OFBiz / OFBIZ-1116

Problem making SSL connection to admin apps with Safari

    Details

    • Type: Bug
    • Status: Reopened
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: Trunk
    • Fix Version/s: None
    • Component/s: framework
    • Labels:
      None

      Description

      I can't seem to connect to any admin apps via SSL. The error message from Safari is:

      Safari can't open the page "https://localhost:8443/webtools/control/main" because it couldn't establish a secure connection to the server "localhost".

        Activity

        David E. Jones added a comment -

        I noticed this too recently. What I'm not sure of is if it started happening around the time that Safari 3 came out. I'm running version 3.0.2 (522.12). I think this version of Safari may be in beta still, so my solution is to use Firefox instead.

        Which version are you using Joe?

        Also, is anyone else seeing or not seeing this problem and which version of Safari and OFBiz are you using?

        Jacques Le Roux added a comment -

        I read this in the Opentaps forum:

        <<I bet you are using Safari 3 beta... It has this behavior with most websites that involve https connections and certificates. >>

        https://sourceforge.net/forum/message.php?msg_id=4390535

        Joe Eckard added a comment -

        I noticed this some time ago also, I was just hoping it would get fixed.

        I'm not using the 3.0 beta, from Safari:About, I'm using Version 2.0.4 (419.3).

        Jacques Le Roux added a comment -

        Put Major as using Firefox (or any other browser) is a workaround for this problem.

        Joe Eckard added a comment -

        For what it's worth, this has something to do with SSL client authentication - if you disable it completely (change clientAuth to "false" instead of "want" in the catalina https connector config) then Safari will connect with no problems.

        Marco Risaliti added a comment -

        Also I have tried to change clientAuth to "false" instead of "want" in the catalina https connector config and now Safari will connect with no problems.
        So why, Joe, don't we close this issue or set it as a minor bug, not a major bug?

        Thanks
        Marco

        Marco Risaliti added a comment -

        So this is not a bug in OFBiz, but probably if clientAuth is set to want the browser checks that the site in the certificate is the same as the running site.
        In any case you can set clientAuth to false and this issue will no longer be present in Safari.

        Thanks
        Marco

        Joe Eckard added a comment -

        Technically no, it is not an OFBiz bug, but having a default configuration that is broken in current versions of Safari seems like bad form to me. I would rather see client auth disabled by default or at least there should be a warning in the readme / setup doc / config file.

        Marco Risaliti added a comment -

        Hi David,

        Here I need your help when you have a minute at your disposal.
        For me this is a configuration bug: in case clientAuth in ofbiz-containers.xml is set to "want", OFBiz doesn't work with Safari.
        So probably it's a default value set for going directly into production, where an SSL certificate is installed on the server, and probably it's correct to set it to "want".
        In a test environment it probably has to be set to "false", and a warning has to be inserted into the production guide to set it to "want".

        What do you think of it?

        Thanks a lot
        Marco

        David E. Jones added a comment -

        I have changed the default in SVN rev 605129, but am also reopening this issue because my guess is that this is fixable. It may come in a future Tomcat update, or someone may have to get down into things and research what is going on and if there is anything we can do in OFBiz to fix it.

        With this setting Safari will work, but to get Safari to work AND support client certificates a separate Tomcat connector will have to be set up for the client cert listener (on a different port or something...) so that they don't conflict.
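
The connector split suggested in the comment above, sketched as an added example that is not part of the original thread and not OFBiz's own configuration. It is a fragment in standalone Tomcat 6 `server.xml` syntax; OFBiz sets the equivalent connector properties in ofbiz-containers.xml. Port 8444 and the keystore/truststore paths and passwords are placeholder assumptions.

```xml
<!-- Added example: standalone Tomcat 6 server.xml fragment, not OFBiz's own file. -->
<Service name="Catalina">

  <!-- Browser-facing HTTPS listener. With clientAuth="false" the server
       never asks for a client certificate, so the handshake failure
       reported in this issue does not occur. Nothing served on this port
       can rely on a client certificate to identify the caller. -->
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" sslProtocol="TLS"
             clientAuth="false"
             keystoreFile="conf/example-keystore.jks"
             keystorePass="CHANGE_ME" />

  <!-- Separate listener for certificate-based clients (8444 is an assumed
       port). clientAuth="want" requests a certificate but still completes
       the handshake without one, so the application must verify that a
       certificate was actually presented before trusting the caller.
       Use clientAuth="true" when a certificate must be mandatory. -->
  <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" sslProtocol="TLS"
             clientAuth="want"
             keystoreFile="conf/example-keystore.jks"
             keystorePass="CHANGE_ME"
             truststoreFile="conf/example-truststore.jks"
             truststorePass="CHANGE_ME" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>
```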

        Marco Risaliti added a comment -

        Thanks a lot, David, for your prompt reply.
        I will also test it with Safari (as soon as I can) and I will let you know.

        Marco

        Marco Risaliti added a comment -

        Hi David,

        I have done some searching on Google about this problem with Safari and I have probably found the real answer from Apple:

        http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh2046.html

        http://forums.macrumors.com/showthread.php?t=280529

        I have not tested it yet and I don't know if it really solves the problem in Safari.

        Marco

        Joe Eckard added a comment -

        I just tried adding framework/base/cert/demoCA/cacert.pem to my X509Anchors keychain, but I get the same error. (Safari can't open the page "https://localhost:8443/webtools/control/scheduleJob" because it couldn't establish a secure connection to the server "localhost".)

        Marco Risaliti added a comment -

        I have tested again with the latest version of Safari, 3.1.2, and the issue is no longer present.

        Thanks
        Marco

        Joe Eckard added a comment -

        The actual issue has not been resolved, we just changed the default value to "false" so that the default config doesn't cause problems with Safari. If you change it back to "want" again, you'll see the error is still there. David's comment suggests he reopened the issue so that when a future Apple or Tomcat fix becomes available, we can resolve the issue and then close it.

        Jacques Le Roux added a comment -

        Per Joe's suggestion

        Jacques Le Roux added a comment -

        Hi,

        Has Apple or Tomcat fixed this?

        Jacques Le Roux added a comment -

        Should we close, has it been fixed in Apple or Tomcat?

        Marco Risaliti added a comment -

        With Safari 5.0.5 and Mac OS X.6.7 this issue is no longer present, so I will close this issue.

        Jacques Le Roux added a comment -

        Hi Marco,

        Did you try with "want" as Joe commented?

        Joe Eckard added a comment -

        Please see the comment I left on 02/Nov/08, it is still valid - i.e. the issue is still there.

        It has been so long I am sure there is a fix or workaround, but I haven't fully investigated it.

        Marco Risaliti added a comment -

        Sorry, I was too fast to close it; I have reopened it.
        I have tested on Safari 5 and Firefox 4 with Tomcat 6.34 and clientAuth set to want, and the problem still exists.


          People

          • Assignee: Unassigned
          • Reporter: Joe Eckard