HTTPS doesn't work with Safari

Clash Royale CLAN TAG#URR8PPP

up vote
2
down vote

favorite

1

I have an EC2 instance with Apache as webserver (and Wildfly as app-server, although I'm not sure it has anything to do with this issue). In front of EC2 I have a load balancer which terminates HTTPS and applies the SSL cert.

Both HTTP and HTTPS works fine in Chrome, but unfortunately not in Safari. Accessing http://test.papereed.com works fine, but accessing https://test.papereed.com gives the error

"Safari can't open the page. The error is "The operation couldn't be completed. Protocol error" (NSPOSIXErrorDomain:100)"

I've looked in /etc/httpd/logs/error_log and /etc/httpd/logs/access_log and also in the Safari console without finding any hint to solving the problem. And that's about how far my knowledge goes :-( Any hints how to trace this issue would be much appreciated.

ssl https safari

share|improve this question

edited 3 hours ago

Tim

16.2k31845

asked 3 hours ago

jola

5316

add a comment | 

up vote
2
down vote

favorite

1

I have an EC2 instance with Apache as webserver (and Wildfly as app-server, although I'm not sure it has anything to do with this issue). In front of EC2 I have a load balancer which terminates HTTPS and applies the SSL cert.

Both HTTP and HTTPS works fine in Chrome, but unfortunately not in Safari. Accessing http://test.papereed.com works fine, but accessing https://test.papereed.com gives the error

"Safari can't open the page. The error is "The operation couldn't be completed. Protocol error" (NSPOSIXErrorDomain:100)"

I've looked in /etc/httpd/logs/error_log and /etc/httpd/logs/access_log and also in the Safari console without finding any hint to solving the problem. And that's about how far my knowledge goes :-( Any hints how to trace this issue would be much appreciated.

ssl https safari

share|improve this question

edited 3 hours ago

Tim

16.2k31845

asked 3 hours ago

jola

5316

add a comment | 

up vote
2
down vote

favorite

1

up vote
2
down vote

favorite

1

1

I have an EC2 instance with Apache as webserver (and Wildfly as app-server, although I'm not sure it has anything to do with this issue). In front of EC2 I have a load balancer which terminates HTTPS and applies the SSL cert.

Both HTTP and HTTPS works fine in Chrome, but unfortunately not in Safari. Accessing http://test.papereed.com works fine, but accessing https://test.papereed.com gives the error

"Safari can't open the page. The error is "The operation couldn't be completed. Protocol error" (NSPOSIXErrorDomain:100)"

I've looked in /etc/httpd/logs/error_log and /etc/httpd/logs/access_log and also in the Safari console without finding any hint to solving the problem. And that's about how far my knowledge goes :-( Any hints how to trace this issue would be much appreciated.

ssl https safari

share|improve this question

edited 3 hours ago

Tim

16.2k31845

asked 3 hours ago

jola

5316

I have an EC2 instance with Apache as webserver (and Wildfly as app-server, although I'm not sure it has anything to do with this issue). In front of EC2 I have a load balancer which terminates HTTPS and applies the SSL cert.

Both HTTP and HTTPS works fine in Chrome, but unfortunately not in Safari. Accessing http://test.papereed.com works fine, but accessing https://test.papereed.com gives the error

"Safari can't open the page. The error is "The operation couldn't be completed. Protocol error" (NSPOSIXErrorDomain:100)"

I've looked in /etc/httpd/logs/error_log and /etc/httpd/logs/access_log and also in the Safari console without finding any hint to solving the problem. And that's about how far my knowledge goes :-( Any hints how to trace this issue would be much appreciated.

ssl https safari

ssl https safari

share|improve this question

edited 3 hours ago

Tim

16.2k31845

asked 3 hours ago

jola

5316

share|improve this question

edited 3 hours ago

Tim

16.2k31845

asked 3 hours ago

jola

5316

share|improve this question

share|improve this question

edited 3 hours ago

Tim

16.2k31845

edited 3 hours ago

Tim

16.2k31845

edited 3 hours ago

Tim

16.2k31845

16.2k31845

asked 3 hours ago

jola

5316

asked 3 hours ago

jola

5316

asked 3 hours ago

jola

5316

5316

add a comment | 

add a comment | 

2 Answers
2

active

oldest

votes

up vote
3
down vote

curl (if compiled with HTTP/2 support) exhibits the same problem but shows the reason:

http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1, name: [upgrade], value: [h2,h2c]

