id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc,uname,nginx_version
472,ssl_client_verify fails in Safari,Catchall Account,,"nginx version: nginx/1.4.1 (Ubuntu), client: Safari 7.0.1 (9537.73.11) on Mac OSX 10.9.1 build 13B42

When ssl_client_verify is set to ""optional"", access via Safari prompts to use a client cert in the keychain that appears to have been autogenerated. The client cert, of course, is not valid for this SSL transaction (don't know where it chains, or even what it's used for). The three options are ""Always allow"", ""Deny"", and ""Allow"". None of the options result in proper behavior.

When either of the ""Allow"" variants is selected, nginx responds with

10.0.1.4 - - [20/Dec/2013:11:43:38 -0800] ""GET / HTTP/1.1"" 400 239 ""-"" ""Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.73.11 (KHTML, like Gecko) Version/7.0.1 Safari/537.73.11"" ""FAILED"" ""/CN=com.apple.idms.appleid.prd.734c3513d3d""

and a 400 ""400 Bad Request / The SSL certificate error [sic]"" is returned to the client.

When the ""Deny"" option is selected (three times), the request doesn't appear to be sent by Safari. It returns ""Safari can't open the page https://10.0.1.14 because Safari can't establish a secure connection to the server"".

This could be a bug in the way Safari handles client cert requests, but it's impacting client access to nginx, especially since ssl_client_verify is an all-or-nothing proposition right now (you can't enable it per location). Firefox has no issue.
",defect,closed,major,,nginx-module,1.3.x,invalid,"ssl, ssl_client_verify",,Linux myserver 3.11.0-12-generic #19-Ubuntu SMP Wed Oct 9 16:20:46 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux,"nginx version: nginx/1.4.1 (Ubuntu) TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --with-pcre-jit --with-debug --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-mail --with-mail_ssl_module --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-auth-pam --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-dav-ext-module --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-echo --add-module=/build/buildd/nginx-1.4.1/debian/modules/nginx-upstream-fair --add-module=/build/buildd/nginx-1.4.1/debian/modules/ngx_http_substitutions_filter_module "