Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#499 closed defect (invalid)

WebSocket will not connect from iOS Safari if ssl_verify_client is set to "optional"

Reported by: Greg Smethells Owned by:
Priority: major Milestone:
Component: nginx-core Version: 1.4.x
Keywords: Cc:
uname -a: Linux gsmethells 2.6.32-279.el6.x86_64 #1 SMP Thu Jun 21 07:08:44 CDT 2012 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.4.1
built by gcc 4.4.6 20120305 (Red Hat 4.4.6-4) (GCC)
TLS SNI support enabled
configure arguments: --with-debug --with-http_ssl_module

Description

The latest iOS Safari fails to connect a WebSocket if ssl_verify_client is set to "optional". No attempt is made to provided a client cert from the client; however, given that the client cert is "optional", it should still connect, to my understanding.

Change History (4)

comment:1 by Greg Smethells, 10 years ago

Our constraints are also that setting up client certificates on an iPad is too large and painful of a problem for our users to perform en-mass during deployment of our web app. In fact, using a web app is supposed to improve the ease of deployment, hence a client cert will never be assumed in the design for those designing web apps with thousands of users in many geographic locations.

comment:2 by Greg Smethells, 10 years ago

Instead a client cert will only be used when servers interact with other servers in the distributed system via RPC on the same port used by the web app itself. This port co-use allows fewer firewall and infrastructure changes thus smoothing the adoption of the web app.

comment:3 by Maxim Dounin, 10 years ago

Resolution: invalid
Status: newclosed

This doesn't looks like nginx problem, try reporting it to Apple instead. There are chances that #472 is related, try looking if a workaround suggested works for you.

comment:4 by Greg Smethells, 10 years ago

Submitted to Apple as ticket 16001290.

Note: See TracTickets for help on using tickets.