when setting up an Apache server with with both an ECDSA cert and an RSA cert, I get puzzling results with SSL Labs when I add weak TLS_RSA_WITH_AES_128|256_CBC_SHA RSA based ciphers to the end of the list Safari clients now negociate ciphers based on the RSA certificate and no longer the ECDSA one. This just drives me crazy how on hell is this possible?
SSL Labs result (without TLS_RSA) looks OK, Java 6u45 & OpenSSL 0.9.8y are dead but that is expected at this point.
SSL Labs result (TLS_RSA) looks weird, Java 6u45 & OpenSSL 0.9.8y are working, but what happened to Safari 5.1.9 to Safari 7, why would these clients drop the ECDSA cert in favor of the RSA one, and Safari 8 is still using the ECDSA cert?!?
This latest config can be tested here SSL Server Test: dual.ssl-tls.info (Powered by Qualys SSL Labs) for a while.