I am posting here because we have an urgent issue affecting the operation of our service and are in need of a solution after our own analysis has come up with few answers.
Beginning in iOS 18.2.x, we experienced exactly the same issue as the author of this thread, as we are also operating a service that allows for device certificate login for users configured to require one: https://developer.apple.com/forums/thread/767374
The author seems to have resolved the issue but the fix mentioned in the thread did not resolve our problem for iOS devices with iOS 18.2.x installed and the contents of that private support ticket are, of course, not visible to us. Furthermore, we have a different issue that surfaced with the release of iOS 18.3.x.
Namely, the issue in iOS 18.3.x is more severe than the one in iOS 18.2.x, in that instead of simply taking a long time for the certificate/identity selection dialog to appear, it simply fails immediately and is returning a “no certificate selected” response to our server.
One thing to note here is that, curiously, if we wait for several seconds (about 10-15 seconds) this behavior is not replicated. So, it seems there is potentially something going in the background, and the certificate selection process will only occur successfully like before if we wait. This is a very unideal workaround.
After entering user credentials, we have the user navigate to a dedicated certificate authentication page. On the BIG IP side, upon users visiting this page, we have it configured to apply an SSL profile that contains appropriate CAs for the given user, and then requests to the browser that a new connection requiring a certificate be made.
We are investigating this by checking logs in in a variety of places:
- We can verify in BigIP logs that a response is being returned to the server without a certificate included. For the sake of our application, this is handled as a “user did not select a certificate” event, and thus the attempted login is failed. Using the MacOS “Console” application, we are able to see the following logs from the “trustd” process of the target iOS 18.3.x device:
Failure case:
debug 11:19:49.648581+0900 trustd XPC [com.apple.WebKit[1034]/1#25 LF=0] operation: trust_evaluate (8)
debug 11:19:49.648766+0900 trustd complex trust settings anchor
Successful case (after waiting 10-15 seconds after initial login page load/before moving to certificate page):
debug 11:26:02.803153+0900 trustd XPC [MobileSafari[1031]/1#169 LF=0] operation: trust_evaluate (8)
debug 11:26:02.804219+0900 trustd non ev score: 121 <private>
There appears to be no attempt by MobileSafari to initiate the display of a certificate selection window in the failure cases. The iOS device is swift to return a response with no certificate selected to Big IP, and the result of “no certificate selected” is thus propagated through Big IP and ultimately to our web service.
Does anyone have any advice or information on the following?
- Recommended tools to gather more data that may be pertinent.
- Any ideas on changes in iOS 18.2.x+ that could have resulted in the behavior changing as described above?
If more information is necessary, I will do my best to supply it. Thank you in advance!