Apple - Safari can't connect to https

A report on forums.macrumors.com seems to be fairly similar to yours. This happens as well in Safari 5.1 and is very recent.

The solution was to delete:

~/Library/Preferences/com.apple.security.plist

This just reared its ugly head again, this time with Yosemite. It also affected all of the browsers I commonly use (Firefox, Chrome, Chrome Canary).

I tried to follow the advice here, which involved getting information about the root certificate used by the offending website via the web browser: How to fix: Safari can’t open the page because Safari can’t establish a secure connection

I got no love here, since every browser refused to negotiate a connection far enough to get the name of the certificate issuer. I even tried using openssl at the command line, but it also failed:

    [foo@bar]$ echo ^d | openssl s_client -connect broken.web.com:443 | tee cert.log
    6480:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s23_lib.c:185:
    CONNECTED(00000003)

Finally, I was able to open the website on an old machine with Internet Explorer version 9, and found the name of the certificate authority: Comodo Certification Authority.

The linked article hinted at the right thing to do, but here's what worked for me:

  • Open the Keychain Access app.
  • Select "System Roots" keychain.
  • Search for the issuing certificate authority (in this case, Comodo).
  • View the certificate details (double click, expand the "Trust" area of the view window).
  • In my case, the trust rule was: "When using this certificate, ".
  • I changed it to "Always Trust", closed Keychain Access (after entering my admin password) and the page loaded.
  • Not wanting to leave it in a less secure mode, I used Keychain Access again and switched it back to "Use System Defaults".
  • Problem solved, no relaxation of security parameters.

YMMV but it's less drastic than nuking all your tweaks by eliminating the security preferences, nuking all your Safari data, or even re-installing your whole OS, as suggested by some of the links attempting to address this problem.

Update: I had to restart Chrome / Firefox for them to accept the "updated" / reset certificate preferences.

Another Possible Reason: Corporate Proxy or MITM

Just recently had a spate of these, along with failures of certain apps to connect to their servers via the network.

  • The symptom: Laptop or iPhone fails to secure a connection sometimes. The above method doesn't work.
  • The test: Run the iPhone or laptop using cellular connection or mobile hotspot instead of the suspected WiFi or wired network.
  • The result: If the cellular connection works and the non-cellular doesn't, then suspect a man-in-the-middle (MITM) attack, or a corporate proxy that looks like one.
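
The cellular-versus-WiFi test above can be made concrete by saving the `openssl s_client` output for the same host on each network and comparing the issuer lines. This is an added example, not part of the original answers; the function names, issuer names and sample logs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): compare two saved
# `openssl s_client` logs for the same host, one per network.

# Constructed sample logs; the issuer names are made up for illustration.
BASELINE_LOG='CONNECTED(00000003)
subject=/CN=broken.web.com
issuer=/O=Example Public CA/CN=Example Public Root'
PROXY_LOG='CONNECTED(00000003)
subject=/CN=broken.web.com
issuer=/O=Example Corp/CN=Example Corp Inspection CA'
# Abbreviated form of the handshake error shown earlier on this page.
FAIL_LOG='6480:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure
CONNECTED(00000003)'

# Print the issuer of the server certificate from an s_client log (empty if none).
issuer_of() {
    printf '%s\n' "$1" | sed -n 's/^issuer=//p' | head -n 1
}

# $1 = log from the suspect network, $2 = log from cellular or hotspot.
compare_tls_logs() {
    suspect_issuer=$(issuer_of "$1")
    baseline_issuer=$(issuer_of "$2")
    if [ -z "$baseline_issuer" ]; then
        echo "no-baseline"        # fails off-network too, so not network-specific
    elif [ -z "$suspect_issuer" ]; then
        if printf '%s\n' "$1" | grep -q 'handshake failure'; then
            echo "handshake-blocked"  # TLS dies before any certificate is seen
        else
            echo "no-certificate"
        fi
    elif [ "$suspect_issuer" != "$baseline_issuer" ]; then
        echo "issuer-mismatch"    # consistent with a proxy re-signing the site
    else
        echo "same-issuer"
    fi
}

echo "proxy vs baseline:   $(compare_tls_logs "$PROXY_LOG" "$BASELINE_LOG")"
echo "failure vs baseline: $(compare_tls_logs "$FAIL_LOG" "$BASELINE_LOG")"
```

An `issuer-mismatch` result is what a TLS-inspecting corporate proxy produces, since it presents a certificate signed by its own CA; the same result on a network you do not expect to inspect traffic is the case to investigate.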