Generate a host key
First, make a home for the new SSL files; this tutorial uses /etc/apache2/ssl. Open a terminal window, cd to the new directory and issue the following command to create the server's private key: a 2048-bit RSA key in PEM form, which is what the openssl commands below and Apache expect. (ssh-keygen is the wrong tool for this: current versions write an OpenSSH-format key that openssl cannot read, and it also creates an unneeded .pub file.) The key file must stay readable by root only; Apache reads it at startup and nothing else needs it.
sudo openssl genrsa -out host.key 2048
Generate a certificate request file
This command creates a certificate request file. A certificate request file contains information about your organization (the subject, most importantly the Common Name, which must be the host name clients will connect to) that will be carried into the SSL certificate.
sudo openssl req -new -key host.key -out request.csr
Create the SSL certificate
Create a self-signed SSL certificate from the request, signed with the same key. The -sha256 option selects a SHA-256 signature; older OpenSSL releases default to SHA-1, which browsers now reject. Because no CA the browser trusts has signed this certificate, browsers will still warn about it; that is expected for a self-signed certificate.
sudo openssl x509 -req -days 365 -sha256 -in request.csr -signkey host.key -out server.crt
Configure Apache
Create a backup of /etc/apache2/httpd.conf.
Append the contents of /etc/apache2/extra/httpd-ssl.conf to /etc/apache2/httpd.conf.
In /etc/apache2/httpd.conf, make sure the SSL module is loaded (remove the leading # from this line):
LoadModule ssl_module libexec/apache2/mod_ssl.so
Also, edit the SSL section (the part you appended from httpd-ssl.conf) so that it points at the new certificate and key:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/host.key
Check the config and restart Apache to try the new certificate.
sudo apachectl configtest
sudo apachectl restart
Thanks to the House of Ding and Matt Langtree for providing much of this solution.
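The key, request and certificate steps above as one shell function, followed by the checks worth running before pointing Apache at the files. This is an added example, not part of the original tutorial or the cited solution; it needs only openssl(1), and the directory and host name it uses are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original tutorial): generate the key, CSR and
# self-signed certificate in one go, then verify the result. Requires openssl(1).
# The directory and host name passed in are hypothetical.
set -eu

# make_selfsigned_cert DIR CN [DAYS]
# Creates DIR/host.key, DIR/request.csr and DIR/server.crt.
make_selfsigned_cert() {
    dir=$1 cn=$2 days=${3:-365}
    mkdir -p "$dir"
    # Private key. The umask makes host.key mode 0600 from the moment it is
    # written; Apache reads it as root at startup and nothing else needs it.
    ( umask 077; openssl genrsa -out "$dir/host.key" 2048 2>/dev/null )
    # Certificate request. -subj answers the questionnaire non-interactively.
    openssl req -new -key "$dir/host.key" -subj "/CN=$cn" -out "$dir/request.csr"
    # Self-sign the request with the same key; -sha256 avoids a SHA-1 signature.
    openssl x509 -req -days "$days" -sha256 -in "$dir/request.csr" \
        -signkey "$dir/host.key" -out "$dir/server.crt" 2>/dev/null
}

# cert_matches_key DIR: succeed only if server.crt carries the public half of
# host.key (the classic mistake is pairing a regenerated key with an old cert,
# which makes Apache refuse to start).
cert_matches_key() {
    dir=$1
    key_pub=$(openssl pkey -in "$dir/host.key" -pubout -outform DER | openssl dgst -sha256)
    crt_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey \
              | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$key_pub" = "$crt_pub" ]
}

# cert_cn DIR: print the CN of server.crt, to confirm it is the host name
# clients will actually connect with.
cert_cn() {
    openssl x509 -in "$1/server.crt" -noout -subject | sed 's/.*CN *= *//'
}

# self_verifies DIR: a self-signed certificate verifies only when it is itself
# the trust anchor. This is the check browsers fail, hence their warning.
self_verifies() {
    openssl verify -CAfile "$1/server.crt" "$1/server.crt" >/dev/null 2>&1
}

# Usage, with a hypothetical directory and host name:
#   make_selfsigned_cert /etc/apache2/ssl www.example.test 365
#   cert_matches_key /etc/apache2/ssl && cert_cn /etc/apache2/ssl
```

Run the checks after every regeneration: cert_matches_key catches a key/certificate mismatch before apachectl does, and cert_cn catches a request answered with the wrong host name, which would otherwise surface only as a name-mismatch warning in the browser.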
Unfortunately, AFAIK, this setting does not exist. (It doesn't exist in another WebKit browser, either: Google Chrome. You can do this in Firefox, though, using 'about:config'.)
About hard-coded cipher priorities/support for the SSL/TLS handshake:
I tested that Safari does not support 40-bit RC4 encryption with an MD5 hash. This means that it does not support some products that are required by US export law to use low (<64-bit) encryption.
See also:
http://www.carbonwind.net/blog/post/A-quick-look-over-some-browsers-and-their-SSLTLS-implementations.aspx
"Initially, in SSL/TLS negotiations, TLS with RSA and weak 128-bit RC4 keys are offered first and second in the cipher order. Worse, ECC (Elliptical Curve Cryptography), AES (Advanced Encryption Standard), and 256-bit keys are never offered as potential cipher choices; further, MD5 is offered first and more frequently than SHA-1, when it should be the other way around."
By Roger A. Grimes, Infoworld Feb 1, 2009 1:19 pm
http://www.pcworld.com/article/158706/how_secure_is_safari.html
Best Answer
This is a certificate issue. In my .mbsyncrc, I included as CertificateFile the entire certificate chain (Gmail -> Google, Google -> GeoTrust, GeoTrust -> Equifax). This started intermittently throwing the error you're describing around the time I fixed the curl SSL issue. To fix it, use only the Gmail certificate in your .mbsyncrc. If you're unsure which of the certificates is the Gmail one, run:
and use the resulting gmail.crt file.
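One way to do the separation the answer describes, as an added example that is not part of the answer or of mbsync: list the subject of every certificate in a PEM bundle so you can see which one is the Gmail (leaf) certificate, and cut just that one out into its own file. It needs only openssl(1); the file names in the usage lines are hypothetical.

```shell
#!/bin/sh
# Added example (not from the answer above): pick one certificate out of a PEM
# bundle such as the Gmail -> Google -> GeoTrust -> Equifax chain, and show
# each certificate's subject so the leaf can be identified. Requires openssl(1).
set -eu

# pem_cert_count FILE: number of certificates in the bundle (0 if none).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# pem_extract_cert FILE N: print the N-th certificate (1-based) of FILE.
# Stops at that certificate's END line, so a private key or other material
# that follows it in the same file is never copied into the output.
pem_extract_cert() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# pem_subjects FILE: one line per certificate, "N subject=...". The leaf
# (server) certificate is the one whose CN is the mail host; the others are
# issuers. In a chain as sent by the server, the leaf is normally first.
pem_subjects() {
    total=$(pem_cert_count "$1")
    i=1
    while [ "$i" -le "$total" ]; do
        printf '%s ' "$i"
        pem_extract_cert "$1" "$i" | openssl x509 -noout -subject
        i=$((i + 1))
    done
}

# Usage (hypothetical file names):
#   pem_subjects chain.pem                 # find which entry is the Gmail cert
#   pem_extract_cert chain.pem 1 > gmail.crt
```

The awk filter keys on the PEM armour lines rather than on line counts, so it works whatever the certificate sizes are and ignores anything that is not between a BEGIN/END CERTIFICATE pair.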