HTTPS doesn't work with Safari

ssl https safari
14,899

Solution 1

curl (if compiled with HTTP/2 support) exhibits the same problem but shows the reason:

http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1, name: [upgrade], value: [h2,h2c]

It looks like your server is offering an upgrade to HTTP/2 even though the connection is already done with HTTP/2 - which makes no sense. Not only that, it is explicitly forbidden. From RFC 7540 section 8.1.2.2:

An endpoint MUST NOT generate an HTTP/2 message containing connection-specific header fields; any message containing connection-specific header fields MUST be treated as malformed (Section 8.1.2.6).... connection- specific header fields, such as Keep-Alive, Proxy-Connection, Transfer-Encoding, and Upgrade

It looks for me a bug since Apache should not send this header with HTTP/2.

My guess is that you have a configuration like this

Protocols h2 h2c http/1.1

Given that browsers do not support HTTP/2 without TLS anyway and that no Upgrade header is needed with HTTP/2 over TLS I recommend that you replace this configuration with

Protocols h2 http/1.1

This disables support for the unneeded HTTP/2 without TLS but should hopefully get rid of the Upgrade header this way since this is only needed for upgrading from plain HTTP to plain HTTP/2.

EDIT: according to the comment by the OP changing the Protocols configuration did not help. It was necessary to explicitly work around this behavior (i.e. bug) of mod_http2 by deleting the Upgrade header:

Header unset Upgrade

Solution 2

I think this is a Safari issue rather than an AWS / SSL issue. The search for that error gets many, many results on Google.

Everything checks out with the website according to the SSL Shopper test and SSL Labs Test.

I found this possible solution to the problem.

The solution was to go into Safari Preferences, under Privacy and list all Details. This provided a log of all sites where cookies, etc had been used. I found the Weather Network domain page and cleared all content from it. I was then able to reload the Weather Network page with no issues. I assume this would work for other similar singular sites.

There's also this which could be done with Apache.

Share:
14,899
jola
Author by

jola

Updated on September 18, 2022

Comments

  • jola
    jola over 1 year

    I have an EC2 instance with Apache as webserver (and Wildfly as app-server, although I'm not sure it has anything to do with this issue). In front of EC2 I have a load balancer which terminates HTTPS and applies the SSL cert.

    Both HTTP and HTTPS works fine in Chrome, but unfortunately not in Safari. Accessing http://test.papereed.com works fine, but accessing https://test.papereed.com gives the error

    "Safari can't open the page. The error is "The operation couldn't be completed. Protocol error" (NSPOSIXErrorDomain:100)"

    I've looked in /etc/httpd/logs/error_log and /etc/httpd/logs/access_log and also in the Safari console without finding any hint to solving the problem. And that's about how far my knowledge goes :-( Any hints how to trace this issue would be much appreciated.

  • jola
    jola over 5 years
    Yes, I have googled this but not found anything that directly applies (afaiu). I've read the proposed solution for nginx but I'm not sure how/if this is applicable for apache.
  • Tim
    Tim over 5 years
    Apache will no doubt be able to delete the "Upgrade" header, which is all Nginx is doing.
  • jola
    jola over 5 years
    Thank you! I indeed had the following config: # Enable HTTP/2 by default # https://httpd.apache.org/docs/2.4/mod/core.html#protocols <IfModule mod_http2.c> Protocols h2 h2c http/1.1 </IfModule> Following your recommendation and changing to Protocols h2 http/1.1 did not remove the upgrade header, so instead I kept the Protocols line as is and added the following: Header unset Upgrade to remove the header. Can't say I'm 100% on top of what/why happens here but now it works fine in Safari too :-)
  • Admin
    Admin over 3 years
    Thanks. Helped me out with my configuration Nginx and Apache. Without proxy_hide_header Upgrade; i could access https://my.example.com/gallery/ with Chrome but not with Safari and not with curl. curl -4 --http2 -I -v https://my.example.com/gallery/ reported * http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1, name: [upgrade], value: [h2,h2c] * HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1) but after setting proxy_hide_header it is working.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to test https rest webservice in postman
iPhone: install certificate for SSL connection
iOS HTTPS requests 101
Comodo SSL: ERR_CERT_AUTHORITY_INVALID on Chrome mobile and Opera mobile (Android)
how SSL & cookies work?
Getting a certificate from an https site
OS X 10.11.6 El Capitan SSLRead() return error -9841
Flutter https with self signed certificate
Magento - onePage checkout and SSL (HTTPS)
HTTP Error 500.19 - Internal Server Error The requested page cannot (WCF + REST + IIS7 + SSL)