Websockets are broken when used with client-side SSL certificates
| Originator: | darconeous | | |
| Number: | rdar://25067682 | Date Originated: | March 9 2016 |
| Status: | Open | Resolved: | |
| Product: | Safari | Product Version: | 9.0.3 |
| Classification: | Bug | Reproducible: | Yes |
Summary:
When a client-side SSL certificate is used with a web page which uses Websockets, the client-side SSL certificate is not used on the HTTPS connection that establishes the websocket, which the server then rejects because there is no client certificate to verify. This effectively prevents websites which use client-side SSL certificates from being able to use websockets. This is particularly debilitating for web applications which are accessible behind reverse proxy servers which require client-side certificates to allow access to intranet web resources without VPN.

Steps to Reproduce:
1. Set up a web server with a web application that uses websockets.
2. Either configure that web server to require client-side SSL certificates or set up a reverse proxy which requires client-side SSL certificates and supports websockets.
3. Provision an OS X machine with a client-side SSL certificate that is valid for the previous configuration.
4. Connect to the web page in Safari using that client-side SSL certificate. (If done correctly, you will see a popup dialog for choosing the appropriate certificate when you visit the web page.)

Expected Results:
I would expect the web application to load properly and be entirely usable.

Actual Results:
The web application at first appears to load, but behind the scenes the attempt to open the web socket has failed. The page either displays an error or appears curiously empty and unresponsive. Opening the JavaScript console shows the error.

Version:
Safari 9.0.3, running on OS X 10.11.3

Notes:
Chrome (tested on build 48.0.2564.116) does not have this problem because it properly uses the client certificate when establishing the websocket connection.
Configuration:

Safari:
  Version: 9.0.3
  Obtained from: Apple
  Last Modified: 6/22/15, 1:25 PM
  Kind: Intel
  64-Bit (Intel): Yes
  Signed by: Software Signing, Apple Code Signing Certification Authority, Apple Root CA
  Location: /Applications/Safari.app
  Get Info String: 9.0.3, Copyright © 2003-2015 Apple Inc.

System Software Overview:
  System Version: OS X 10.11.3 (15D21)
  Kernel Version: Darwin 15.3.0
  Boot Volume: Macintosh HD
  Boot Mode: Normal
  Computer Name: rquattle-macpro
  User Name: Robert Quattlebaum (rquattle)
  Secure Virtual Memory: Enabled
  System Integrity Protection: Enabled
  Time since boot: 5 days 19:29
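
Added example, not part of the original report: one way to build the reverse proxy from step 2 with nginx, requiring a client certificate and forwarding websocket upgrades, with a log format that shows whether each handshake carried a certificate. The host name, file paths, log path and backend port are placeholders chosen for illustration.

```nginx
# Added example: reverse proxy that requires a client certificate and
# forwards WebSocket upgrades. All names, paths and ports are placeholders.
events {}

http {
    # Record whether each request presented a verified client certificate
    # and whether it was a WebSocket handshake.
    log_format mtls '$remote_addr "$request" status=$status '
                    'client_verify=$ssl_client_verify '
                    'subject="$ssl_client_s_dn" upgrade="$http_upgrade"';

    # Send "Connection: upgrade" upstream only for upgrade requests.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        listen 443 ssl;
        server_name intranet.example.com;                     # placeholder

        ssl_certificate     /etc/nginx/tls/server.crt;        # placeholder
        ssl_certificate_key /etc/nginx/tls/server.key;        # placeholder

        # Require a certificate issued by this CA on every TLS connection,
        # including the one the browser opens for the WebSocket handshake.
        ssl_client_certificate /etc/nginx/tls/client-ca.crt;  # placeholder
        ssl_verify_client on;

        access_log /var/log/nginx/mtls_access.log mtls;

        location / {
            proxy_pass http://127.0.0.1:8080;                 # placeholder backend
            proxy_http_version 1.1;
            proxy_set_header Upgrade    $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host       $host;
        }
    }
}
```

With this configuration, a websocket handshake that arrives without a certificate is logged with `client_verify=NONE` and `upgrade="websocket"` and is answered with a 400, while the page loads that did present the certificate are logged with `client_verify=SUCCESS`.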