Jacob Luebbers

Safari < 9 on iOS - SHA384/ECDSA signature support

Discussion created by Jacob Luebbers on Feb 3, 2016


Safari 8.0 or earlier on iOS 8.4 or earlier doesn't appear to support ECDSA certs signed with a SHA384 signature (shown in the client capabilities here: Qualys SSL Labs - Projects / User Agent Capabilities: Safari 8 / iOS 8.4).


Yet going back as far as iOS 7, that OS supports a number of root certs signed with ECDSA/SHA384: https://support.apple.com/en-au/HT203065


So I'm guessing this is a Safari rather than iOS issue, correct? Does anyone know if it only affects Safari on iOS or also Safari on other platforms?


This poses a problem for ECDSA cert deployment for older Safari/iOS clients, as most CAs that issue public ECDSA certs do so using a root or intermediate cert signed with ECDSA/SHA384. Does anyone know of a CA that offers an ECDSA/SHA256-only cert chain?
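
Added example, not part of the original post: a Python check of whether every signature in a served chain is covered by the hash/signature pairs a client lists in its TLS 1.2 `signature_algorithms` extension (RFC 5246), the kind of list a client-capabilities page reports. The extension bytes and the chain below are constructed sample values, not a capture from Safari 8, and the function names are hypothetical.

```python
import struct

# TLS 1.2 (RFC 5246) HashAlgorithm and SignatureAlgorithm code points.
HASHES = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {1: "rsa", 3: "ecdsa"}


def parse_signature_algorithms(ext_body: bytes) -> set:
    """Parse the body of a signature_algorithms extension (type 13).

    Layout: 2-byte list length, then (hash, signature) byte pairs.
    """
    if len(ext_body) < 2:
        raise ValueError("truncated extension")
    (length,) = struct.unpack("!H", ext_body[:2])
    pairs = ext_body[2:]
    if length != len(pairs) or length % 2:
        raise ValueError("bad signature_algorithms length")
    return {(pairs[i], pairs[i + 1]) for i in range(0, length, 2)}


def unsupported_chain_sigs(offered: set, chain_sigs: list) -> list:
    """Return the chain signature pairs the client did not offer."""
    return [
        f"{SIGS.get(s, s)}/{HASHES.get(h, h)}"
        for h, s in chain_sigs
        if (h, s) not in offered
    ]


# Constructed client list: sha256/rsa, sha256/ecdsa, sha1/rsa, sha1/ecdsa,
# sha384/rsa. ECDSA with SHA384 (0x05 0x03) is deliberately absent.
CLIENT_EXT = bytes.fromhex("000a" "0401" "0403" "0201" "0203" "0501")

# Constructed chain, as (hash, signature) of the signature ON each cert:
# leaf signed ECDSA/SHA256, intermediate signed ECDSA/SHA384.
MIXED_CHAIN = [(4, 3), (5, 3)]
SHA256_ONLY_CHAIN = [(4, 3), (4, 3)]

if __name__ == "__main__":
    offered = parse_signature_algorithms(CLIENT_EXT)
    print("mixed chain gaps:", unsupported_chain_sigs(offered, MIXED_CHAIN))
    print("sha256 chain gaps:", unsupported_chain_sigs(offered, SHA256_ONLY_CHAIN))
```
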