After spending the last year and a half going between the hosting company, the client, and the PCI compliance firm, I succeeded in becoming PCI compliant. That means we can take credit card orders securely.
The cost? Safari (you know, Apple computers and iPhones?) cannot check out on our shiny system. The complaints of the users of these devices have led to this blog post.
The layout of our server:
/shopping/booking.php
/shopping/js/jquery.min.js
/shopping/js/bookings.js
To test, I am using Safari 5.1.2 (latest version) on Windows XP (virtual machine). The booking.php file loads over https://, BUT none of the .js files will.
That’s right, if you type in the direct URL to the .js file you are greeted with this message:
Safari can't open the page.
Safari can't open the page "https://www.[our-domain].com/shopping/js/jquery.min.js" because Safari can't establish a secure connection to the server "www.[our-domain].com".
Switch back to /shopping/booking.php. Yep, it loads the HTML code. The certificate chain is installed correctly.
After digging around, there seem to be a few possible causes:
Since I am on Windows and am not using a proxy, it does not appear that options #1-3 could be affecting my tests, so I opened up the .htaccess file:
<IfModule mod_ssl.c>
# See http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
#SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4+RSA:HIGH:!MD5:!aNULL:!eNULL:!LOW:!MEDIUM:!EXP:!SSLv2:!EDH:!AESGCM
SSLRenegBufferSize 4194304
</IfModule>
Correcting the problem involved enabling MD5 and MEDIUM ciphers, neither of which is allowed in PCI compliance:
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4+RSA:HIGH:MD5:!aNULL:!eNULL:!LOW:MEDIUM:!EXP:!SSLv2:!EDH:!AESGCM:
Yet without both of these “ciphers” enabled, Safari refused to load the .js files.
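To see exactly what each of the two SSLCipherSuite values above lets the server offer, here is an added example (my code, not the post author's) that models the part of OpenSSL's cipher-string grammar the two strings use and runs both through it. The suite table and the "legacy client" offer are constructed for illustration; they are not a capture from the author's server or from Safari. One thing the model makes visible: `RC4+RSA` near the front of the original string is undone by `!MEDIUM` later on, because `!` in an OpenSSL cipher string is a permanent ban that a later term cannot reverse, so the compliant string never offered RC4 at all, while the relaxed string's plain `MD5` and `MEDIUM` terms do add the RC4 suites.

```python
"""Added example: a small model of OpenSSL cipher-string evaluation, used to
compare the post's two SSLCipherSuite values. Not code from the original post.
The suite table below is constructed (a subset of what a 2011-era OpenSSL 1.0.x
knew, in its preference order); the authoritative expansion on a real server
comes from `openssl ciphers -v '<string>'`."""
import re
from collections import namedtuple

Suite = namedtuple("Suite", "name kx au enc mac strength")

# Constructed table. In OpenSSL 1.0.x, RC4-128 is MEDIUM; AES and 3DES are HIGH.
MASTER = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "ECDH", "RSA", "AESGCM", "AEAD", "HIGH"),
    Suite("ECDHE-RSA-AES256-SHA384", "ECDH", "RSA", "AES", "SHA384", "HIGH"),
    Suite("ECDHE-RSA-AES256-SHA", "ECDH", "RSA", "AES", "SHA1", "HIGH"),
    Suite("DHE-RSA-AES256-SHA", "DH", "RSA", "AES", "SHA1", "HIGH"),
    Suite("AES256-SHA256", "RSA", "RSA", "AES", "SHA256", "HIGH"),
    Suite("AES256-SHA", "RSA", "RSA", "AES", "SHA1", "HIGH"),
    Suite("AES128-SHA", "RSA", "RSA", "AES", "SHA1", "HIGH"),
    Suite("DES-CBC3-SHA", "RSA", "RSA", "3DES", "SHA1", "HIGH"),
    Suite("RC4-SHA", "RSA", "RSA", "RC4", "SHA1", "MEDIUM"),
    Suite("RC4-MD5", "RSA", "RSA", "RC4", "MD5", "MEDIUM"),
    Suite("EXP-RC4-MD5", "RSA", "RSA", "RC4", "MD5", "EXP"),
    Suite("AECDH-AES256-SHA", "ECDH", "NULL", "AES", "SHA1", "HIGH"),
    Suite("NULL-SHA", "RSA", "RSA", "NULL", "SHA1", "NONE"),
]

# Keyword aliases, modelled after the ciphers(1) man page.
ALIASES = {
    "HIGH": lambda s: s.strength == "HIGH",
    "MEDIUM": lambda s: s.strength == "MEDIUM",
    "LOW": lambda s: s.strength == "LOW",
    "EXP": lambda s: s.strength == "EXP",
    "aNULL": lambda s: s.au == "NULL",      # no authentication
    "eNULL": lambda s: s.enc == "NULL",     # no encryption
    "RSA": lambda s: s.kx == "RSA",         # RSA key exchange
    "ECDHE": lambda s: s.kx == "ECDH" and s.au != "NULL",
    "EDH": lambda s: s.kx == "DH" and s.au != "NULL",
    "RC4": lambda s: s.enc == "RC4",
    "AES": lambda s: s.enc in ("AES", "AESGCM"),
    "AESGCM": lambda s: s.enc == "AESGCM",
    "MD5": lambda s: s.mac == "MD5",
    "SSLv2": lambda s: False,               # table holds no SSLv2 suites
}


def matches(alias, suite):
    """True if `alias` (exact suite name or keyword) selects `suite`."""
    if any(s.name == alias for s in MASTER):
        return suite.name == alias
    if alias not in ALIASES:
        raise ValueError(f"unknown cipher alias {alias!r}")
    return ALIASES[alias](suite)


def expand(cipher_string):
    """Evaluate a cipher string against MASTER and return the offered suites.

    Modelled rules: a plain term appends its new matches in table order;
    '-' removes; '+' moves matches to the end; '!' removes AND bans for the
    rest of the string, so a later plain term cannot re-add the suite;
    'A+B' inside a term is a logical AND. @STRENGTH sorting is not modelled."""
    selected, banned = [], set()
    for token in re.split(r"[:,\s]+", cipher_string):
        if not token or token.startswith("@"):
            continue
        op, body = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        names = [s.name for s in MASTER
                 if all(matches(a, s) for a in body.split("+"))]
        if op == "!":
            banned.update(names)
            selected = [n for n in selected if n not in banned]
        elif op == "-":
            selected = [n for n in selected if n not in names]
        elif op == "+":
            selected = ([n for n in selected if n not in names]
                        + [n for n in selected if n in names])
        else:
            selected += [n for n in names if n not in selected and n not in banned]
    return selected


def negotiable(server_string, client_offer):
    """Suites both sides share, in server order (mod_ssl picks in the client's
    order unless SSLHonorCipherOrder is On). Empty means no handshake is possible."""
    offered = set(client_offer)
    return [n for n in expand(server_string) if n in offered]


# The post's PCI-compliant string and the relaxed string that made Safari work.
ORIGINAL = ("ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4+RSA:HIGH:!MD5:!aNULL:"
            "!eNULL:!LOW:!MEDIUM:!EXP:!SSLv2:!EDH:!AESGCM")
RELAXED = ("ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4+RSA:HIGH:MD5:!aNULL:"
           "!eNULL:!LOW:MEDIUM:!EXP:!SSLv2:!EDH:!AESGCM:")
# Constructed ClientHello of a hypothetical legacy client that offers only RC4
# suites; illustrative only, not a claim about what Safari actually sends.
LEGACY_CLIENT_OFFER = ["RC4-SHA", "RC4-MD5"]

if __name__ == "__main__":
    for label, cs in (("original", ORIGINAL), ("relaxed", RELAXED)):
        print(f"{label}: offers {expand(cs)}")
        print(f"{label}: shared with legacy client {negotiable(cs, LEGACY_CLIENT_OFFER)}")
```

In practice, the two inputs to `negotiable` come from real data rather than the constructed table: `openssl ciphers -v` on the server's own OpenSSL build gives the server side, and a packet capture of the failing client's ClientHello gives the client side. An empty intersection is the one case where no server-side setting other than the cipher list can help, which is the situation the post describes.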
This leaves me with the choice of whether to remain PCI compliant or to allow users to check out. If anyone has a solution to this problem, I am all ears. Hopefully the post will cut down debugging time for other developers.
** NOTE: I realize that requiring JavaScript support for checkout is not perfect. In our situation, we have a lot of “bookings” available and really do need a way to filter them for our users. That is why we require it.