It looks like your server is offering an upgrade to HTTP/2 even though the connection is already done with HTTP/2 - which makes no sense. Not only that, it is explicitly forbidden. From RFC 7540 section 8.1.2.2:

An endpoint MUST NOT
generate an HTTP/2 message containing connection-specific header
fields; any message containing connection-specific header fields MUST
be treated as malformed (Section 8.1.2.6).... connection-
specific header fields, such as Keep-Alive, Proxy-Connection,
Transfer-Encoding, and Upgrade

It looks for me a bug since Apache should not send this header with HTTP/2.

My guess is that you have a configuration like this

Protocols h2 h2c http/1.1

Given that browsers do not support HTTP/2 without TLS anyway and that no Upgrade header is needed with HTTP/2 over TLS I recommend that you replace this configuration with

Protocols h2 http/1.1

This disables support for the unneeded HTTP/2 without TLS but should hopefully get rid of the Upgrade header this way since this is only needed for upgrading from plain HTTP to plain HTTP/2.

share|improve this answer

edited 1 hour ago

answered 2 hours ago

Steffen Ullrich

7,5631424

add a comment | 

up vote
1
down vote

I think this is a Safari issue rather than an AWS / SSL issue. The search for that error gets many, many results on Google.

Everything checks out with the website according to the SSL Shopper test and SSL Labs Test.

I found this possible solution to the problem.

The solution was to go into Safari Preferences, under Privacy and list
all Details. This provided a log of all sites where cookies, etc had
been used. I found the Weather Network domain page and cleared all
content from it. I was then able to reload the Weather Network page
with no issues. I assume this would work for other similar singular
sites.

There's also this which could be done with Apache.

share|improve this answer

answered 3 hours ago

Tim

16.2k31845

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Yes, I have googled this but not found anything that directly applies (afaiu). I've read the proposed solution for nginx but I'm not sure how/if this is applicable for apache.
  – jola
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Apache will no doubt be able to delete the "Upgrade" header, which is all Nginx is doing.
  – Tim
  2 hours ago
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f937253%2fhttps-doesnt-work-with-safari%23new-answer', 'question_page');

);

Post as a guest

Name Email

2 Answers
2

active

oldest

votes

2 Answers
2

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
3
down vote

curl (if compiled with HTTP/2 support) exhibits the same problem but shows the reason:

http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1, name: [upgrade], value: [h2,h2c]

It looks like your server is offering an upgrade to HTTP/2 even though the connection is already done with HTTP/2 - which makes no sense. Not only that, it is explicitly forbidden. From RFC 7540 section 8.1.2.2:

An endpoint MUST NOT
generate an HTTP/2 message containing connection-specific header
fields; any message containing connection-specific header fields MUST
be treated as malformed (Section 8.1.2.6).... connection-
specific header fields, such as Keep-Alive, Proxy-Connection,
Transfer-Encoding, and Upgrade

It looks for me a bug since Apache should not send this header with HTTP/2.

My guess is that you have a configuration like this

Protocols h2 h2c http/1.1

Given that browsers do not support HTTP/2 without TLS anyway and that no Upgrade header is needed with HTTP/2 over TLS I recommend that you replace this configuration with

Protocols h2 http/1.1

This disables support for the unneeded HTTP/2 without TLS but should hopefully get rid of the Upgrade header this way since this is only needed for upgrading from plain HTTP to plain HTTP/2.

share|improve this answer

edited 1 hour ago

answered 2 hours ago

Steffen Ullrich

7,5631424

add a comment | 

up vote
3
down vote

curl (if compiled with HTTP/2 support) exhibits the same problem but shows the reason:

http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1, name: [upgrade], value: [h2,h2c]

It looks like your server is offering an upgrade to HTTP/2 even though the connection is already done with HTTP/2 - which makes no sense. Not only that, it is explicitly forbidden. From RFC 7540 section 8.1.2.2:

An endpoint MUST NOT
generate an HTTP/2 message containing connection-specific header
fields; any message containing connection-specific header fields MUST
be treated as malformed (Section 8.1.2.6).... connection-
specific header fields, such as Keep-Alive, Proxy-Connection,
Transfer-Encoding, and Upgrade

It looks for me a bug since Apache should not send this header with HTTP/2.

