Safari can't establish secure connection - but site works on all other browsers

coppertop

Member
Apr 30, 2020
7
1
3
Canada
cPanel Access Level
Website Owner
Mac users browsing on Safari are getting the message "Safari can't open the page "my website" because Safari can't establish a secure connection to the server "my domain name"."

The site is working on all other browsers.

3 of my students are having the same issue, all using Mac laptops, all trying to browse on Safari.

Does Mac/Safari need a different SSL?
 


GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
1,739
301
363
Chesapeake, VA
cPanel Access Level
DataCenter Provider
Older versions of Safari do not support TLS 1.2, which is default on new servers.


So for example, Mac OS X 10.8 only supports TLS 1.0. You have to decide how old a browser you want to support at the expense of security.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,297
1,251
313
Houston
No, as noted by @GOT:
"Older versions of Safari do not support TLS 1.2, which is default on new servers."



The article he sent actually references the following:
Note: Please note that certificates are not dependent on the protocols you have enabled or disabled, the protocols are determined by your server configuration and not by the certificates and will likely be managed by your server administrator or the appropriate IT staff within your organization.
Which clearly notes that the protocol is not dependent on the certificate. The deprecation notice is to explain which protocols are to be used on servers primarily for PCI compliance standards. Sectigo/Comodo also announced something similar: TLS 1.0 is no longer used to secure communications | PCI Compliance


This is essentially a decision you need to make as a provider - do you force them to use a different browser for the sake of security, or do you allow older/potentially insecure protocols? The decision is up to you, but in order to allow compatibility with older versions of Safari you need to allow TLSv1.0, which personally I would not do, but that's my 2 cents.
A more informative article from GlobalSign that details the security risk of allowing TLS v1.0 can be found here: It’s Time to Disable TLS 1.0 (and All SSL Versions) If You Haven’t Already

To reiterate - this has absolutely nothing to do with your SSL certificate - it's specific to the protocols the server supports. It is also absolutely not advised to put your server at risk to allow these protocols as opposed to requiring your users to use a browser that supports a modern cryptographic protocol - keep in mind that SSLv1.0 was introduced in 1995.
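An added example, not part of the original thread: one way to check the distinction drawn above between the certificate and the server's enabled protocols is to attempt one handshake per TLS version and record which layer each attempt stops at. It assumes Python 3.7+ linked against OpenSSL 1.1.0 or later; the function names and outcome labels are chosen here for illustration.

```python
import socket
import ssl
import sys

VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
LEGACY = {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}


def pinned_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.create_default_context()  # certificate verification stays on
    if version in LEGACY:
        # OpenSSL 3 blocks TLS 1.0/1.1 at its default security level; lower
        # it for this probe only so the client can offer them at all.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def classify(exc):
    """Name the layer a failed connection attempt stopped at."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "certificate"  # version was agreed, then the cert was rejected
    if isinstance(exc, ssl.SSLError):
        return "protocol"     # handshake refused: server protocol/cipher config
    if isinstance(exc, ValueError):
        return "client-unsupported"  # local OpenSSL build lacks this version
    return "network"          # DNS, refused, timeout, or a bare TCP reset


def probe(host, port=443, timeout=5.0):
    """Try one handshake per version; return {version name: outcome}."""
    results = {}
    for version in VERSIONS:
        try:
            ctx = pinned_context(version)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[version.name] = "accepted"
        except (OSError, ValueError) as exc:
            results[version.name] = classify(exc)
    return results


if __name__ == "__main__":
    for name, outcome in probe(sys.argv[1]).items():
        print(f"{name:8} {outcome}")
```

A server that reports "protocol" for TLSv1 and TLSv1_1 but "accepted" for TLSv1_2 has a working certificate and simply does not offer the older versions.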
 

coppertop

Thank you for your insight!
 

nosajix

Well-Known Member
Jul 30, 2005
65
3
158
So does that mean that Google and apple.com use TLS 1.0, because their websites load no problem?