Safari not displaying identity picker on iOS 18.3.x

I am posting here because we have an urgent issue affecting the operation of our service and are in need of a solution after our own analysis has come up with few answers.

Beginning in iOS 18.2.x, we experienced exactly the same issue as the author of this thread, as we are also operating a service that allows for device certificate login for users configured to require one: https://developer.apple.com/forums/thread/767374

The author seems to have resolved the issue but the fix mentioned in the thread did not resolve our problem for iOS devices with iOS 18.2.x installed and the contents of that private support ticket are, of course, not visible to us. Furthermore, we have a different issue that surfaced with the release of iOS 18.3.x.

Namely, the issue in iOS 18.3.x is more severe than the one in iOS 18.2.x, in that instead of simply taking a long time for the certificate/identity selection dialog to appear, it simply fails immediately and is returning a “no certificate selected” response to our server.

One thing to note here is that, curiously, if we wait for several seconds (about 10-15 seconds) this behavior is not replicated. So, it seems there is potentially something going on in the background, and the certificate selection process will only occur successfully like before if we wait. This is a very unideal workaround.

After entering user credentials, we have the user navigate to a dedicated certificate authentication page. On the BIG IP side, upon users visiting this page, we have it configured to apply an SSL profile that contains appropriate CAs for the given user, and then requests to the browser that a new connection requiring a certificate be made.

We are investigating this by checking logs in a variety of places:

  1. We can verify in BigIP logs that a response is being returned to the server without a certificate included. For the sake of our application, this is handled as a “user did not select a certificate” event, and thus the attempted login is failed.
  2. Using the macOS “Console” application, we are able to see the following logs from the “trustd” process of the target iOS 18.3.x device:

Failure case:

debug    11:19:49.648581+0900    trustd    XPC [com.apple.WebKit[1034]/1#25 LF=0] operation: trust_evaluate (8)

debug    11:19:49.648766+0900    trustd    complex trust settings anchor

Successful case (after waiting 10-15 seconds after initial login page load/before moving to certificate page):

debug   11:26:02.803153+0900    trustd  XPC [MobileSafari[1031]/1#169 LF=0] operation: trust_evaluate (8)
debug   11:26:02.804219+0900    trustd  non ev score: 121 <private>

There appears to be no attempt by MobileSafari to initiate the display of a certificate selection window in the failure cases. The iOS device is swift to return a response with no certificate selected to Big IP, and the result of “no certificate selected” is thus propagated through Big IP and ultimately to our web service.

Does anyone have any advice or information on the following?

  • Recommended tools to gather more data that may be pertinent.
  • Any ideas on changes in iOS 18.2.x+ that could have resulted in the behavior changing as described above?

If more information is necessary, I will do my best to supply it. Thank you in advance!
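For comparing captures side by side, the following is an added example (not part of the original post or of any Apple tooling) that pairs each `trust_evaluate` request in a Console text export with the calling process and the trustd messages that follow it. The function names and the whitespace-separated column layout are assumptions; the sample input is the four log lines quoted in the post.

```python
import re

# Sample input: the trustd lines quoted in the post, keyed by capture label.
SAMPLE = {
    "failure": """\
debug    11:19:49.648581+0900    trustd    XPC [com.apple.WebKit[1034]/1#25 LF=0] operation: trust_evaluate (8)
debug    11:19:49.648766+0900    trustd    complex trust settings anchor
""",
    "success": """\
debug   11:26:02.803153+0900    trustd  XPC [MobileSafari[1031]/1#169 LF=0] operation: trust_evaluate (8)
debug   11:26:02.804219+0900    trustd  non ev score: 121 <private>
""",
}

# Assumed export layout: level, timestamp, process, message.
LINE = re.compile(
    r"^(?P<level>\w+)\s+(?P<ts>\d\d:\d\d:\d\d\.\d+[+-]\d{4})\s+(?P<proc>\S+)\s+(?P<msg>.*)$"
)
# XPC request header: client process name, pid, and requested operation.
XPC = re.compile(
    r"^XPC \[(?P<client>[^\[\]]+)\[(?P<pid>\d+)\]/\S+ LF=\d+\] operation: (?P<op>\w+)"
)

def parse(text):
    """Yield (timestamp, message) for each trustd line; skip anything else."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m and m["proc"] == "trustd":
            yield m["ts"], m["msg"].strip()

def trust_evaluations(text):
    """Pair every XPC request with the trustd messages logged after it."""
    events = []
    for ts, msg in parse(text):
        x = XPC.match(msg)
        if x:
            events.append({"ts": ts, "client": x["client"], "pid": int(x["pid"]),
                           "op": x["op"], "followups": []})
        elif events:  # a message before any request has nothing to attach to
            events[-1]["followups"].append(msg)
    return events

def summarize(captures):
    """Map each capture label to (client, operation, follow-up messages) rows."""
    return {label: [(e["client"], e["op"], tuple(e["followups"]))
                    for e in trust_evaluations(text)]
            for label, text in captures.items()}

if __name__ == "__main__":
    for label, rows in summarize(SAMPLE).items():
        for client, op, followups in rows:
            print(f"{label:8} {client:18} {op} -> {'; '.join(followups) or '(none)'}")
```

On the quoted lines it shows that the request came from `com.apple.WebKit` in the failure capture and from `MobileSafari` in the successful one.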

Thanks for the post. Sorry for the delay. It seems like that could be an issue. Can you please file a bug? Even if the other developer already filed the bug, it would be useful for you to be able to track the issue.

Once you open the bug report, please post the FB number here for my reference.

If you have any questions about filing a bug report, take a look at Bug Reporting: How and Why?

Albert Pascual
  Worldwide Developer Relations.
