21 Mar 2011

Safari providing an SSL error “client certificate rejected” when other browsers work 


If you’re receiving an error message such as:

Safari can’t open the page “https://example.com”. The error was: “client certificate rejected” (NSURLErrorDomain:-1205) Please choose Report Bug to Apple from the Safari menu, note the error number, and describe what you did before you saw this message.

This is likely because the web server you are connecting to is running Apache with “SSLVerifyClient optional” configured. It appears that Safari 5 (or perhaps even earlier versions) negotiates client certificates improperly with the web server. Other browsers such as Google Chrome and Firefox do not have the issue, but Safari cannot connect to these sites without a server-side change.

Once you change the SSLVerifyClient setting in the Apache configuration from ‘optional’ to ‘none’, the browser will once again be able to connect as expected.
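The change described above, shown as an added example rather than configuration taken from the original post. The host name, file paths and the /admin location are placeholders, and the location block assumes a site where one path still needs client certificates after the site-wide setting is switched to none.

```apache
<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    # Placeholder paths; substitute your own server certificate and key.
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # Before: every client is asked for a certificate during the handshake.
    # This is the setting that produces "client certificate rejected" in Safari.
    # SSLVerifyClient optional

    # After: no certificate request for the site as a whole.
    SSLVerifyClient none

    # Assumed case: one path still depends on client certificates.
    # With "none" at the virtual host level, nothing else on the site
    # requests or checks a client certificate, so any path that relied on
    # the optional check must now ask for one explicitly.
    # SSLCACertificateFile is only valid at server or virtual host level.
    SSLCACertificateFile /etc/ssl/certs/client-ca.crt
    <Location "/admin">
        SSLVerifyClient require
        SSLVerifyDepth  1
    </Location>
</VirtualHost>
```

Run `apachectl configtest` before reloading Apache so a syntax error does not take the site down. Before switching to none, check whether any application code reads the client certificate variables set by mod_ssl, because those will be empty once the certificate is no longer requested.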

If anyone has experienced this issue or knows of a work-around for the Safari side of the equation, please comment!

6 Responses to “Safari providing an SSL error “client certificate rejected” when other browsers work”

  1. Chris Sanburn says:

    Confirmed this fix works for my Apache server. It was a problem with Safari v4 as well, not just v5 and above.

    I got a slightly different error message, however:

    no certificate available
    no certificates meet the application

    Then given an Ok and Cancel option but pressing either one of them still results in you not getting to an https page.

    Thanks for the post!

  2. Bart says:

    We have the same issue; Safari reports “No certificate available No certificates meet the application..” when using SSL (https:// connection). Other browsers (IE, FF) have no issue.

    However, our application server is running under Windows, so no Apache, but IIS (7).

    Does anyone know a fix for this situation?

  3. wilby says:

    How do you alter the apache configuration?

  4. Jon says:

    Same issue here. Our servers are running Apache with a valid SSL certificate installed and all the other browsers I load it in work fine, except Safari. I run Safari in Windows to test sites. A business associate of mine is running it on Mac and he tells me the site loads fine. Another person running it on Mac said they got some other error message about Certificate (not sure what) but was able to get to the site. It seems to be a bug in Safari, perhaps? We set SSLVerifyClient to none and it is still happening.

  5. Per says:

    We found that setting “SSLCiphersuite ALL” made Safari able to negotiate a client certificate authentication.

  6. Olav says:

    The problem persists in Safari 6.
    I can confirm that this definitely is a problem that applies to Safari, which is incapable of handling optional certificates regardless of the server’s OS, as long as the server acts according to RFC 2246 and relevant superseding RFCs.
    However it can be circumvented by using a browser that does not have this bug (like Firefox and Chrome) or by installing a certificate that the server will accept. It WILL fail without the optional certificate as per Safari Version 6.0.2.
