[TriLUG] iPad SSL site oddity

Matt Flyer via TriLUG trilug at trilug.org
Tue May 9 10:17:03 EDT 2017


Over the last couple of weeks, I have been in the process of moving my
home based server that I use for mail and other functions to a hosted
system with the ultimate goal of giving the very expen$$$ive TWC-BC the
cold boot.  In the process, I created the SSL site using Let's Encrypt
that I use for Roundcube (webmail) and all seemed to work just fine
with most browsers, as in I would get the green lock and it would say
that it was a secured and verified connection.  Qualys SSL analysis
would give the site an A rating, at least once I had all three of the  
SSLCertificateFile, SSLCertificateKeyFile, and the
SSLCertificateChainFile 

What I ran into is that my newer iPad would REFUSE to connect to the
Roundcube site on my domain complaining that "safari could not
establish a secure connection to the server".  What's even more odd is
that my older iPad would.  Where it gets even more odd is that I have a
subdomain for the Subsonic music player configured as subsonic.mydomain
 (I use a reverse proxy to bridge the SSL port on 443 and the non
privileged user port behind the firewall) and that WOULD connect but
the parent domain would not. Of course Fruit goes M$ to the extreme in
that it doesn't even say contact the administrator for help - you get
just nothing as far as any sort of clue as to the problem.  

I was trying absolutely everything I could think of, including undoing
the changes to ensure only strong ciphers were being used, resetting
all the network parameters in the iPad, etc.  Finally I stumbled onto
the problem and this is where I am a bit puzzled.  The short answer is
that in the Apache host configuration I had 
<VirtualHost domain_ip_address:443> and what it wanted was
<VirtualHost DomainName:443>, in essence I believe using TLS SNI (?)
which is what I had in the subsonic domain as it shares the same IP
address.  

From my recollection of the old days, SSL was established by IP
address, not name, and the SNI is a newer variant that became popular
as people started hosting more than one secured domain on a site.
 However, what I don't get is why Safari would REFUSE to connect to the
site when it was defined by IP address.  

I am curious if anyone can shed some light on this?


