If both domains are causing problems, the problem might be on your browser's side.
Both failing URL domains are the same domain, pic8.co
catbox.moe works fine
If pic8.co does THREE HTTPS REDIRECT HOPS it will fail in all Apple products, due to an overly strict infinite loop check by Apple.
I did not trace how many web hops pic8 is doing but I see at least one with my eyes
the ONLY single difference I see is that pic8 uses the new "Curve X25519" and the world outside Google products still uses and promotes the ECDH P-384 curve
http://blog.nashcom.de/nashcomblog.nsf/dx/domino-12-beta-1-https-review-ratings.htm
The commands I used to study the chain:
openssl s_client -showcerts -connect pic8.co:443
vs
openssl s_client -showcerts -connect catbox.moe:443
both results almost identical technologies but one (pic8.co) is using "Curve X25519" vs ...
Server Temp Key: ECDH, P-384, 384 bits
pic8 does only one redirect once it selected the best host (based on availability and speed)
Check out https://pic8.co/about to understand how it works.
Apple Safari on iPhone 6 Plus running iOS 8.4 FAILS to connect using HTTPS SSL to pic8.co but WORKS with catbox.moe. pic8.co also fails on other Apple machines. Its use of X25519 might be the problem with pic8.co on older browsers.
fails even with zero hops to naked url of
EDIT: Apple Safari on iPhone 6 Plus running iOS 8.4 FAILS to connect using HTTPS SSL to pic8.co but WORKS with catbox.moe. pic8.co also fails on other Apple machines. Its use of X25519 might be the problem with pic8.co on older browsers.
Apple does not like servers FORCED in web server code to only serve X25519 on port 443, and older Apple browsers prefer using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384 (BOTH secp521r1:secp384r1 should be allowed)
Suite B:
https://tools.ietf.org/html/rfc6460
Apple is being pedantic and strict and is trying to comply with Suite B. Suite B restricts the curves to P-256 and P-384
TL/DR: pic8.co is broken for widespread HTTPS, and the catbox.moe web server is not broken, even though they both have the same exact identical types of SSL certs. It's a web server fuckup at pic8.co, and can be fixed with one line of change on the pic8 server to set "ssl_ecdh_curve" to secp521r1:secp384r1.
(post is archived)
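The comparison made in the thread, as an added example that is not part of any post: a small script that pulls the negotiated key-exchange group out of `openssl s_client` output and can re-test a host while offering only chosen curves. The function names and the sample handshake excerpts are constructed for illustration; only the "Server Temp Key" line format and the hostname in the usage comment come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). The sample excerpts are constructed.

# Print the key-exchange group from `openssl s_client` output on stdin.
#   "Server Temp Key: ECDH, P-384, 384 bits" -> P-384
#   "Server Temp Key: X25519, 253 bits"      -> X25519
temp_key_group() {
  awk -F': ' '/Server Temp Key:/ {
    n = split($2, f, /, */)
    print (n >= 3 ? f[2] : f[1]); exit
  }'
}

# Is the negotiated group one of the NIST P-curves?
group_is_nist_p() {
  case "$1" in
    P-256|P-384|P-521) echo yes ;;
    X25519|X448)       echo no ;;
    "")                echo no-handshake ;;
    *)                 echo unknown ;;
  esac
}

# Summarise s_client output read from stdin.
report() {
  g=$(temp_key_group)
  echo "group=${g:-none} nist_p_curve=$(group_is_nist_p "$g")"
}

# Live check: offer only the listed curves and see what the server picks.
# "group=none" means the handshake did not complete with that offer.
probe() {  # usage: probe pic8.co secp384r1:prime256v1
  openssl s_client -connect "$1:443" -servername "$1" -curves "$2" \
    </dev/null 2>/dev/null | report
}

# Constructed sample excerpts so the script runs offline.
SAMPLE_P384='Server Temp Key: ECDH, P-384, 384 bits
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_X25519='Server Temp Key: X25519, 253 bits
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_FAILED='CONNECTED(00000003)
no peer certificate available'

for s in "$SAMPLE_P384" "$SAMPLE_X25519" "$SAMPLE_FAILED"; do
  printf '%s\n' "$s" | report
done
```

The group seen in a default run only shows what the server chose for your client's offer; `probe` with a restricted curve list shows whether the server will complete a handshake when X25519 is not offered.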