
Is CFCA's certificate not trusted by Apple and Java trust store or not?

Question asked by Genghuang Wang on Feb 14, 2018
Latest reply on Feb 15, 2018 by Bhushan Lokhande

Hello

I'm running a server test with SSL Labs, and found that CFCA's certificate is not trusted by the Apple and Java trust stores.

SSL Server Test: www.cfca.com.cn (Powered by Qualys SSL Labs) 

However, after a deeper review, I find that the certificate is untrusted only by older versions of Safari (the Apple browser) and Java; the newer versions seem to trust it.

Say, older Java versions such as Java 6u45 and Java 7u25 don't trust it, but newer Java versions such as Java 8u31 trust it.


The Apple case is more complex. You can see the table below. Some old Apple devices do not trust it, such as old Safari on old OS X, or Apple ATS, say, Safari 5.1.9 / OS X 10.6.8 and Safari 6.0.4 / OS X 10.8.4, or Apple ATS 9 / iOS 9, but most new Apple devices trust it.

So, is it a partial distrust or a full distrust? If the newer Apple and newer Java versions trust it, why call it "not trusted" in total?

Java 6u45 No SNI 2 Protocol mismatch (not simulated)
Java 7u25 Protocol mismatch (not simulated)
Safari 5.1.9 / OS X 10.6.8 Protocol mismatch (not simulated)
Safari 6.0.4 / OS X 10.8.4 R Protocol mismatch (not simulated)

Java 8u31 RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH secp256r1 FS 3DES
Safari 6 / iOS 6.0.1 RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH secp256r1 FS 3DES
Safari 7 / iOS 7.1 R RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH secp256r1 FS 3DES
Safari 7 / OS X 10.9 R RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH secp256r1 FS 3DES
Safari 8 / iOS 8.4 R RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH secp256r1 FS 3DES
Safari 8 / OS X 10.10 R RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH secp256r1 FS 3DES
Safari 9 / iOS 9 R RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH secp256r1 FS 3DES
Safari 9 / OS X 10.11 R RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH secp256r1 FS 3DES
Safari 10 / iOS 10 R RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH secp256r1 FS 3DES
Safari 10 / OS X 10.12 R RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH secp256r1 FS 3DES
Apple ATS 9 / iOS 9 R Server sent fatal alert: handshake_failure
