
©2025 Poal.co

(post is archived)

[–] 0 pt (edited)

Both failing URL domains are the same domain, pic8.co

catbox.moe works fine

If pic8.co does THREE HTTPS REDIRECT HOPS it will fail in all Apple products, due to an overly strict infinite loop check by Apple.

I did not trace how many web hops pic8 is doing, but I see at least one with my eyes.

The ONLY single difference I see is that pic8 uses the new "Curve X25519" and the world outside Google products still uses and promotes the ECDH P-384 curve.

http://blog.nashcom.de/nashcomblog.nsf/dx/domino-12-beta-1-https-review-ratings.htm

The commands I used to study the chain:

openssl s_client -showcerts -connect pic8.co:443

vs

openssl s_client -showcerts -connect catbox.moe:443

Both results show almost identical technologies, but one (pic8.co) is using "Curve X25519" vs ...

Server Temp Key: ECDH, P-384, 384 bits

[–] 0 pt

pic8 does only one redirect once it has selected the best host (based on availability and speed).

Check out https://pic8.co/about to understand how it works.

[–] 0 pt

Apple Safari on iPhone 6 Plus running iOS 8.4 FAILS to connect using HTTPS SSL to pic8.co but WORKS with catbox.moe. pic8.co also fails on other Apple machines. Its use of X25519 might be the problem with pic8.co on older browsers.

[–] 0 pt

Its use of X25519 might be the problem with pic8.co on older browsers.

It’s the other way around. The issue is the older browsers which don’t support the most recent and secure SSL 1.3.

[–] 0 pt (edited)

Fails even with zero hops to the naked URL of

https://pic8.co

EDIT: Apple Safari on iPhone 6 Plus running iOS 8.4 FAILS to connect using HTTPS SSL to pic8.co but WORKS with catbox.moe. pic8.co also fails on other Apple machines. Its use of X25519 might be the problem with pic8.co on older browsers.

Apple does not like servers FORCED in web server code to only serve X25519 on port 443, and older Apple browsers prefer using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384 (BOTH secp521r1:secp384r1 should be allowed).

Suite B:

https://tools.ietf.org/html/rfc6460

Apple is being pedantic and strict and is trying to comply with Suite B. Suite B restricts the curves to P-256 and P-384.

TL/DR: pic8.co is broken for widespread HTTPS, and the catbox.moe web server is not broken, even though they both have the same exact identical types of SSL certs. It's a web server fuckup at pic8.co, and can be fixed with a one-line change on the pic8 server to set "ssl_ecdh_curve" to secp521r1:secp384r1.
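The group negotiation the comments above are arguing about, modelled as an added example (not code from the thread, from pic8.co or from catbox.moe): the server's configured list, written in the nginx ssl_ecdh_curve syntax the comment mentions, is intersected with what a client advertises in supported_groups, and an X25519-only server has nothing in common with a client that offers only the NIST curves. The two client lists are constructed assumptions, not captured from any real browser.

```python
# Constructed model of TLS named-group (ECDHE curve) negotiation: which
# group, if any, a server's configured list and a client's advertised
# supported_groups have in common. Not code from the thread or from the
# pic8.co / catbox.moe servers; the client lists below are assumptions.

# Map OpenSSL/nginx spellings onto the IANA/RFC display names.
ALIASES = {
    "prime256v1": "P-256", "secp256r1": "P-256",
    "secp384r1": "P-384",
    "secp521r1": "P-521",
    "x25519": "X25519",
}

# Assumed client lists (constructed): a NIST-curves-only client standing
# in for an older Safari, and a modern browser that offers X25519 first.
NIST_ONLY_CLIENT = ["P-256", "P-384", "P-521"]
MODERN_CLIENT = ["X25519", "P-256", "P-384"]


def parse_ecdh_curve(directive: str) -> list:
    """Parse an nginx-style ssl_ecdh_curve value such as
    "X25519:secp384r1" into normalized names, order preserved."""
    groups = []
    for name in directive.split(":"):
        name = name.strip()
        if name:
            groups.append(ALIASES.get(name.lower(), name))
    return groups


def negotiate(server_groups, client_groups, server_preference=True):
    """Return the first shared group in the preferring side's order,
    or None when there is no overlap (the handshake fails)."""
    first, second = server_groups, client_groups
    if not server_preference:
        first, second = client_groups, server_groups
    for group in first:
        if group in second:
            return group
    return None


def compatibility_matrix(directive):
    """Outcome of one server setting against both assumed clients."""
    server = parse_ecdh_curve(directive)
    return {"nist_only_client": negotiate(server, NIST_ONLY_CLIENT),
            "modern_client": negotiate(server, MODERN_CLIENT)}


if __name__ == "__main__":
    for setting in ("X25519", "secp521r1:secp384r1", "X25519:secp384r1:secp256r1"):
        print(f"ssl_ecdh_curve {setting!r}: {compatibility_matrix(setting)}")
```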

[–] 0 pt

Catbox doesn’t use the same curve as pic8. It has a lower security level to be compatible with older browsers. Since pic8 doesn’t host the images, it could be set to support different older encryptions.