Safari added many identity references into Keychain for same domain and certificate

Originator:aefimov.box
Number:rdar://FB9423370 Date Originated:29/07/2021
Status:Open Resolved:
Product:Safari Product Version:14.1.2 (16611.3.10.1.3)
Classification:Protocol/TLS Reproducible:Often/Always
 
If you have some site or domain, that required client certificate, then Safari will created Idetity References in Keychain in follow format:
Name: "https://sample.apple.com (com.apple.Safari)"
Where: "https://sample.apple.com (com.apple.Safari)"

But if someone send you a link to this service:  https://sample.apple.com/foo/bar/page/link?some=param and you opened that link, then Safari may ask about certificate or may not and use existing one "https://sample.apple.com (com.apple.Safari)". If it ask again, then Safari will add into Keychain second one Identity Reference:
Name: "https://sample.apple.com/foo/bar/page/link?some=param (com.apple.Safari)"
Where: "https://sample.apple.com/foo/bar/page/link?some=param (com.apple.Safari)"

You can repeat this for different URLs on this domain, and as result you will get many many Identity References inside your Keychain. It starts messed up and as result your Safari may start refuse SSL connection at all. You will not able to login into site.

For always reproduce try start with empty Keychain but from not root of site. Just go on some page inside this site: https://sample.apple.com/foo/bar/page/link?some=param. In this case Safari will ask you about certificate any time when you will visit site and end up with total mess in Keychain with unable to establish SSL connection at all.

Comments

NGO QUANG THONG

By quangthongngo1981 at June 22, 2024, 5:45 p.m. (reply...)

Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!