When accessing a site that requires a client certificate, Safari 15.0/15.1 keeps asking for the certificate over and over again and creates an entry for each URL in the Keychain. The previous Safari versions cached the certificate and asked for the certificate only once when you had an https://server.domain.com/ identity preference in the Keychain. The continuous asking for the certificate and the numerous entries in the Keychain make Safari 15.0/15.1 unusable for sites that require a client certificate.

How to produce the behavior:

- Set up a web server that requires a client certificate. Apache config:

    SSLEngine on
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCertificateFile /etc/ssl/private/internal_server.crt
    SSLCertificateKeyFile /etc/ssl/private/internal_server.key
    SSLCACertificateFile /etc/ssl/private/internal_ca.crt
    SSLCertificateChainFile /etc/ssl/private/internal_ca.crt

- Access different URLs on the server
<rdar://problem/85161182>
Are you seeing this issue on iOS or macOS or both? Are the URLs all from https://server.domain.com/something or are there other hosts involved?
This happens just on macOS. iOS devices work as expected. No change on the server. The issue came up when Safari was updated to 15.0. Safari 15.1 has the same issue.
Tested with multiple servers and multiple macOS machines. Safari 14.1.2 works as expected, but when you run the updater to get 15.0 (or 15.1), Safari keeps asking for the certificate.
<rdar://83736480>
Created attachment 448508
Patch
I'm unable to reproduce this issue with the description provided. Perhaps there is something special about your certificate or keychain setup that was not described. Perhaps there's something special about your website. Any additional details would be much appreciated, ideally with a site and cert that reproduce the issue reliably.
A live setup to showcase the problem
====================================

1. Download the client certificate from https://mydbr.com/fileserve.php?get=safariuser.p12
2. Install it into your login keychain and trust the certificate
3. Access https://safaritest.mydbr.com and log into the application
4. Access the reports (browse through different URLs) in the application. Safari will pop up the question about the client certificate every now and then
5. Notice Safari populating certificate preferences into the keychain with entries for each URL. This used not to be the case when you had one ending with a slash in earlier versions of Safari (https://safaritest.mydbr.com/).

How to create the setup
=======================

Server running Apache 2.4.29. (Ubuntu in this case)

Safari Version 15.2 (16612.3.6.1.8, 16612)

Create self-signed certificate and a client certificate:

Certificate Authority (CA)
--------------------------
openssl genrsa -out safaritest_ca.key 2048
openssl req -new -sha256 -key safaritest_ca.key -out safaritest_ca.csr
openssl x509 -req -days 365 -sha256 -in safaritest_ca.csr -signkey safaritest_ca.key -out safaritest_ca.crt

Web Server Certificate
----------------------
openssl genrsa -out safaritest_server.key 2048
openssl req -new -sha256 -key safaritest_server.key -out safaritest_server.csr
openssl x509 -req -days 365 -sha256 -in safaritest_server.csr -signkey safaritest_server.key -out safaritest_server.crt

Create a Client Certificate
---------------------------
openssl req -newkey rsa:2048 -days 365 -nodes -keyout safariuser-key.pem > safariuser-req.pem
openssl x509 -req -in safariuser-req.pem -days 365 -CA safaritest_ca.crt -CAkey safaritest_ca.key -set_serial 01 > safariuser-cert1.pem
openssl pkcs12 -export -in safariuser-cert1.pem -inkey safariuser-key.pem -out safariuser.p12

The Apache config for the site
------------------------------

<VirtualHost *:443>
    ServerName safaritest.mydbr.com
    ServerAdmin support@mydbr.com

    SSLEngine on
    SSLVerifyClient require
    SSLVerifyDepth 1

    SSLCertificateFile /etc/ssl/private/safaritest_server.crt
    SSLCertificateKeyFile /etc/ssl/private/safaritest_server.key
    SSLCACertificateFile /etc/ssl/private/safaritest_ca.crt

    DocumentRoot /var/www/safaritest
    <Directory />
        Options FollowSymLinks
        AllowOverride All
    </Directory>
    <Directory /var/www/internal>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog /var/log/apache2/safaritest_error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/safaritest_access.log combined

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
</VirtualHost>

The problem looks to be related (just a guess) to the fact that Safari seems to forget the certificate and asks for it again at random times. This happens when you access different URLs in the site.
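A non-interactive version of the PKI setup in the comment above, added here as an example and not part of the bug report: it builds a CA and issues a client certificate with the same openssl tools (using -subj and `req -x509` instead of the interactive CSR steps), then runs the chain check that mod_ssl effectively performs against SSLCACertificateFile, showing that a certificate from an unrelated CA is rejected. It assumes the openssl CLI is on PATH; all names and the "stranger" CA are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the bug report): builds the same kind of PKI as the
# thread's openssl commands, but non-interactively (-subj), then checks what
# mod_ssl's "SSLVerifyClient require" + SSLCACertificateFile will accept.
# Assumes the openssl CLI is installed. All files are written to a temp dir.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed CA, equivalent to the report's genrsa + req + x509 -signkey steps.
make_ca() {  # $1 = CA name
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 365 -key "$1.key" -subj "/CN=$1" \
    -out "$1.crt" 2>/dev/null
}

# Client certificate issued by the named CA, exported as a PKCS#12 bundle.
# The export password "pass" is the one given later in the thread.
issue_client() {  # $1 = CA name, $2 = client name
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$2-key.pem" -out "$2-req.pem" 2>/dev/null
  openssl x509 -req -days 365 -sha256 -in "$2-req.pem" \
    -CA "$1.crt" -CAkey "$1.key" -set_serial 01 -out "$2-cert.pem" 2>/dev/null
  openssl pkcs12 -export -in "$2-cert.pem" -inkey "$2-key.pem" \
    -passout pass:pass -out "$2.p12"
}

# Same chain check the server performs with SSLCACertificateFile:
# exit 0 when the cert chains to the CA, non-zero otherwise.
verify_client() {  # $1 = CA cert file, $2 = client cert file
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 if the PKCS#12 bundle opens with the given import password.
p12_opens() {  # $1 = p12 file, $2 = password
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Demo: one CA the server trusts, one it does not.
make_ca safaritest_ca
make_ca other_ca
issue_client safaritest_ca safariuser
issue_client other_ca stranger
verify_client safaritest_ca.crt safariuser-cert.pem && echo "safariuser: accepted"
verify_client safaritest_ca.crt stranger-cert.pem || echo "stranger: rejected (not issued by safaritest_ca)"
```

SSLVerifyDepth 1 in the config above additionally limits the accepted chain to certificates issued directly by the CA, which is what the single-level issuance here produces.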
(In reply to Seppo Laaksonen from comment #8)
> A live setup to showcase the problem
> ====================================
> 1. Download the client certificate from
> https://mydbr.com/fileserve.php?get=safariuser.p12
> 2. Install it into your login keychain and trust the certificate
> 3. Access https://safaritest.mydbr.com and log into the application
> 4. Access the reports (browse through different URLs) in the application.
> Safari will pop up the question about the client certificate every now and
> then
> 5. Notice Safari populating certificate preferences into the keychain with
> entries for each URL. This used not to be the case when you had one ending
> with a slash in earlier versions of Safari (https://safaritest.mydbr.com/).
> 
> 
> How to create the setup
> =======================
> Server running Apache 2.4.29. (Ubuntu in this case)
> 
> Safari Version 15.2 (16612.3.6.1.8, 16612)
> 
> Create self-signed certificate and a client certificate:
> 
> Certificate Authority (CA)
> --------------------------
> openssl genrsa -out safaritest_ca.key 2048
> openssl req -new -sha256 -key safaritest_ca.key -out safaritest_ca.csr
> openssl x509 -req -days 365 -sha256 -in safaritest_ca.csr -signkey
> safaritest_ca.key -out safaritest_ca.crt
> 
> 
> Web Server Certificate
> ----------------------
> openssl genrsa -out safaritest_server.key 2048
> openssl req -new -sha256 -key safaritest_server.key -out
> safaritest_server.csr
> openssl x509 -req -days 365 -sha256 -in safaritest_server.csr -signkey
> safaritest_server.key -out safaritest_server.crt
> 
> Create a Client Certificate
> ---------------------------
> openssl req -newkey rsa:2048 -days 365 -nodes -keyout safariuser-key.pem >
> safariuser-req.pem
> openssl x509 -req -in safariuser-req.pem -days 365 -CA safaritest_ca.crt
> -CAkey safaritest_ca.key -set_serial 01 > safariuser-cert1.pem
> openssl pkcs12 -export -in safariuser-cert1.pem -inkey safariuser-key.pem
> -out safariuser.p12
> 
> 
> The Apache config for the site
> ------------------------------
> 
> <VirtualHost *:443>
> ServerName safaritest.mydbr.com
> ServerAdmin support@mydbr.com
> 
> SSLEngine on
> SSLVerifyClient require
> SSLVerifyDepth 1
> 
> SSLCertificateFile /etc/ssl/private/safaritest_server.crt
> SSLCertificateKeyFile /etc/ssl/private/safaritest_server.key
> SSLCACertificateFile /etc/ssl/private/safaritest_ca.crt
> 
> DocumentRoot /var/www/safaritest
> <Directory />
> Options FollowSymLinks
> AllowOverride All
> </Directory>
> <Directory /var/www/internal>
> Options Indexes FollowSymLinks MultiViews
> AllowOverride All
> Require all granted
> </Directory>
> 
> ErrorLog /var/log/apache2/safaritest_error.log
> 
> # Possible values include: debug, info, notice, warn, error, crit,
> # alert, emerg.
> LogLevel warn
> 
> CustomLog /var/log/apache2/safaritest_access.log combined
> 
> <FilesMatch "\.(cgi|shtml|phtml|php)$">
> SSLOptions +StdEnvVars
> </FilesMatch>
> </VirtualHost>
> 
> 
> The problem looks like to be related (just a guess) to the fact that Safari
> seems to forget the certificate and asks it again at random times. This
> happens when you access different URLs in the site.

It asks for a password when I try to install the certificate at https://mydbr.com/fileserve.php?get=safariuser.p12
I do not know what the password is.
It might be the same as Bug 234314 which I fixed recently (hasn't shipped yet) but I haven't been able to confirm since I haven't been able to reproduce yet.
Ah, sorry about that. The password is 'pass'.
(In reply to Seppo Laaksonen from comment #11)
> Ah, sorry about that. The password is 'pass'.

It looks like I can now reproduce with my System Safari. I am investigating. Thanks for the test server.
(In reply to Chris Dumez from comment #12)
> (In reply to Seppo Laaksonen from comment #11)
> > Ah, sorry about that. The password is 'pass'.
> 
> It looks like I can now reproduce with my System Safari. I am investigating.
> Thanks for the test server.

I can still reproduce with a local WebKit trunk build so this is definitely not fixed yet.
This is a Safari bug and the issue was fixed on the Safari side. Thank you for the bug report and the reproduction case.