Safari constantly reload pages with custom CA certificate


Problem description

I am trying to access an HTTPS page using a version 11.3 iPad. The server certificates are signed by a custom CA, and thus, it causes Safari to show the "untrusted site" message. But if I install the CA certificates profile, and mark it as a trusted CA, when I try to hit the same pages, Safari goes all berserk, constantly reloading the page 200 times a minute without actually showing the page. This isn't a constant behavior; the same tablet may work for some addresses and not for other ones (both using the same CA signing certs).

Is anybody aware of any known issues on Safari regarding non-bundle CA certificates?

We are also using non-default ports (non-443) for the HTTPS server, in case this is of some significance.

I have little to no knowledge about iPad and Safari; is there any way to get Safari logs from the iPad?

Thanks!

Recommended answer

After some deep digging in Wireshark traces, I found a difference in the SSL handshake between a server where Safari was behaving as expected, and a server where the same Safari was behaving erratically.

The working connection looks like:

And the non-working one:

I took a deep dive into the Server Hello and found a slight difference:

Working:

Not working:

The server on the working scenario was providing two of the certificates in the signing chain, while the other server was providing only the server certificate. Seems that Safari does not like the last one.

I modified the server configuration to provide also the issuer cert in the cert chain and the bad server started to work fine.
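
The difference described in the answer can be checked mechanically on the Certificate handshake message that follows the Server Hello. The sketch below is an added example, not code from the original post: it parses the TLS 1.2 (and earlier) layout of that message and reports how many certificates the server sent. The function names and the sample bytes are assumptions constructed for illustration; the "certificates" are placeholders, not real DER.

```python
HANDSHAKE_CERTIFICATE = 0x0B  # TLS handshake message type "Certificate"


def _u24(buf, off):
    """Read a 3-byte big-endian length, the width TLS uses in this message."""
    if off + 3 > len(buf):
        raise ValueError("truncated length field")
    return int.from_bytes(buf[off:off + 3], "big")


def certificate_sizes(msg):
    """Return the size of each certificate in a TLS 1.2 (or earlier)
    Certificate handshake message, in the order the server sent them."""
    if len(msg) < 7 or msg[0] != HANDSHAKE_CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    body_len = _u24(msg, 1)   # length of everything after the 4-byte header
    list_len = _u24(msg, 4)   # length of the certificate_list that follows
    if body_len != len(msg) - 4 or list_len != body_len - 3:
        raise ValueError("inconsistent length fields")
    sizes, off = [], 7
    while off < len(msg):
        n = _u24(msg, off)    # each entry: 3-byte length, then the DER bytes
        off += 3
        if off + n > len(msg):
            raise ValueError("certificate overruns the message")
        sizes.append(n)
        off += n
    return sizes


def sends_issuer(msg):
    """True when the server sent at least one certificate after its own."""
    return len(certificate_sizes(msg)) >= 2


def build_message(certs):
    """Wrap placeholder certificates in Certificate-message framing."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(entries).to_bytes(3, "big") + entries
    return bytes([HANDSHAKE_CERTIFICATE]) + len(body).to_bytes(3, "big") + body


# Constructed sample input: placeholder bytes, not real certificates.
LEAF, ISSUER = b"\x30" + b"L" * 40, b"\x30" + b"I" * 60
WORKING = build_message([LEAF, ISSUER])  # server cert plus issuer cert
BROKEN = build_message([LEAF])           # server cert only

if __name__ == "__main__":
    for name, msg in (("working", WORKING), ("broken", BROKEN)):
        print(name, certificate_sizes(msg), "issuer sent:", sends_issuer(msg))
```
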
