Dedicated SSL certificates are not compatible with OS X 10.9 + Safari 7


#1

Despite the claim that dedicated certificates work with OS X 10.6 or later, there is an exception: Anyone running OS X 10.9 will hear Safari 7.1 complain that it can’t verify the identity of your website. This currently affects 0.28% of internet users according to netmarketshare.com.

The suggested workaround from Cloudflare support is to ask 0.28% of the internet population to upgrade their systems or install a new root certificate.


#2

I’m intrigued. Why does this specific combination of OS X and Safari not accept the certificate?


#3

Good question. It actually might apply to later versions of Safari on OS X 9 as well. Baltimore CyberTrust Root from Digicert is the problem certificate.

Also mentioned in the support ticket is that Cloudflare is presenting an ECDSA certificate first, which Safari 7 does not support. But that should be negotiated down, which seems to work fine on older Macs (I’ve tested on 10.6 w/ Safari 5.1 with no problems).


#4

Well, I would highly suggest keeping your OS updated. :grinning:

But I just checked the OS X Mavericks (v10.9.4) Trust Store List:

and Baltimore CyberTrust Root, with Subject Key Identifier E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0, is included.

The dedicated certs are provided using these intermediate certificates:

  • CloudFlare Inc RSA CA-1
  • CloudFlare Inc ECC CA-2
  • CloudFlare Inc Compatibility CA-3

Both the RSA and ECC intermediates are signed using Baltimore CyberTrust Root with Subject Key Identifier E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0, while the Compatibility intermediate is signed using GTE CyberTrust Global Root with SHA1 D4DE20D05E66FC53FE1A50882C78DB2852CAE474. Per the Apple Support link above, both certificates are included in the OS X Mavericks Trust Root. Please check your Trust Store for the presence of these certificates.
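To check the two things #3 and #4 raise, which chain a client without ECDSA support is actually served and which root that chain expects, here is an added shell example (not from the thread or from Cloudflare). It assumes OpenSSL is installed; the hostnames and the locally generated test chain are constructed placeholders, not a real Cloudflare chain.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the chain a site serves and check
# that it terminates at a root your trust store holds, e.g. Baltimore CyberTrust
# Root, SKI E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0. Needs OpenSSL.
set -eu

# Save the chain a server presents. The cipher string narrows what the client
# offers, e.g. "aRSA" shows the chain a client without ECDSA support would get.
fetch_chain() {  # usage: fetch_chain HOST CIPHERS OUT.pem
  openssl s_client -connect "$1:443" -servername "$1" -cipher "$2" -showcerts </dev/null 2>/dev/null |
    awk '/BEGIN CERT/,/END CERT/' >"$3"
}

# Subject Key Identifier of the first cert in a file; the Authority Key Identifier
# of a cert is the SKI of its issuer, which is how the links of a chain are matched.
ski_of() { openssl x509 -in "$1" -noout -text | awk '/Subject Key Identifier/{getline; gsub(/ |keyid:/,""); print; exit}'; }
aki_of() { openssl x509 -in "$1" -noout -text | awk '/Authority Key Identifier/{getline; gsub(/ |keyid:/,""); print; exit}'; }

# AKI of the last cert in the served bundle: the SKI of the root the chain expects.
# Compare it with the copy in the trust store before reinstalling the root.
expected_root_ski() {  # usage: expected_root_ski CHAIN.pem
  d=$(mktemp -d); n=$(grep -c 'BEGIN CERT' "$1")
  awk -v d="$d" '/BEGIN CERT/{n++} {print > (d "/c" n ".pem")}' "$1"
  aki_of "$d/c$n.pem"; rm -rf "$d"
}

# Verify the served chain against a given root; prints OK or the OpenSSL error.
verify_chain() {  # usage: verify_chain ROOT.pem CHAIN.pem
  d=$(mktemp -d); openssl x509 -in "$2" -out "$d/leaf.pem"  # x509 reads only the first cert: the leaf
  openssl verify -CAfile "$1" -untrusted "$2" "$d/leaf.pem" 2>&1 | sed 's/.*: //' | tail -n 1
  rm -rf "$d"
}

# Constructed fixture for offline use (not a real Cloudflare chain):
# root -> intermediate -> leaf, all RSA, written to DIR as root.pem, int.pem, chain.pem.
make_test_chain() {  # usage: make_test_chain DIR
  ( cd "$1" && exec 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' >ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' >leaf.ext
    for n in root int leaf; do openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" -subj "/CN=Test $n"; done
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 1 -out root.pem
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -extfile ca.ext -days 1 -out int.pem
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -extfile leaf.ext -days 1 -out leaf.pem
    cat leaf.pem int.pem >chain.pem )
}
```

Against a live site you would run `fetch_chain example.com aRSA chain.pem` (hostname is a placeholder) and then `expected_root_ski chain.pem`; if the printed SKI matches the root in the trust store yet `verify_chain` against an export of that root fails, the stored copy itself is the suspect.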


#5

Thanks tanto259,

The certificate is present but somehow invalid, which prompted Cloudflare to suggest reinstalling the root.

I’m not sure why the one in the OS does not validate, but the issue was reported by a customer and is reproducible on BrowserStack’s Mavericks instance. It was also reproduced by Cloudflare support on whatever setup they use.


#6