AnsweredAssumed Answered

Dual ECDSA/RSA certs weird Safari results?

Question asked by Valérie Martin on Sep 4, 2019
Latest reply on Sep 5, 2019 by Rob Moss

Hello,

when setting up an Apache server with with both an ECDSA cert and an RSA cert, I get puzzling results with SSL Labs when I add weak TLS_RSA_WITH_AES_128|256_CBC_SHA RSA based ciphers to the end of the list Safari clients now negociate ciphers based on the RSA certificate and no longer the ECDSA one. This just drives me crazy how on hell is this possible?

 

Without TLS_RSA

 

With TLS_RSA

 

SSL Labs result (without TLS_RSA) looks OK, Java 6u45 & OpenSSL 0.9.8y are dead but that is expected at this point.

SSL Labs result (TLS_RSA) looks weird, Java 6u45 & OpenSSL 0.9.8y are working, but what happened to Safari 5.1.9 to Safari 7, why would these clients drop the ECDSA cert in favor of the RSA one, and Safari 8 is still using the ECDSA cert?!?

 

This latest config can be tested here SSL Server Test: dual.ssl-tls.info (Powered by Qualys SSL Labs) for a while.

Outcomes