Safari sends different list of supported ciphers for two URLs on the same domain

I am having a weird issue with Safari since iOS was upgraded to 10.2.1 on iPad. There are multiple URLs mapped to the same common name, and they are pointed to the same VIP and then iPlanet (version 4.0.7) using the same certificate; they both use the same certificate with a common name (e.g. https://sit6.mydomain.com and https://sit14.mydomain.com are the URLs, where sit14 throws the error; the common name in the certificate is test.mydomain.com). For one URL, Safari consistently sends the list of 22 ciphers, out of which TLS_RSA_WITH_3DES_EDE_CBC_SHA is supported by the iPlanet. All other ciphers in the list are not supported by the iPlanet version we have.

When I call the URL that fails on the SSL handshake, I see that Safari sends a list of ciphers and none of them is supported by iPlanet.

One option we have is to just upgrade iPlanet to support a lot more new ciphers. However, the concern is the inconsistent behavior between the two URLs. Again, the certificate on the server has both URLs as alternate names, and they both are intercepted by the same iPlanet instance, which acts as a proxy to a "Balance" server (second-level proxy).

Can someone please help with this issue? It should either work for all URLs or none. The issue is happening only on the Safari browser on iPad (v10.2.1); Chrome works fine on the same device. All other devices (iPhone, iMac, PC, Android) are working fine with both URLs.

Thanks

Posted on Feb 27, 2017 12:57 PM


Feb 28, 2017 6:59 AM in response to Diana.McCall

Hi,

Thanks for the response. We have already done all of that. The issue is the consistency: it always works on one domain and doesn't work on the second. It says Safari couldn't establish a secure connection. Both URLs have the same certificate.

The iPlanet version is old, 4.0.7, which supports an old set of ciphers. When I run ssllabs.com/ssltest in Safari, I don't see any ciphers that match the ones supported on iPlanet. Based on this test, it makes sense when the site doesn't work; the issue is why it works on some URLs. When I captured a PCAP on iPlanet, for the ones that do not work, there is an SSL handshake error. For the ones that work, the PCAP states that the handshake is done on TLS_RSA_WITH_3DES_EDE_CBC_SHA. This is very strange: if Safari doesn't support this cipher, how come it uses it for the handshake for one URL and not the others?

Mar 6, 2017 11:18 AM in response to Lone Maverick

Anyone who would be able to help? Both URLs use the same certificate, same IP, same iPlanet instance, but one works and the other one doesn't. For one URL, Safari sends the 3DES cipher in the list of supported ciphers. It sends the list of supported ciphers minus 3DES for the other URL. Again, both URLs use the same certificate, they both are listed as Subject Alternative Names, both pointing to the same common name/IP. Both URLs are handled by the same iPlanet instance.
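Added example, not part of the original posts: one way to check the comparison described in this thread is to extract the SNI host and offered cipher suites from each captured ClientHello and diff them against what the server accepts. The two hello records are constructed, the function names are hypothetical, and the server suite set is an assumption based on the one shared suite the thread names.

```python
import struct

NAMES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",           # IANA suite ids
         0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
SERVER_SUITES = {0x000A}  # assumption: the one suite the thread says the server shares

def build_client_hello(host, suites):
    """Build a minimal TLS record holding a ClientHello (constructed test input)."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name  # list, host_name entry
    exts = struct.pack("!HH", 0, len(sni)) + sni            # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"               # version, random, no session id
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                   # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(rec):
    """Return (SNI host or None, [cipher suite ids]) from one unfragmented record."""
    if len(rec) < 44 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 5 + 4 + 2 + 32                    # record hdr, handshake hdr, version, random
    p += 1 + rec[p]                       # session id
    n = struct.unpack_from("!H", rec, p)[0]
    suites = [struct.unpack_from("!H", rec, p + 2 + i)[0] for i in range(0, n, 2)]
    p += 2 + n
    p += 1 + rec[p]                       # compression methods
    sni = None
    if p + 2 <= len(rec):                 # extensions are optional
        end = p + 2 + struct.unpack_from("!H", rec, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", rec, p)
            if etype == 0:                # data: list len(2), type(1), name len(2), name
                nlen = struct.unpack_from("!H", rec, p + 7)[0]
                sni = rec[p + 9:p + 9 + nlen].decode("ascii")
            p += 4 + elen
    return sni, suites

def compare(rec_a, rec_b, server=SERVER_SUITES):
    """Per SNI: suites shared with the server, plus suites only the first hello offers."""
    (ha, sa), (hb, sb) = parse_client_hello(rec_a), parse_client_hello(rec_b)
    return {ha: sorted(set(sa) & server), hb: sorted(set(sb) & server),
            "only_in_first": [NAMES.get(s, hex(s)) for s in sa if s not in sb]}

HELLO_A = build_client_hello("sit6.mydomain.com", [0xC02F, 0x002F, 0x000A])  # constructed
HELLO_B = build_client_hello("sit14.mydomain.com", [0xC02F, 0x002F])         # constructed
```

An empty list for a host in the result of `compare(HELLO_A, HELLO_B)` means that hello shares no suite with the server, which is the condition under which the handshake fails.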
