(Posting without links...I think that the links are causing me to get blocked)
In doing a quick scan of the traffic that the device generates during SCEP registration, it appears that the “+” and “/” characters are no longer being %-encoded in iOS 11. In iOS 10 and earlier, they were %-encoded.
This actually appears to be a bug in iOS 11…according to the specification for SCEP, the last paragraph of section 4.1 reads:
When using GET messages to communicate binary data, base64 encoding
as specified in [2] MUST be used. The base64 encoded data is
distinct from "base64url" and may contain URI reserved characters,
thus it MUST be escaped as specified in [8] in addition to being
base64 encoded. Finally, the encoded data is inserted into the
MESSAGE portion of the HTTP GET request.
The reference "[8]" is RFC 2396 - and in section 3.4, it reads:
Within a query component, the characters ";", "/", "?", ":", "@",
"&", "=", "+", ",", and "$" are reserved.
This seems to indicate to me that Apple has actually broken something in iOS 11. I validated this by setting up a proxy that will replace all “+” and “/” characters in the message parameter with the appropriately-encoded values. Doing this *did* work, and I was able to register the profile.
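The rewrite described in the post, as an added example that is not the poster's proxy code: it percent-encodes the reserved characters in the `message` parameter of a SCEP GET query and shows what a receiver sees with and without the escaping. Assumptions: the receiver applies form-style query decoding (modelled here with Python's `parse_qs`, which turns "+" into a space), and the payload bytes and query string are constructed sample values.

```python
import base64
from urllib.parse import parse_qs, quote

# Constructed sample payload whose base64 form contains "+", "/" and "=".
PAYLOAD = b"\xfb\xef\xffSCEP"
B64 = base64.b64encode(PAYLOAD).decode("ascii")

# Query as sent without escaping (the behaviour the post reports for iOS 11).
RAW_QUERY = "operation=PKIOperation&message=" + B64


def escape_message_param(query: str) -> str:
    """Percent-encode reserved characters in the message= value only.

    Existing %XX escapes are left untouched ("%" is kept safe), so a query
    that was already escaped correctly passes through unchanged.
    """
    parts = []
    for pair in query.split("&"):
        name, sep, value = pair.partition("=")
        if name.lower() == "message":
            # Everything outside the unreserved set is escaped,
            # including "+", "/" and the "=" padding.
            value = quote(value, safe="%")
        parts.append(name + sep + value)
    return "&".join(parts)


def server_view(query: str) -> str:
    """Return the message value as a form-decoding receiver would see it
    (assumed behaviour: "+" becomes a space, %XX is unescaped)."""
    return parse_qs(query)["message"][0]


if __name__ == "__main__":
    fixed = escape_message_param(RAW_QUERY)
    print("raw query  :", RAW_QUERY)
    print("server sees:", repr(server_view(RAW_QUERY)))
    print("fixed query:", fixed)
    print("server sees:", repr(server_view(fixed)))
    print("payload ok :", base64.b64decode(server_view(fixed)) == PAYLOAD)
```
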