AnsweredAssumed Answered

dual certificates (safari bug?)

Question asked by Zoltán Halassy on Apr 24, 2014
Latest reply on Feb 10, 2016 by tlussnig

There is a site which uses dual certificates:

 

https://www.ssllabs.com/ssltest/analyze.html?d=hh.trucktracking.hu

 

The server has an order preference, it lists ECDSA ciphers first, then the RSA ones. On the handshake simulation section the Safari browsers seem to catch up the RSA ciphers instead of the ECDSA ones. Is that a bug of the test or the safari browser? Safari lists ECDSA ciphers first, then the RSA ones, it also supports secp384r1. If I remove the RSA ciphers, Safari would use ECDSA.

 

Related question: I can imagine these dual certificates will be widely used, wouldn't be a good thing to show the certificate chain for every certificate? To obtain all of them, the test would need to connect to the site first only with ECDSA ciphers in the Client Hello, then only with RSA ciphers in the Client Hello, lastly (if someone still uses them) only with DSS ciphers in the Client Hello.

Outcomes