How to make SSL compatible with Video play in Safari

Server
1

Hello @schoen @sahsanu @jmorahan

I met headache issue with video play only in Safari after SSL setup. Videos play well both in SSL or non-SSL status in Chrome and firefox. I supposed the reason seems related to incorrect intermediate certificates setup, as per at technical topic iphone - Cannot view Quicktime movies over HTTPS in Safari or UIWebView - Stack Overflow

so, I asked an technical to setup new wildcard SSL for our multisite(Payable work for wildcard SSL deploy - #12 by jmorahan), and created a fresh site with no plugin activated, you may find SSL work well:
SSL Checker

Here is my test process:

  1. by default, the site was created http://videotest.lovcour.com/(not https), Screenshot by Lightshot

2.I check the root site, it is still http://lovcour.com, but not https://lovcour.com, I just support it is saved in database but I can not change it.

3.if access the subsite: both https or http is accessible ://videotest.lovcour.com

4.Upload a standard mp4 video sample downloaded from a professional development site which guarantee the video is support in all of browser,

  1. the default url of the uploaded video is http://videotest.lovcour.com/mp4_video/, it is not https, please check the screenshot: Screenshot by Lightshot, and the video is play both frontend and backend, and Here is frontend screenshot: Screenshot by Lightshot

6.Here is screenshot: Screenshot by Lightshot, which show I changed the site url from http://videotest.lovcour.com/ to https://videotest.lovcour.com/.

The video URL will automatically change from http to https, here is screenshot: Screenshot by Lightshot

As you see, the video will not play both at backend and frontend, and just show the error as:

Media error: Format(s) not supported or source(s) not foundmejs.download-file: https://videotest.lovcour.com/wp-content/uploads/sites/59/2018/05/mp4_video.mp4?_=1

I would like to have your professional suggestion on SSL compatible setting for Safari, how to resolve it please?

Thanks so much.

Alex

2

I would like to see if there is anything difference in the connections themselves…
So, please detail:
On which version(s) of Safari does this occur?
Which TLS protocols/ciphers are the working, and non-working, clients negotiating.

(Let me know if you need any assistance with gathering any of that info.)

3

@rg305

Thanks, the version of safari: Version 11.0.3 (12604.5.6.1.1, screenshot: Screenshot by Lightshot

I knot TLS is something of Handshake Protocol, but I do not know it on my site.

Would like to help? how to resolve please?

Alex

4

Do you have access to modify the vhost config file for:
videotest.lovcour.com:443

5

oh, yes, but I am not technical background, would like to help please?

Alex

6

taking some of the next steps offline

7

Hello All,

I am back.

I checked our SSL compatible at


and
https://www.ssllabs.com/ssltest/

Would you please let me know whether there is any improper setting which might cause the issue of video playing in Safari?

Alex

8

What I’m currently seeing on https://videotest.lovcour.com/ is a circular redirect, where https://videotest.lovcour.com/ redirects to itself instead of serving any site content.

9

Hi @schoen,

Thanks, please check our ssl compatible:

https://www.ssllabs.com/ssltest/analyze.html?d=lovcour.com&latest

and let check this video page:
https://lovcour.com/testvideo/testvideo.html
or directly this video,

it is uploaded by ftp, and it simple under nginx, so no related to wordpress.

what you think please?

10

@schoen @rg305,

what is your comment upon our SSL cert compatible:

https://www.ssllabs.com/ssltest/analyze.html?d=lovcour.com&latest

I would like to check the reason one by one…

thanks

11

@rg305

Is there any configuration change needed to change to Https in Nginx ?

12

SHOULD BE DISABLED:
TLS 1.1 Yes
TLS 1.0 Yes
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)

CAN BE DISABLED:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)

GOOD TO HAVE:
Strict Transport Security (HSTS)
DNS CAA No
Supported Named Groups secp256r1 (add more)

14

Ok, but how to set please???

15

The simplest and most effective way that I have found is to add “:!SHA1” to the end of your SSLCipherSuite list.
That will remove all the ciphers that end with “_SHA” from the supported list.

17

do you think those setting is related to video issue please??

18

No.
I was able to serve your sample video file from another server to a Safari client without any problem.
That same Safari client could not see the that same video from your server.

19

@rg305

he reason why I asked this question is that I just read an article which should safari need strictly SSL…

so I just thought if there are different between our SSL and the one of your demo site, that might be a reason…?

or, there is extra configuration needed in Nginx conf, since that video is uploaded to Nginx for test by Ftp, so it is completely no related to wordpress.

20

I tried it in Apache 2.4.25 and nginx 1.12.2 (both worked with Safari)

21

@rg305
so, what is your Nginx conf setting?

22

both using the default mime.types file
which includes:
nginx =
video/mp4 mp4;

Apache =
video/mp4 mp4 mp4v mpg4