My guess is that you have a configuration like this

Protocols h2 h2c http/1.1

Given that browsers do not support HTTP/2 without TLS anyway and that no Upgrade header is needed with HTTP/2 over TLS I recommend that you replace this configuration with

Protocols h2 http/1.1

This disables support for the unneeded HTTP/2 without TLS but should hopefully get rid of the Upgrade header this way since this is only needed for upgrading from plain HTTP to plain HTTP/2.

share|improve this answer

edited 1 hour ago

answered 2 hours ago

Steffen Ullrich

7,5631424

add a comment | 

up vote
3
down vote

up vote
3
down vote

curl (if compiled with HTTP/2 support) exhibits the same problem but shows the reason:

http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1, name: [upgrade], value: [h2,h2c]

It looks like your server is offering an upgrade to HTTP/2 even though the connection is already done with HTTP/2 - which makes no sense. Not only that, it is explicitly forbidden. From RFC 7540 section 8.1.2.2:

An endpoint MUST NOT
generate an HTTP/2 message containing connection-specific header
fields; any message containing connection-specific header fields MUST
be treated as malformed (Section 8.1.2.6).... connection-
specific header fields, such as Keep-Alive, Proxy-Connection,
Transfer-Encoding, and Upgrade

It looks for me a bug since Apache should not send this header with HTTP/2.

My guess is that you have a configuration like this

Protocols h2 h2c http/1.1

Given that browsers do not support HTTP/2 without TLS anyway and that no Upgrade header is needed with HTTP/2 over TLS I recommend that you replace this configuration with

Protocols h2 http/1.1

This disables support for the unneeded HTTP/2 without TLS but should hopefully get rid of the Upgrade header this way since this is only needed for upgrading from plain HTTP to plain HTTP/2.

share|improve this answer

edited 1 hour ago

answered 2 hours ago

Steffen Ullrich

7,5631424

curl (if compiled with HTTP/2 support) exhibits the same problem but shows the reason:

http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1, name: [upgrade], value: [h2,h2c]

It looks like your server is offering an upgrade to HTTP/2 even though the connection is already done with HTTP/2 - which makes no sense. Not only that, it is explicitly forbidden. From RFC 7540 section 8.1.2.2:

An endpoint MUST NOT
generate an HTTP/2 message containing connection-specific header
fields; any message containing connection-specific header fields MUST
be treated as malformed (Section 8.1.2.6).... connection-
specific header fields, such as Keep-Alive, Proxy-Connection,
Transfer-Encoding, and Upgrade

It looks for me a bug since Apache should not send this header with HTTP/2.

My guess is that you have a configuration like this

Protocols h2 h2c http/1.1

Given that browsers do not support HTTP/2 without TLS anyway and that no Upgrade header is needed with HTTP/2 over TLS I recommend that you replace this configuration with

Protocols h2 http/1.1

This disables support for the unneeded HTTP/2 without TLS but should hopefully get rid of the Upgrade header this way since this is only needed for upgrading from plain HTTP to plain HTTP/2.

share|improve this answer

edited 1 hour ago

answered 2 hours ago

Steffen Ullrich

7,5631424

share|improve this answer

share|improve this answer

edited 1 hour ago

edited 1 hour ago

edited 1 hour ago

answered 2 hours ago

Steffen Ullrich

7,5631424

answered 2 hours ago

Steffen Ullrich

7,5631424

answered 2 hours ago

Steffen Ullrich

7,5631424

7,5631424

add a comment | 

add a comment | 

up vote
1
down vote

I think this is a Safari issue rather than an AWS / SSL issue. The search for that error gets many, many results on Google.

Everything checks out with the website according to the SSL Shopper test and SSL Labs Test.

I found this possible solution to the problem.

The solution was to go into Safari Preferences, under Privacy and list
all Details. This provided a log of all sites where cookies, etc had
been used. I found the Weather Network domain page and cleared all
content from it. I was then able to reload the Weather Network page
with no issues. I assume this would work for other similar singular
sites.

