Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#499 closed defect (invalid)

WebSocket will not connect from iOS Safari if ssl_verify_client is set to "optional"

Reported by: www.google.com/accounts/o8/id?id=AItOawnaw8KyNmCRbTRGYwbwkvurIZkkB1tVtzE
Owned by:
Priority: major
Milestone:
Component: nginx-core
Version: 1.4.x
Keywords:
Cc:
uname -a: Linux gsmethells 2.6.32-279.el6.x86_64 #1 SMP Thu Jun 21 07:08:44 CDT 2012 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.4.1 built by gcc 4.4.6 20120305 (Red Hat 4.4.6-4) (GCC) TLS SNI support enabled configure arguments: --with-debug --with-http_ssl_module

Description

The latest iOS Safari fails to connect a WebSocket if ssl_verify_client is set to "optional". No attempt is made to provide a client cert from the client; however, given that the client cert is "optional", it should still connect, to my understanding.

Change History (4)

comment:1 Changed 6 years ago by www.google.com/accounts/o8/id?id=AItOawnaw8KyNmCRbTRGYwbwkvurIZkkB1tVtzE

Our constraints are also that setting up client certificates on an iPad is too large and painful of a problem for our users to perform en masse during deployment of our web app. In fact, using a web app is supposed to improve the ease of deployment, hence a client cert will never be assumed in the design for those designing web apps with thousands of users in many geographic locations.

comment:2 Changed 6 years ago by www.google.com/accounts/o8/id?id=AItOawnaw8KyNmCRbTRGYwbwkvurIZkkB1tVtzE

Instead, a client cert will only be used when servers interact with other servers in the distributed system via RPC on the same port used by the web app itself. This port co-use allows fewer firewall and infrastructure changes, thus smoothing the adoption of the web app.

comment:3 Changed 6 years ago by mdounin

  • Resolution set to invalid
  • Status changed from new to closed

This doesn't look like an nginx problem; try reporting it to Apple instead. There are chances that #472 is related; try looking if a workaround suggested works for you.

comment:4 Changed 6 years ago by www.google.com/accounts/o8/id?id=AItOawnaw8KyNmCRbTRGYwbwkvurIZkkB1tVtzE

Submitted to Apple as ticket 16001290.
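
The shared-port design described in comments 1 and 2, sketched as an nginx configuration. This is an added example, not the reporter's configuration or part of the ticket, and it does not address the Safari behaviour reported here; the hostname, file paths, upstream address, header name and the `/ws/` and `/rpc/` locations are assumptions. It shows that with `ssl_verify_client optional` nginx accepts connections that present no certificate, so the RPC path has to check `$ssl_client_verify` itself.

```nginx
# Added example. All names, paths and addresses below are assumed.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream app_backend {
    server 127.0.0.1:8080;              # assumed application server
}

server {
    listen 443 ssl;
    server_name app.example.com;        # assumed hostname

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Request a client certificate in the handshake but do not require one.
    # Browsers without a certificate still get through; $ssl_client_verify
    # is then NONE rather than SUCCESS.
    ssl_client_certificate /etc/nginx/tls/rpc-clients-ca.crt;
    ssl_verify_client      optional;

    # Browser traffic, including the WebSocket: no client certificate expected.
    location /ws/ {
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # Drop any client-supplied identity header so it cannot be spoofed.
        proxy_set_header X-Client-DN "";
        proxy_pass http://app_backend;
    }

    # Server-to-server RPC on the same port: "optional" alone enforces
    # nothing, so reject every request without a verified certificate.
    location /rpc/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        # Pass the verified subject on so the backend can authorize the peer.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://app_backend;
    }
}
```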
