HTTPS doesn't work with Safari
I have an EC2 instance with Apache as webserver (and Wildfly as app-server, although I'm not sure it has anything to do with this issue). In front of EC2 I have a load balancer which terminates HTTPS and applies the SSL cert.
Both HTTP and HTTPS work fine in Chrome, but unfortunately not in Safari. Accessing http://test.papereed.com works fine, but accessing https://test.papereed.com gives the error:
"Safari can't open the page. The error is "The operation couldn't be completed. Protocol error" (NSPOSIXErrorDomain:100)"
I've looked in /etc/httpd/logs/error_log and /etc/httpd/logs/access_log and also in the Safari console without finding any hint to solving the problem. And that's about how far my knowledge goes :-( Any hints how to trace this issue would be much appreciated.
Tags: ssl, https, safari
asked 3 hours ago by jola, edited 3 hours ago by Tim
2 Answers
curl (if compiled with HTTP/2 support) exhibits the same problem but shows the reason:
http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1, name: [upgrade], value: [h2,h2c]
It looks like your server is offering an upgrade to HTTP/2 even though the connection is already done with HTTP/2 - which makes no sense. Not only that, it is explicitly forbidden. From RFC 7540 section 8.1.2.2:
"An endpoint MUST NOT generate an HTTP/2 message containing connection-specific header fields; any message containing connection-specific header fields MUST be treated as malformed (Section 8.1.2.6).... connection-specific header fields, such as Keep-Alive, Proxy-Connection, Transfer-Encoding, and Upgrade"
It looks to me like a bug, since Apache should not send this header with HTTP/2.
My guess is that you have a configuration like this:
Protocols h2 h2c http/1.1
Given that browsers do not support HTTP/2 without TLS anyway and that no Upgrade header is needed with HTTP/2 over TLS, I recommend that you replace this configuration with:
Protocols h2 http/1.1
This disables support for the unneeded HTTP/2 without TLS but should hopefully get rid of the Upgrade header this way since this is only needed for upgrading from plain HTTP to plain HTTP/2.
answered 2 hours ago by Steffen Ullrich, edited 1 hour ago
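Added example (not part of the answer above, and not Apache or curl code): a Python check that applies RFC 7540 section 8.1.2.2 to a decoded HTTP/2 header list, the rule that curl reported and that the answer quotes. The function name malformed_fields and the sample header lists are assumptions made for illustration; only the upgrade: h2,h2c field is taken from the page.

```python
# Added example: RFC 7540 section 8.1.2.2 check over an HTTP/2 header list.
# The names below follow the RFC text quoted in the answer, plus "connection"
# itself; "te" is handled separately (allowed only with the value "trailers").
CONNECTION_SPECIFIC = {
    "connection", "keep-alive", "proxy-connection",
    "transfer-encoding", "upgrade",
}


def malformed_fields(headers):
    """Return the (name, value) pairs that make an HTTP/2 message malformed.

    `headers` is a list of (name, value) tuples as decoded from a HEADERS
    frame. Names are compared case-insensitively.
    """
    # Any header nominated by a Connection header is connection-specific too.
    nominated = set()
    for name, value in headers:
        if name.lower() == "connection":
            nominated.update(
                t.strip().lower() for t in value.split(",") if t.strip()
            )

    bad = []
    for name, value in headers:
        lname = name.lower()
        if lname in CONNECTION_SPECIFIC or lname in nominated:
            bad.append((name, value))
        elif lname == "te" and value.strip().lower() != "trailers":
            bad.append((name, value))
    return bad


# Constructed sample: a response carrying the field curl complained about
# (only the upgrade field comes from the page; the rest is made up).
SAMPLE_BROKEN = [
    (":status", "200"),
    ("content-type", "text/html"),
    ("upgrade", "h2,h2c"),
]
# Constructed sample: the same response without the Upgrade header.
SAMPLE_FIXED = [(":status", "200"), ("content-type", "text/html")]

if __name__ == "__main__":
    for label, hdrs in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        bad = malformed_fields(hdrs)
        print(label, "->", "malformed: %r" % bad if bad else "ok")
```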
I think this is a Safari issue rather than an AWS / SSL issue. The search for that error gets many, many results on Google.
Everything checks out with the website according to the SSL Shopper test and SSL Labs Test.
I found this possible solution to the problem.
"The solution was to go into Safari Preferences, under Privacy and list all Details. This provided a log of all sites where cookies, etc had been used. I found the Weather Network domain page and cleared all content from it. I was then able to reload the Weather Network page with no issues. I assume this would work for other similar singular sites."
There's also this which could be done with Apache.
answered 3 hours ago by Tim
Yes, I have googled this but not found anything that directly applies (afaiu). I've read the proposed solution for nginx but I'm not sure how/if this is applicable for apache. - jola, 2 hours ago
Apache will no doubt be able to delete the "Upgrade" header, which is all Nginx is doing. - Tim, 2 hours ago