There's also this which could be done with Apache.

share|improve this answer

answered 3 hours ago

Tim

16.2k31845

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Yes, I have googled this but not found anything that directly applies (afaiu). I've read the proposed solution for nginx but I'm not sure how/if this is applicable for apache.
  – jola
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Apache will no doubt be able to delete the "Upgrade" header, which is all Nginx is doing.
  – Tim
  2 hours ago
  

  
  
  
  

add a comment | 

up vote
1
down vote

I think this is a Safari issue rather than an AWS / SSL issue. The search for that error gets many, many results on Google.

Everything checks out with the website according to the SSL Shopper test and SSL Labs Test.

I found this possible solution to the problem.

The solution was to go into Safari Preferences, under Privacy and list
all Details. This provided a log of all sites where cookies, etc had
been used. I found the Weather Network domain page and cleared all
content from it. I was then able to reload the Weather Network page
with no issues. I assume this would work for other similar singular
sites.

There's also this which could be done with Apache.

share|improve this answer

answered 3 hours ago

Tim

16.2k31845

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Yes, I have googled this but not found anything that directly applies (afaiu). I've read the proposed solution for nginx but I'm not sure how/if this is applicable for apache.
  – jola
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Apache will no doubt be able to delete the "Upgrade" header, which is all Nginx is doing.
  – Tim
  2 hours ago
  

  
  
  
  

add a comment | 

up vote
1
down vote

up vote
1
down vote

I think this is a Safari issue rather than an AWS / SSL issue. The search for that error gets many, many results on Google.

Everything checks out with the website according to the SSL Shopper test and SSL Labs Test.

I found this possible solution to the problem.

The solution was to go into Safari Preferences, under Privacy and list
all Details. This provided a log of all sites where cookies, etc had
been used. I found the Weather Network domain page and cleared all
content from it. I was then able to reload the Weather Network page
with no issues. I assume this would work for other similar singular
sites.

There's also this which could be done with Apache.

share|improve this answer

answered 3 hours ago

Tim

16.2k31845

I think this is a Safari issue rather than an AWS / SSL issue. The search for that error gets many, many results on Google.

Everything checks out with the website according to the SSL Shopper test and SSL Labs Test.

I found this possible solution to the problem.

The solution was to go into Safari Preferences, under Privacy and list
all Details. This provided a log of all sites where cookies, etc had
been used. I found the Weather Network domain page and cleared all
content from it. I was then able to reload the Weather Network page
with no issues. I assume this would work for other similar singular
sites.

There's also this which could be done with Apache.

share|improve this answer

answered 3 hours ago

Tim

16.2k31845

share|improve this answer

share|improve this answer

answered 3 hours ago

Tim

16.2k31845

answered 3 hours ago

Tim

16.2k31845

answered 3 hours ago

Tim

16.2k31845

16.2k31845

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Yes, I have googled this but not found anything that directly applies (afaiu). I've read the proposed solution for nginx but I'm not sure how/if this is applicable for apache.
  – jola
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Apache will no doubt be able to delete the "Upgrade" header, which is all Nginx is doing.
  – Tim
  2 hours ago
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Yes, I have googled this but not found anything that directly applies (afaiu). I've read the proposed solution for nginx but I'm not sure how/if this is applicable for apache.
  – jola
  2 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Apache will no doubt be able to delete the "Upgrade" header, which is all Nginx is doing.
  – Tim
  2 hours ago
  

  
  
  
  

Yes, I have googled this but not found anything that directly applies (afaiu). I've read the proposed solution for nginx but I'm not sure how/if this is applicable for apache.
– jola
2 hours ago

Yes, I have googled this but not found anything that directly applies (afaiu). I've read the proposed solution for nginx but I'm not sure how/if this is applicable for apache.
– jola
2 hours ago

Apache will no doubt be able to delete the "Upgrade" header, which is all Nginx is doing.
– Tim
2 hours ago

Apache will no doubt be able to delete the "Upgrade" header, which is all Nginx is doing.
– Tim
2 hours ago

add a comment | 

 

draft saved

draft discarded

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f937253%2fhttps-doesnt-work-with-safari%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email