
Safari constantly reloads pages with custom CA certificate


I am trying to access an HTTPS page using an iPad (version 11.3). The server certificates are signed by a custom CA, which causes Safari to show the "untrusted site" message. But if I install the CA certificate profile and mark it as a trusted CA, when I try to hit the same pages, Safari goes all berserk, constantly reloading the page 200 times a minute without actually showing the page. This isn't a constant behavior: the same tablet may work for some addresses and not for other ones (both using certs signed by the same CA).

Is anybody aware of any known issues in Safari regarding non-bundled CA certificates?

We are also using non-default ports (not 443) for the HTTPS server, in case this is of some significance.

I have little to no knowledge about iPad and Safari. Is there any way to get Safari logs from the iPad?

Thank you!


Solution

  • After some deep digging in Wireshark traces, I found a difference in the SSL handshake between a server where Safari was behaving as expected and a server where the same Safari was behaving erratically.

    The working connection looked like:

    [screenshot: Wireshark trace of the working TLS handshake]

    And the non working one:

    [screenshot: Wireshark trace of the non-working TLS handshake]

    I took a deep dive into the Server Hello and found a slight difference:

    Working:

    [screenshot: Server Hello of the working server, certificate chain with two certificates]

    Non working:

    [screenshot: Server Hello of the non-working server, certificate chain with only the server certificate]

    The server in the working scenario was providing two of the certificates in the signing chain, while the other server was providing only the server certificate. It seems that Safari does not like the latter.

    I modified the server configuration to also provide the issuer cert in the cert chain, and the bad server started to work fine.
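The check behind this answer, as an added example that is not part of the original post: parse the `Certificate chain` section that `openssl s_client -connect host:port -servername host -showcerts </dev/null` prints and report whether the server sends a chain that links up to the CA you installed on the device. The two transcripts, the host names and the CA names below are constructed to mirror the working and the non-working server from the answer.

```python
import re

# Constructed excerpts of `openssl s_client -showcerts` output (only the
# "s:"/"i:" subject/issuer lines matter here; the PEM bodies are elided).
WORKING_SERVER = """\
Certificate chain
 0 s:CN = app.example.internal
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---
"""
# The non-working server sends only the leaf, issued by an intermediate that
# the client has never seen and cannot fetch: the chain cannot be built.
BROKEN_SERVER = """\
Certificate chain
 0 s:CN = app2.example.internal
   i:CN = Example Intermediate CA
---
"""
# What the iPad profile installed and marked trusted (constructed name).
TRUSTED_ROOTS = {"CN = Example Root CA"}

# One entry per certificate the server sent: " N s:<subject>" then " i:<issuer>".
CHAIN_ENTRY = re.compile(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_served_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    return [(m.group(1).strip(), m.group(2).strip())
            for m in CHAIN_ENTRY.finditer(s_client_output)]


def check_chain(chain, trusted_roots):
    """Return (ok, reason): ok only if every served cert is issued by the next
    one and the last served cert is, or is issued by, a trusted root."""
    if not chain:
        return False, "server sent no certificates"
    for (subj, issuer), (next_subj, _) in zip(chain, chain[1:]):
        if issuer != next_subj:
            return False, f"'{subj}' is issued by '{issuer}' but next cert is '{next_subj}'"
    last_subj, last_issuer = chain[-1]
    if last_subj in trusted_roots or last_issuer in trusted_roots:
        return True, "chain links up to a trusted CA"
    return False, (f"chain stops at '{last_subj}' issued by '{last_issuer}', "
                   "which is neither served nor a trusted root: intermediate missing")


if __name__ == "__main__":
    for name, out in (("working", WORKING_SERVER), ("broken", BROKEN_SERVER)):
        print(name, check_chain(parse_served_chain(out), TRUSTED_ROOTS))
```

Feed it real output by piping `openssl s_client ... -showcerts </dev/null` into a file and passing that text to `parse_served_chain`; a `False` result with "intermediate missing" is the configuration the answer fixed by adding the issuer certificate to the server's chain file.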