Client SSL certificate failing in Safari (and what is SOSCCThisDeviceIsInCircle?)

Tags: keychain, safari, ssl

I'm having difficulty using an X.509 certificate to do client authentication from Safari (9.0.1, as on OS X 10.10.5).

The symptom is that I go to a https://... site which does client certificate checking, but Safari appears to simply hang as if it were waiting for a response from the server. In the error console it reports Failed to load resource: cancelled (and on one of the servers I've tried this with, which I have control over, the relevant logs report that the browser appeared to abruptly close the connection – there's no other indication there of a protocol botch).

The certificate is valid and has a good CA signature, as verified by openssl, and by the fact that it works as expected with Firefox, Chrome, and curl. Note that Chrome and OS X curl do use the Keychain, and Firefox doesn't, so there's no common factor there. Also, OS X curl is built against SecureTransport as opposed to OpenSSL, so is, I think, using the same SSL library as Safari (I don't know about Chrome in this respect).

This isn't a server-side problem, because others using the same version of Safari can get to the same URL with certificates from the same CA. Also, I can connect straightforwardly to that site using Chrome, which of course also uses WebKit, and which uses the same certificate, via the Keychain.

The nearest thing to a diagnostic I can find is that a message appears in the Console whenever I do this, saying

2015-11-13 18:43:53.329 Keychain Access[1373]:  SOSCCThisDeviceIsInCircle SOSCCThisDeviceIsInCircle!! 58

(the final number increments each time).

I have been able to find nothing at all relating to that string, apart from passing mentions in a few clearly puzzled forum posts.

I have tried deleting identity preferences from Keychain Access without success, tried deleting similar (expired) certificates from the keychain, and tried exporting, deleting, and re-importing the relevant certificate; all without effect.

I'm stumped! Does anyone have any suggestions? Since this appears to be a Safari-specific problem, I'm asking here before trying on the security SE.

Best Answer

I like to use the Keychain Access app to troubleshoot cryptographic trust issues, and I also find that making a clean VM of OS X, or at least a new user account, helps to make sure I'm starting from a known trust chain.

  • Open Keychain Access
  • Under the Keychain Access menu, select Certificate Assistant and then Evaluate a Certificate

From there you can use the SSL tool to evaluate things and start to pick apart what is failing or succeeding. Bouncing between that tool and Safari usually is worthwhile in sorting errors.
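The checks the questioner describes doing with openssl, and the trust-chain triage the answer does in Certificate Assistant, can be scripted so that each step fails loudly on its own. The following is an added example written for this page, not code from either post: it builds a throwaway CA and a client identity in a temporary directory (all constructed key material), then runs the four checks a practitioner wants to see pass before blaming the browser: chain verification for the sslclient purpose, expiry, private-key/certificate match, and a clientAuth extendedKeyUsage. The function names (`make_fixtures`, `check_client_identity`) and file names are my own; the two deliberately broken cases (a certificate issued with serverAuth only, and a private key that does not belong to the certificate) show what each failure looks like.

```shell
#!/bin/sh
# Added example (not from the question or the answer). Every file below is
# constructed in a temporary directory for the demonstration; none is real.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_fixtures DIR: build a throwaway CA plus the test artefacts:
#   client.pem / client.key  - properly issued client identity (EKU clientAuth)
#   server.pem               - same CSR, but issued with EKU serverAuth only
#   other.key                - an unrelated private key (key-mismatch case)
make_fixtures() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    printf 'extendedKeyUsage=serverAuth\n' > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/client.pem" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
}

# check_client_identity CA CERT KEY: return 0 only if every check passes;
# otherwise print the first failing check and return 1.
check_client_identity() {
    ca=$1; cert=$2; key=$3
    # (1) the chain builds to the CA and the cert is usable as a TLS client cert
    openssl verify -CAfile "$ca" -purpose sslclient "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: chain or sslclient purpose check"; return 1; }
    # (2) the validity period has not already ended (-checkend 0)
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "FAIL: certificate has expired"; return 1; }
    # (3) the private key really belongs to this certificate (compare SPKIs)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: private key does not match certificate"; return 1; }
    # (4) extendedKeyUsage explicitly lists client authentication
    openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Client Authentication' \
        || { echo "FAIL: no clientAuth in extendedKeyUsage"; return 1; }
    echo "OK: $(openssl x509 -in "$cert" -noout -subject)"
}

make_fixtures "$WORK"
check_client_identity "$WORK/ca.pem" "$WORK/client.pem" "$WORK/client.key"
check_client_identity "$WORK/ca.pem" "$WORK/server.pem" "$WORK/client.key" || true
check_client_identity "$WORK/ca.pem" "$WORK/client.pem" "$WORK/other.key" || true
```

Run it against a real identity by pointing `check_client_identity` at the exported CA, certificate and key instead of the fixtures. On OS X the keychain-side counterpart is `security find-identity -v -p ssl-client`, which lists only the identities that the keychain's own ssl-client policy evaluation accepts; an identity that passes the openssl checks above but is missing from that listing narrows the problem to the keychain rather than the certificate.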