[BlueOnyx:25963] Re: 5211 SNI Https not working on Iphone ios 16
Michael Stauber
mstauber at blueonyx.it
Wed Feb 8 16:19:54 -05 2023
Hello,
> On the iPhone I get the page can not be displayed
>
> Using Safari browser
>
> And on Chrome on the iPhone page can't be displayed
Many thanks for testing it out! So we do have a problem there.
The question is: What could it be?
I checked the Nginx and Apache access and error logfiles. The error
logfiles had no entry that I could associate with any of the requests
that were made from iPhones or Chrome.
The access logs reported this:
Nginx:
======
82.1.0.0 - - [08/Feb/2023:14:08:32 -0500] "GET /test.php HTTP/2.0" 200
101893 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Mobile/15E148
Safari/604.1" "-"
82.1.0.0 - - [08/Feb/2023:14:08:33 -0500] "GET /test.php HTTP/2.0" 200
85731 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Mobile/15E148
Safari/604.1" "-"
82.1.0.0 - - [08/Feb/2023:14:08:39 -0500] "GET /test.php HTTP/2.0" 200
101893 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Mobile/15E148
Safari/604.1" "-"
82.1.0.0 - - [08/Feb/2023:14:08:53 -0500] "GET /test.php HTTP/2.0" 200
101893 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Mobile/15E148
Safari/604.1" "-"
82.1.0.0 - - [08/Feb/2023:14:08:55 -0500] "GET /test.php HTTP/2.0" 200
101893 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Mobile/15E148
Safari/604.1" "-"
173.32.0.0 - - [08/Feb/2023:14:24:32 -0500] "GET /test.php HTTP/2.0" 200
101898 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.2 Mobile/15E148
Safari/604.1" "-"
173.32.0.0 - - [08/Feb/2023:14:24:33 -0500] "GET /test.php HTTP/2.0" 200
101898 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.2 Mobile/15E148
Safari/604.1" "-"
173.32.0.0 - - [08/Feb/2023:14:25:30 -0500] "GET /test.php HTTP/2.0" 200
81643 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/109.0.5414.112
Mobile/15E148 Safari/604.1" "-"
173.32.0.0 - - [08/Feb/2023:14:25:33 -0500] "GET /test.php HTTP/2.0" 200
81643 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/109.0.5414.112
Mobile/15E148 Safari/604.1" "-"
89.35.0.0 - - [08/Feb/2023:14:36:58 -0500] "GET /test.php HTTP/2.0" 200
101898 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_1 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Mobile/15E148
Safari/604.1" "-"
89.35.0.0 - - [08/Feb/2023:14:37:09 -0500] "GET /test.php HTTP/2.0" 200
101898 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_1 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Mobile/15E148
Safari/604.1" "-"
Apache:
========
5211r1.smd.net 82.1.0.0 - - [08/Feb/2023:14:08:32 -0500] "GET /test.php
HTTP/1.1" 200 101893 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like
Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3
Mobile/15E148 Safari/604.1"
5211r1.smd.net 82.1.0.0 - - [08/Feb/2023:14:08:33 -0500] "GET /test.php
HTTP/1.1" 200 101893 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like
Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3
Mobile/15E148 Safari/604.1"
5211r1.smd.net 82.1.0.0 - - [08/Feb/2023:14:08:39 -0500] "GET /test.php
HTTP/1.1" 200 101893 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like
Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3
Mobile/15E148 Safari/604.1"
5211r1.smd.net 82.1.0.0 - - [08/Feb/2023:14:08:53 -0500] "GET /test.php
HTTP/1.1" 200 101893 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like
Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3
Mobile/15E148 Safari/604.1"
5211r1.smd.net 82.1.0.0 - - [08/Feb/2023:14:08:55 -0500] "GET /test.php
HTTP/1.1" 200 101893 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like
Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3
Mobile/15E148 Safari/604.1"
5211r1.smd.net 173.32.0.0 - - [08/Feb/2023:14:24:32 -0500] "GET
/test.php HTTP/1.1" 200 101898 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS
16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko)
Version/16.2 Mobile/15E148 Safari/604.1"
5211r1.smd.net 173.32.0.0 - - [08/Feb/2023:14:24:33 -0500] "GET
/test.php HTTP/1.1" 200 101898 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS
16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko)
Version/16.2 Mobile/15E148 Safari/604.1"
5211r1.smd.net 173.32.0.0 - - [08/Feb/2023:14:25:29 -0500] "GET
/test.php HTTP/1.1" 200 101914 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS
16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko)
CriOS/109.0.5414.112 Mobile/15E148 Safari/604.1"
5211r1.smd.net 173.32.0.0 - - [08/Feb/2023:14:25:33 -0500] "GET
/test.php HTTP/1.1" 200 101914 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS
16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko)
CriOS/109.0.5414.112 Mobile/15E148 Safari/604.1"
5211r1.smd.net 89.35.0.0 - - [08/Feb/2023:14:36:58 -0500] "GET /test.php
HTTP/1.1" 200 101898 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_1 like
Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1
Mobile/15E148 Safari/604.1"
5211r1.smd.net 89.35.0.0 - - [08/Feb/2023:14:37:09 -0500] "GET /test.php
HTTP/1.1" 200 101898 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_1 like
Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1
Mobile/15E148 Safari/604.1"
As you can see:
In all cases the web servers responded with "200" (OK) and the content
length also indicates that the expected content was served.
Likewise: SSLLabs gives the domain's SSL implementation a straight "A":
https://www.ssllabs.com/ssltest/analyze.html?d=5211r1.smd.net&hideResults=on
It should work with Safari 9 or iOS 9 or greater, although they don't
have a test for iOS 16 (yet).
HOWEVER - and about that I am scratching my head: In the certificate
chain for "Path #2" in the 4th spot it lists a "DST Root CA X3" as being
"In trust store" and that certificate expired in 2021.
In "Path #1" it reports no errors.
For what it's worth: A 5210R with the same setup (Nginx SSL proxy, LE
cert) reports the same:
https://www.ssllabs.com/ssltest/analyze.html?d=5210r1.smd.net&hideResults=on
It has a similar URL for testing: https://5210r1.smd.net/test.php
Bottom line: I don't know yet what might cause this.
--
With best regards
Michael Stauber
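
Added example, not part of the original message: a small Python correlator that pairs each Nginx (proxy) access log entry with the Apache (backend) entry for the same request and reports pairs where the two servers logged different byte counts. It assumes the log lines have been unwrapped to one request per line, that the layouts are the ones visible in the excerpts above, and that Apache logs the real client IP as it does there; all function and variable names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Assumed layout (from the excerpts): optional vhost, client IP, [time], "request", status, bytes, "referer", "UA"
LINE = re.compile(
    r'(?:(?P<vhost>\S+) )?(?P<ip>\d+(?:\.\d+){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
    r'(?P<size>\d+) "[^"]*" "(?P<ua>[^"]*)"')

def parse(text):
    """Parse one-request-per-line access log text into dicts; unparsable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            e["size"] = int(e["size"])
            out.append(e)
    return out

def correlate(proxy, backend, skew=timedelta(seconds=2)):
    """Pair each proxy entry with the nearest unused backend entry for the same client,
    path and user agent; the two servers can stamp one request a second apart."""
    used, pairs = set(), []
    for p in proxy:
        cands = [(abs(b["time"] - p["time"]), i) for i, b in enumerate(backend)
                 if i not in used and all(b[k] == p[k] for k in ("ip", "path", "ua"))]
        best = min((c for c in cands if c[0] <= skew), default=None)
        if best is not None:
            used.add(best[1])
        pairs.append((p, backend[best[1]] if best is not None else None))
    return pairs

def size_mismatches(pairs):
    """Return (proxy timestamp, proxy bytes, backend bytes) for pairs whose sizes differ."""
    return [(p["ts"], p["size"], b["size"]) for p, b in pairs if b and p["size"] != b["size"]]

# Sample input: three request pairs copied from the excerpts above, unwrapped to one line each.
SAFARI = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Mobile/15E148 Safari/604.1"
CHROME = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/109.0.5414.112 Mobile/15E148 Safari/604.1"
NGINX = f'''82.1.0.0 - - [08/Feb/2023:14:08:32 -0500] "GET /test.php HTTP/2.0" 200 101893 "-" "{SAFARI}" "-"
82.1.0.0 - - [08/Feb/2023:14:08:33 -0500] "GET /test.php HTTP/2.0" 200 85731 "-" "{SAFARI}" "-"
173.32.0.0 - - [08/Feb/2023:14:25:30 -0500] "GET /test.php HTTP/2.0" 200 81643 "-" "{CHROME}" "-"'''
APACHE = f'''5211r1.smd.net 82.1.0.0 - - [08/Feb/2023:14:08:32 -0500] "GET /test.php HTTP/1.1" 200 101893 "-" "{SAFARI}"
5211r1.smd.net 82.1.0.0 - - [08/Feb/2023:14:08:33 -0500] "GET /test.php HTTP/1.1" 200 101893 "-" "{SAFARI}"
5211r1.smd.net 173.32.0.0 - - [08/Feb/2023:14:25:29 -0500] "GET /test.php HTTP/1.1" 200 101914 "-" "{CHROME}"'''
```

Calling `size_mismatches(correlate(parse(NGINX), parse(APACHE)))` lists the requests where the proxy and the backend logged different sizes for the same request, which are the ones to look at first.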