Hey Folks,
I got a serious problem with a special https server...
Its certificate is signed by Thawte...
Thawte's CA certificates are included in Panther's shipping keychains.
Nevertheless, if I try to access
https://bds.mercedes-benz.com/
Safari tells me that it's unable to establish a secure connection.
So I tried getting the cert with openssl:
openssl s_client -showcerts -connect bds.mercedes-benz.com:443
with the following "success":
CONNECTED(00000003)
depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
30531:error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:424:
So I tried some variation:
openssl s_client -ssl3 -connect bds.mercedes-benz.com:443
now with 'normal' success!
So... why is it working with ssl3, but not with v2.... strange.
Well.... why does Safari have such a great problem with this page that it doesn't even ask whether to continue or not?
I also tried enabling the debug menu and activating lax certification checks... no success at all!
Summary:
- Safari has access to system wide keychains
- Thawte's certificates are included in these keychains
- openssl only works with ssl3 ???
- Safari just denies access to the page.
Any helpful ideas? Further thoughts?
Is it a problem of Safari's SSL implementation? Or is it a problem of this website?
BTW: IE and Mozilla are working flawlessly!
Thanks for every useful idea!
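
Added example, not part of the original post: a small Python parser that separates the two different failures in the first s_client output quoted above, the X.509 chain verification error (num=19) and the error-queue entry raised in SSL3_GET_RECORD. The function names are made up for this example, and the split of the hex code assumes the pre-3.0 OpenSSL error-code layout (8-bit library, 12-bit function, 12-bit reason).

```python
import re

# Output quoted in the post above (the s_client run without -ssl3).
TRANSCRIPT = """\
CONNECTED(00000003)
depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
30531:error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:424:
"""

# "verify error:num=<code>:<text>" comes from X.509 chain verification.
VERIFY_RE = re.compile(r"^verify error:num=(\d+):(.+)$")
# "<id>:error:<8 hex>:<lib>:<func>:<reason>:<file>:<line>:" is an error-queue entry.
QUEUE_RE = re.compile(
    r"^(\d+):error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]+):(\d+):")


def unpack_code(code):
    """Split a packed error code (assumed pre-3.0 OpenSSL layout):
    8 bits library, 12 bits function, 12 bits reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def split_failures(transcript):
    """Return (verify_errors, queue_errors) found in s_client output."""
    verify_errors, queue_errors = [], []
    for line in transcript.splitlines():
        m = VERIFY_RE.match(line)
        if m:
            verify_errors.append({"num": int(m.group(1)), "text": m.group(2)})
            continue
        m = QUEUE_RE.match(line)
        if m:
            lib, func, reason = unpack_code(int(m.group(2), 16))
            queue_errors.append({
                "library": m.group(3), "function": m.group(4),
                "reason": m.group(5), "source": f"{m.group(6)}:{m.group(7)}",
                "lib_id": lib, "func_id": func, "reason_id": reason,
            })
    return verify_errors, queue_errors


if __name__ == "__main__":
    verify, queue = split_failures(TRANSCRIPT)
    for v in verify:
        print(f"chain verification: error {v['num']} ({v['text']})")
    for q in queue:
        print(f"{q['library']} / {q['function']}: {q['reason']} at {q['source']}")
```

The verify error is reported by certificate chain checking, while the error-queue line comes from record processing in s3_pkt.c, so the two lines describe separate problems.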