Safari(OS X 和 iOS)的 SSL 握手错误,在所有其他浏览器中均有效

Safari(OS X 和 iOS)的 SSL 握手错误,在所有其他浏览器中均有效

我跑https://symmetricstrength.com,我在 OS X 和 iOS 上使用 Safari 时都遇到了问题。如果我尝试使用 Safari 连接到该网站,我会收到“无法与服务器建立安全连接”的消息。

如果我检查 OS X 上的系统日志,我得到的只是消息“CFNetwork SSLHandshake 失败 (-9800)”。

这里一切看起来都很好:

https://www.sslshopper.com/ssl-checker.html#hostname=symmetricstrength.com

...并且它在 SSL Labs 测试中获得了“A”评级。

如果我运行:

openssl s_client -connect symmetricstrength.com:443

一切看起来都很好:

CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
verify return:1
depth=0 OU = GT01222950, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = symmetricstrength.com
verify return:1
---
Certificate chain
 0 s:/OU=GT01222950/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=symmetricstrength.com
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIErTCCA5WgAwIBAgIDBb3zMA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMSAwHgYDVQQDExdSYXBpZFNTTCBTSEEy
NTYgQ0EgLSBHMzAeFw0xNTA3MTYxOTI5MzZaFw0xNjA3MTcyMjU2NTlaMIGZMRMw
EQYDVQQLEwpHVDAxMjIyOTUwMTEwLwYDVQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNv
bS9yZXNvdXJjZXMvY3BzIChjKTE1MS8wLQYDVQQLEyZEb21haW4gQ29udHJvbCBW
YWxpZGF0ZWQgLSBSYXBpZFNTTChSKTEeMBwGA1UEAxMVc3ltbWV0cmljc3RyZW5n
dGguY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw+pX5uEoWR3/
xE9ZXyQMt3UtSzC4wfg7sVMBToJZYxgMtmN4rI1DvxrpsbWhCbF7sreV9DjJ8UHq
VjCbMci+Gtce7PdOjmJNxOhPC2egi7B0uV9LKkr4Lv243ecK7Z2l2bYjn9Ex9s6+
a/dX8UjU1xp2ZQJL2se+bcGbZ9G0sp3cx9XHtPZGr7i6KCjBf1YjaQNBaW/X6Kxp
/+4A01JkL/1KMCMmlRaQMgrNPMz4eNdGq/iVw/1tXZqpwUGTVqUwU5Kibc6+Vxgc
r7EFLrQoHdC37Y4ytYk1iVJ7OIaT+D+xFwNIKYnhQCBgHnbT+VCF6r0sl2xCetas
H2U8wdQ7XwIDAQABo4IBTTCCAUkwHwYDVR0jBBgwFoAUw5zz/NNGCDS7zkZ/oHxb
8+IIy1kwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzABhhNodHRwOi8vZ3Yuc3lt
Y2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vZ3Yuc3ltY2IuY29tL2d2LmNydDAO
BgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMCAG
A1UdEQQZMBeCFXN5bW1ldHJpY3N0cmVuZ3RoLmNvbTArBgNVHR8EJDAiMCCgHqAc
hhpodHRwOi8vZ3Yuc3ltY2IuY29tL2d2LmNybDAMBgNVHRMBAf8EAjAAMEEGA1Ud
IAQ6MDgwNgYGZ4EMAQIBMCwwKgYIKwYBBQUHAgEWHmh0dHBzOi8vd3d3LnJhcGlk
c3NsLmNvbS9sZWdhbDANBgkqhkiG9w0BAQsFAAOCAQEAQgzv7L5TMTC9yFHx9cdk
/Oo3aD6iEF+oTsdWHU4HjYheP5oZLYr3ThVzJf3ecz8GICeyE7ERe0aRjF4lGjSw
ZQk3FI99bBiBm/+fMt5Qq2inWiYb1tqVdsvfhhe9SChsbglZQ7xMLpp86DxIwVrU
yBTyeMH1A/eXlUSCqEaK2C2YWHpkI2X2CgCK4RvC+DWh2dH6zrz5seWmuS5wy0xO
OC12OlnDjDnbY1eV+GdGC3jHJpsAjTW4RW9bCqxX48DQ+tZd7QSA9JU6FW3xwfdK
TdCLULuG8DSiuqDrUIH41Va7doJvaPiwcnZ10X+eoUYGSeNYQS16t0+7wEJbhg1+
9A==
-----END CERTIFICATE-----
subject=/OU=GT01222950/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=symmetricstrength.com
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2763 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: D5E0FC9750A76E610A86E36BD9FD44B0AE45C7DAC7450DCAA877A4FDBD55415C
    Session-ID-ctx: 
    Master-Key: 2B428D6C3DC193B80E9E3D52E1E6000107814792ECEE672E3A88A8EE52E7827B006413B34D9B09639B98EBBB24885DB8
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1441806161
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed

Safari 不仅无法连接我的电脑和 iPad,而且无法连接其他几个用户(包括我在 Browsershots 等网站上测试的情况)。我测试过的 Chrome、IE、Firefox、Opera 和其他一些浏览器都运行正常。

该网站在 Warp Web 服务器上运行,并使用最新版本的 Keter (1.4.3.1) 进行部署。我认为问题可能是在我升级到最新版本的 Warp/Keter 时开始的,这可能更改了一些 SSL 设置。在更新之前,我的网站由于支持不安全的重新协商而未通过 SSL 实验室测试,但更新后它顺利通过了。

有任何想法吗?

答案1

发现问题:https://github.com/yesodweb/wai/issues/429

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 似乎不适用于 Safari。根据上述问题,Warp 的补丁将于明天发布,所以我会耐心等待。

相关内容