrade




                It looks for me a bug since Apache should not send this header with HTTP/2.



                My guess is that you have a configuration like this



                Protocols h2 h2c http/1.1


                Given that browsers do not support HTTP/2 without TLS anyway and that no Upgrade header is needed with HTTP/2 over TLS I recommend that you replace this configuration with



                Protocols h2 http/1.1


                This disables support for the unneeded HTTP/2 without TLS but should hopefully get rid of the Upgrade header this way since this is only needed for upgrading from plain HTTP to plain HTTP/2.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited 1 hour ago

























                answered 2 hours ago









                Steffen Ullrich

                7,5631424




                7,5631424






















                    up vote
                    1
                    down vote













                    I think this is a Safari issue rather than an AWS / SSL issue. The search for that error gets many, many results on Google.



                    Everything checks out with the website according to the SSL Shopper test and SSL Labs Test.



                    I found this possible solution to the problem.




                    The solution was to go into Safari Preferences, under Privacy and list
                    all Details. This provided a log of all sites where cookies, etc had
                    been used. I found the Weather Network domain page and cleared all
                    content from it. I was then able to reload the Weather Network page
                    with no issues. I assume this would work for other similar singular
                    sites.




                    There's also this which could be done with Apache.






                    share|improve this answer




















                    • Yes, I have googled this but not found anything that directly applies (afaiu). I've read the proposed solution for nginx but I'm not sure how/if this is applicable for apache.
                      – jola
                      2 hours ago










                    • Apache will no doubt be able to delete the "Upgrade" header, which is all Nginx is doing.
                      – Tim
                      2 hours ago














                    up vote
                    1
                    down vote













                    I think this is a Safari issue rather than an AWS / SSL issue. The search for that error gets many, many results on Google.



                    Everything checks out with the website according to the SSL Shopper test and SSL Labs Test.



                    I found this possible solution to the problem.




                    The solution was to go into Safari Preferences, under Privacy and list
                    all Details. This provided a log of all sites where cookies, etc had
                    been used. I found the Weather Network domain page and cleared all
                    content from it. I was then able to reload the Weather Network page
                    with no issues. I assume this would work for other similar singular
                    sites.




                    There's also this which could be done with Apache.






                    share|improve this answer




















                    • Yes, I have googled this but not found anything that directly applies (afaiu). I've read the proposed solution for nginx but I'm not sure how/if this is applicable for apache.
                      – jola
                      2 hours ago










                    • Apache will no doubt be able to delete the "Upgrade" header, which is all Nginx is doing.
                      – Tim
                      2 hours ago












                    up vote
                    1
                    down vote










                    up vote
                    1
                    down vote









                    I think this is a Safari issue rather than an AWS / SSL issue. The search for that error gets many, many results on Google.



                    Everything checks out with the website according to the SSL Shopper test and SSL Labs Test.



                    I found this possible solution to the problem.




                    The solution was to go into Safari Preferences, under Privacy and list
                    all Details. This provided a log of all sites where cookies, etc had
                    been used. I found the Weather Network domain page and cleared all
                    content from it. I was then able to reload the Weather Network page
                    with no issues. I assume this would work for other similar singular
                    sites.




                    There's also this which could be done with Apache.






                    share|improve this answer












                    I think this is a Safari issue rather than an AWS / SSL issue. The search for that error gets many, many results on Google.



                    Everything checks out with the website according to the SSL Shopper test and SSL Labs Test.



                    I found this possible solution to the problem.




                    The solution was to go into Safari Preferences, under Privacy and list
                    all Details. This provided a log of all sites where cookies, etc had
                    been used. I found the Weather Network domain page and cleared all
                    content from it. I was then able to reload the Weather Network page
                    with no issues. I assume this would work for other similar singular
                    sites.




                    There's also this which could be done with Apache.







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered 3 hours ago









                    Tim

                    16.2k31845




                    16.2k31845











                    • Yes, I have googled this but not found anything that directly applies (afaiu). I've read the proposed solution for nginx but I'm not sure how/if this is applicable for apache.
                      – jola
                      2 hours ago










                    • Apache will no doubt be able to delete the "Upgrade" header, which is all Nginx is doing.
                      – Tim
                      2 hours ago
















                    • Yes, I have googled this but not found anything that directly applies (afaiu). I've read the proposed solution for nginx but I'm not sure how/if this is applicable for apache.
                      – jola
                      2 hours ago










                    • Apache will no doubt be able to delete the "Upgrade" header, which is all Nginx is doing.
                      – Tim
                      2 hours ago















                    Yes, I have googled this but not found anything that directly applies (afaiu). I've read the proposed solution for nginx but I'm not sure how/if this is applicable for apache.
                    – jola
                    2 hours ago




                    Yes, I have googled this but not found anything that directly applies (afaiu). I've read the proposed solution for nginx but I'm not sure how/if this is applicable for apache.
                    – jola
                    2 hours ago












                    Apache will no doubt be able to delete the "Upgrade" header, which is all Nginx is doing.
                    – Tim
                    2 hours ago




                    Apache will no doubt be able to delete the "Upgrade" header, which is all Nginx is doing.
                    – Tim
                    2 hours ago

















                     

                    draft saved


                    draft discarded















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f937253%2fhttps-doesnt-work-with-safari%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Comments

                    Popular posts from this blog

                    What does second last employer means? [closed]

                    Installing NextGIS Connect into QGIS 3?

                    One-line joke