In this article, Okta details an errant condition when end users attempt to enroll in Okta Verify for Desktop, and they are redirected to:
https://localhost:[OktaVerifyPortNumber]
Web page displays:
ERR_SSL_PROTOCOL_ERROR
- When end-users enroll in Okta Verify, Okta Verify will start listening on http://localhost:65112 when the enrollment shows: "Check your browser".
- In a successful enrollment, a POST is made to http://localhost:65112/login/callback with the body of the response including <h1>Your identity is verified</h1> <h2>You can close this browser tab</h2>.
- However, in this instance, the address bar of the browser displays the error:
https://localhost:65112/login/callback with ERR_SSL_PROTOCOL_ERROR.
- When reviewing a web browser capture file (HAR), or the Network trace in the browser's Developer Tools, the following message is observed:
HTTP 307 Temporary redirect
... in response to the POST sent to http://localhost:65112/login/callback/ HTTP/1.1.
In the details, it may also be seen:
- Non-Authoritative-Reason: HSTS
- In the Callback Error, the Request URL has been changed from http to https.
- Okta Identity Engine (OIE)
- Okta Verify Enrollment
- Okta Verify Desktop for Windows or Mac
This indicates that the browser is redirecting from http to https, when calls to localhost should not be redirected.
This errant behavior is known to occur under a few conditions. As detailed above with the HTTP 307 redirects, it is due to a browser configuration setting for HSTS. Calls made to http://localhost should not be switched from HTTP to HTTPS. This is a known HTTP Strict Transport Security setting that is browser-specific.
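To confirm this condition from a saved HAR file, the check below flags plain-HTTP requests to a loopback address that were answered with a 307 pointing at HTTPS, and reports the Non-Authoritative-Reason header when present. It is an added example, not Okta's code; the function name find_loopback_upgrades and the embedded HAR are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample HAR (not a real capture), trimmed to the fields used below.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "POST", "url": "http://localhost:65112/login/callback"},
     "response": {"status": 307, "headers": [
         {"name": "Location", "value": "https://localhost:65112/login/callback"},
         {"name": "Non-Authoritative-Reason", "value": "HSTS"}]}},
    {"request": {"method": "GET", "url": "https://example.com/"},
     "response": {"status": 200, "headers": []}},
]}})


def find_loopback_upgrades(har_text):
    """Return loopback HTTP requests that were redirected (307) to HTTPS."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        url = urlsplit(req["url"])
        # Only plain-HTTP calls to the local listener are of interest.
        if url.scheme != "http" or url.hostname not in LOOPBACK_HOSTS:
            continue
        # Header names are case-insensitive, so normalise before lookup.
        headers = {h["name"].lower(): h["value"] for h in resp.get("headers", [])}
        target = headers.get("location") or resp.get("redirectURL", "")
        if resp.get("status") == 307 and urlsplit(target).scheme == "https":
            findings.append({
                "method": req["method"],
                "from": req["url"],
                "to": target,
                # "HSTS" here matches the symptom described in this article.
                "reason": headers.get("non-authoritative-reason"),
            })
    return findings


if __name__ == "__main__":
    for f in find_loopback_upgrades(SAMPLE_HAR):
        print(f"{f['method']} {f['from']} -> {f['to']} [reason: {f['reason']}]")
```

A finding with reason HSTS points to the browser setting described below rather than to a cached certificate.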
Chrome
This setting can be found in Chrome under: chrome://settings/security
Edge
The option to switch all navigations from HTTP to HTTPS is in the settings at edge://settings/privacy.
Disabling the Auto switching feature entirely will resolve this issue.
Firefox
Enable/Disable HTTPS-Only Mode
- Click the menu button and select Settings.
- Select Privacy & Security from the left menu.
- Scroll down to HTTPS-Only Mode.
- Use the radio button to select whether to enable or disable HTTPS-Only Mode, or select to only enable it for private windows.
Another known cause of this error, which may not present with the HTTP 307 detailed above in the cause section of this article, is bad SSL/TLS certificates being cached. If the above solution does not resolve the error message, try clearing the SSL/TLS certificates or cache in the OS.
For Windows - Delete individually, or delete all SSL/TLS cache
- Click on the start window and search for Internet options.
- After opening the Internet options, tap on the Content tab in the top menu bar.
- To target specific certificates for removal, in the Internet Properties pop-up window, choose Certificates.
- To clear the entire cache, in the Internet Properties pop-up window, instead click on Clear SSL state right below the Certificates.
This will delete all the SSL certificates stored on the local device.
For macOS
- Go into the system options (Go).
- Search for Utilities.
- Tap on Keychain Access.
- In the pop-up window, select System.
- This will identify the SSL certificates stored on the local device. Click on the SSL Certificate(s) for the impacted site, and delete them.
