[BlueOnyx:25964] Re: 5211 SNI Https not working on Iphone ios 16

kmrichardson at rogers.com kmrichardson at rogers.com
Wed Feb 8 16:59:43 -05 2023


On the R5210 I'm running Nginx with SSL and my pages display with
Safari and with Chrome on my iPhone, iOS version 16.2.



-----Original Message-----
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On Behalf Of Michael
Stauber
Sent: February 8, 2023 4:20 PM
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:25963] Re: 5211 SNI Https not working on Iphone ios 16

Hello,

> On the iPhone I get the page can not be displayed
> 
> Using Safari browser
> 
> And on Chrome on the iPhone page can't be displayed

Many thanks for testing it out! So we do have a problem there.

The question is: What could it be?

I checked the Nginx and Apache access and error logfiles. The error logfiles
had no entry that I could associate with any of the requests that were made
from iPhones or Chrome.

The access logs reported this:

Nginx:
======

82.1.0.0 - - [08/Feb/2023:14:08:32 -0500] "GET /test.php HTTP/2.0" 200
101893 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Mobile/15E148
Safari/604.1" "-"
82.1.0.0 - - [08/Feb/2023:14:08:33 -0500] "GET /test.php HTTP/2.0" 200
85731 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Mobile/15E148
Safari/604.1" "-"
82.1.0.0 - - [08/Feb/2023:14:08:39 -0500] "GET /test.php HTTP/2.0" 200
101893 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Mobile/15E148
Safari/604.1" "-"
82.1.0.0 - - [08/Feb/2023:14:08:53 -0500] "GET /test.php HTTP/2.0" 200
101893 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Mobile/15E148
Safari/604.1" "-"
82.1.0.0 - - [08/Feb/2023:14:08:55 -0500] "GET /test.php HTTP/2.0" 200
101893 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Mobile/15E148
Safari/604.1" "-"
173.32.0.0 - - [08/Feb/2023:14:24:32 -0500] "GET /test.php HTTP/2.0" 200
101898 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.2 Mobile/15E148
Safari/604.1" "-"
173.32.0.0 - - [08/Feb/2023:14:24:33 -0500] "GET /test.php HTTP/2.0" 200
101898 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.2 Mobile/15E148
Safari/604.1" "-"
173.32.0.0 - - [08/Feb/2023:14:25:30 -0500] "GET /test.php HTTP/2.0" 200
81643 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/109.0.5414.112
Mobile/15E148 Safari/604.1" "-"
173.32.0.0 - - [08/Feb/2023:14:25:33 -0500] "GET /test.php HTTP/2.0" 200
81643 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/109.0.5414.112
Mobile/15E148 Safari/604.1" "-"
89.35.0.0 - - [08/Feb/2023:14:36:58 -0500] "GET /test.php HTTP/2.0" 200
101898 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_1 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Mobile/15E148
Safari/604.1" "-"
89.35.0.0 - - [08/Feb/2023:14:37:09 -0500] "GET /test.php HTTP/2.0" 200
101898 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_1 like Mac OS X)
AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Mobile/15E148
Safari/604.1" "-"


Apache:
========

5211r1.smd.net 82.1.0.0 - - [08/Feb/2023:14:08:32 -0500] "GET /test.php
HTTP/1.1" 200 101893 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac
OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3
Mobile/15E148 Safari/604.1"
5211r1.smd.net 82.1.0.0 - - [08/Feb/2023:14:08:33 -0500] "GET /test.php
HTTP/1.1" 200 101893 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac
OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3
Mobile/15E148 Safari/604.1"
5211r1.smd.net 82.1.0.0 - - [08/Feb/2023:14:08:39 -0500] "GET /test.php
HTTP/1.1" 200 101893 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac
OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3
Mobile/15E148 Safari/604.1"
5211r1.smd.net 82.1.0.0 - - [08/Feb/2023:14:08:53 -0500] "GET /test.php
HTTP/1.1" 200 101893 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac
OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3
Mobile/15E148 Safari/604.1"
5211r1.smd.net 82.1.0.0 - - [08/Feb/2023:14:08:55 -0500] "GET /test.php
HTTP/1.1" 200 101893 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac
OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3
Mobile/15E148 Safari/604.1"
5211r1.smd.net 173.32.0.0 - - [08/Feb/2023:14:24:32 -0500] "GET /test.php
HTTP/1.1" 200 101898 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS
16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko)
Version/16.2 Mobile/15E148 Safari/604.1"
5211r1.smd.net 173.32.0.0 - - [08/Feb/2023:14:24:33 -0500] "GET /test.php
HTTP/1.1" 200 101898 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS
16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko)
Version/16.2 Mobile/15E148 Safari/604.1"
5211r1.smd.net 173.32.0.0 - - [08/Feb/2023:14:25:29 -0500] "GET /test.php
HTTP/1.1" 200 101914 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS
16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko)
CriOS/109.0.5414.112 Mobile/15E148 Safari/604.1"
5211r1.smd.net 173.32.0.0 - - [08/Feb/2023:14:25:33 -0500] "GET /test.php
HTTP/1.1" 200 101914 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS
16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko)
CriOS/109.0.5414.112 Mobile/15E148 Safari/604.1"
5211r1.smd.net 89.35.0.0 - - [08/Feb/2023:14:36:58 -0500] "GET /test.php
HTTP/1.1" 200 101898 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_1 like Mac
OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1
Mobile/15E148 Safari/604.1"
5211r1.smd.net 89.35.0.0 - - [08/Feb/2023:14:37:09 -0500] "GET /test.php
HTTP/1.1" 200 101898 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_1 like Mac
OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1
Mobile/15E148 Safari/604.1"

As you can see:

In all cases the web servers responded with "200" (OK) and the content
length also indicates that the expected content was served.

Likewise: SSLLabs gives the domain's SSL implementation a straight "A":

https://www.ssllabs.com/ssltest/analyze.html?d=5211r1.smd.net&hideResults=on

It should work with Safari 9 or iOS 9 or greater, although they don't have a
test for iOS 16 (yet).

HOWEVER - and about that I am scratching my head: In the certificate chain
for "Path #2" in the 4th spot it lists a "DST Root CA X3" as being "In trust
store" and that certificate expired in 2021.

In "Path #1" it reports no errors.

For what it's worth: A 5210R with the same setup (Nginx SSL proxy, LE
cert) reports the same:

https://www.ssllabs.com/ssltest/analyze.html?d=5210r1.smd.net&hideResults=on

It has a similar URL for testing: https://5210r1.smd.net/test.php

Bottom line: I don't know yet what might cause this.

--
With best regards

Michael Stauber
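
Added example, not part of the original messages: a short Python script that pairs Nginx proxy entries with the Apache backend entries for the same client and path, then lists the pairs whose status or byte count differ between the two tiers. It assumes the byte column is the response body size in both log formats; the function names and the 2-second matching window are choices made for this example.

```python
import re
from datetime import datetime, timedelta
# Entries excerpted from the logs quoted above, one per line; the user-agent
# field is abbreviated here to keep the sample short.
UA = '"-" "Mozilla/5.0 (iPhone; ...)"'
NGINX = f'''\
82.1.0.0 - - [08/Feb/2023:14:08:32 -0500] "GET /test.php HTTP/2.0" 200 101893 {UA} "-"
82.1.0.0 - - [08/Feb/2023:14:08:33 -0500] "GET /test.php HTTP/2.0" 200 85731 {UA} "-"
173.32.0.0 - - [08/Feb/2023:14:25:30 -0500] "GET /test.php HTTP/2.0" 200 81643 {UA} "-"
89.35.0.0 - - [08/Feb/2023:14:36:58 -0500] "GET /test.php HTTP/2.0" 200 101898 {UA} "-"
'''
APACHE = f'''\
5211r1.smd.net 82.1.0.0 - - [08/Feb/2023:14:08:32 -0500] "GET /test.php HTTP/1.1" 200 101893 {UA}
5211r1.smd.net 82.1.0.0 - - [08/Feb/2023:14:08:33 -0500] "GET /test.php HTTP/1.1" 200 101893 {UA}
5211r1.smd.net 173.32.0.0 - - [08/Feb/2023:14:25:29 -0500] "GET /test.php HTTP/1.1" 200 101914 {UA}
5211r1.smd.net 89.35.0.0 - - [08/Feb/2023:14:36:58 -0500] "GET /test.php HTTP/1.1" 200 101898 {UA}
'''
ENTRY = re.compile(
    r'(?:(?P<vhost>\S+) )?(?P<ip>\d+(?:\.\d+){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\d+)')

def parse(text):
    """Parse access-log lines, with or without a leading vhost column."""
    rows = []
    for m in filter(None, map(ENTRY.match, text.splitlines())):
        row = m.groupdict()
        row["ts"] = datetime.strptime(row["ts"], "%d/%b/%Y:%H:%M:%S %z")
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows

def correlate(front, back, skew=timedelta(seconds=2)):
    """Pair each proxy entry with the nearest unused backend entry (same IP and path)."""
    unused, pairs = list(back), []
    for f in front:
        near = [b for b in unused if (b["ip"], b["path"]) == (f["ip"], f["path"])
                and abs(b["ts"] - f["ts"]) <= skew]
        b = min(near, key=lambda x: abs(x["ts"] - f["ts"]), default=None)
        if b is not None:
            unused.remove(b)
        pairs.append((f, b))
    return pairs

def mismatches(pairs):
    """Pairs with no backend hit, or a differing status or byte count."""
    return [(f, b) for f, b in pairs
            if b is None or (f["status"], f["bytes"]) != (b["status"], b["bytes"])]

for f, b in mismatches(correlate(parse(NGINX), parse(APACHE))):
    print(f["ip"], f["ts"].time(), "proxy sent", f["bytes"], "backend sent", b and b["bytes"])
```

A difference between the two byte counts does not by itself identify a cause; it marks the requests worth inspecting more closely on the proxy side.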