After spending the last year and a half going between the hosting company, the client, and the PCI compliance firm, I succeeded in becoming PCI compliant. That means we can take credit card orders securely.
The cost? Safari (you know, Apple computers and iPhones?) cannot check out on our shiny system. Complaints from the users of these devices led to this blog post.
The layout of our server:
To test, I am using Safari 5.1.2 (the latest version) on Windows XP (in a virtual machine). The booking.php file loads over https://, BUT none of the .js files will.
That’s right, if you type in the direct URL to the .js file you are greeted with this message:
Safari can’t open the page.
Safari can’t open the page “https://www.[our-domain].com/shopping/js/jquery.min.js” because Safari can’t establish a secure connection to the server “www.[our-domain].com”.
Switch back to /shopping/booking.php. Yep, it loads the HTML code. The certificate chain is installed correctly.
After digging around, there seem to be a few possible causes:
- Parental Controls
- Client Side Corrupted Revocation List
- Proxy Settings
- Server-enabled SSL Ciphers
Since I am on Windows and am not using a proxy, options #1-3 do not appear to be affecting my tests, so I opened up the .htaccess file:
# See http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
Correcting the problem involved enabling the MD5 and MEDIUM ciphers, neither of which is allowed under PCI compliance:
Yet without both of these “ciphers” enabled, Safari refused to load the .js files.
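Before relaxing a cipher string like the one in that .htaccess, it helps to see exactly which suites each version of the string turns on and which of them a PCI assessor would reject. The script below is an added example (mine, not part of the original post or any project's code). It uses Python's ssl module, which expands a cipher specification with the same OpenSSL rules Apache's mod_ssl applies. The two spec strings are assumptions, since the post does not reproduce its actual SSLCipherSuite line: a strict PCI-style spec, and the relaxed form with MD5 and MEDIUM added back.

```python
"""Audit an Apache-style SSLCipherSuite string with the local OpenSSL.

Added example, not from the original post. It expands a cipher spec the
way OpenSSL does, flags suites that PCI DSS guidance treats as weak
(MD5 MACs, RC4, single DES, export, NULL and anonymous key exchange),
and lists what a relaxed spec adds on top of a strict one.
"""
import re
import ssl

# Assumed specs (constructed): the post does not reproduce its .htaccess
# line, so these stand in for a strict PCI-style directive and the relaxed
# form (MD5 and MEDIUM re-enabled) that the post says Safari needed.
STRICT_SPEC = "HIGH:!aNULL:!MD5:!RC4"
RELAXED_SPEC = "HIGH:MEDIUM:!aNULL"

# Suite-name fragments an assessor would reject (OpenSSL naming).
WEAK_PATTERN = re.compile(r"(MD5|RC4|EXP|NULL|ADH|AECDH|^DES-CBC-)")


def enabled_ciphers(spec: str) -> list:
    """Return the TLS 1.2-and-below suite names OpenSSL enables for `spec`.

    A spec that matches nothing (e.g. "MD5" on an OpenSSL built without
    weak ciphers) yields an empty list instead of raising; an empty list
    is itself a useful finding.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    # TLS 1.3 suites are reported regardless of the spec string; drop them
    # so the result reflects only what the SSLCipherSuite directive controls.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(spec: str) -> list:
    """Names of enabled suites that violate the weak-cipher policy."""
    return [name for name in enabled_ciphers(spec) if WEAK_PATTERN.search(name)]


def added_by_relaxing(strict: str, relaxed: str) -> list:
    """Suites the relaxed spec enables that the strict spec does not."""
    strict_set = set(enabled_ciphers(strict))
    return [n for n in enabled_ciphers(relaxed) if n not in strict_set]


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    for label, spec in (("strict", STRICT_SPEC), ("relaxed", RELAXED_SPEC)):
        suites = enabled_ciphers(spec)
        print(f"{label:8} {spec!r}: {len(suites)} suites; "
              f"violations: {audit(spec) or 'none'}")
    print("added by relaxing:",
          added_by_relaxing(STRICT_SPEC, RELAXED_SPEC) or "none")
```

Two caveats when reading the output. The expansion depends on how the local OpenSSL was built: modern builds ship without RC4-MD5 and friends, so an empty result for a token like MD5 means your toolchain cannot even exercise those suites, not that the server rejects them. And the script only tells you what the directive enables; to confirm what the server actually negotiates, run `openssl s_client -connect host:443 -cipher '<spec>'` against it, which fails the handshake when no common suite exists, the same failure Safari reports above but with the reason visible.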
This leaves me with the choice of whether to remain PCI compliant or to allow users to check out. If anyone has a solution to this problem, I am all ears. Hopefully this post will cut down debugging time for other developers.
Submitted by Anonymous on
You could always check the UA, if it is Safari, cat the .js file with the script tag right in the php code.
Then again, you probably already thought of that...
Submitted by Chris on
Yeah, the user agent is a good ’90s hack… unless you work for Microsoft (their CRM does this). There are anonymizers, such as some proxies, that remove it, and Safari allows UA modification in its Developer options.
Thanks for the suggestion though. It may be worth doing this in some situations.