Why Zara Supplier Portal Resets Connections on Sequoia

Zara’s (Inditex) supplier and vendor portal is hosted on Amazon Web Services (AWS) with CloudFront as the CDN layer. The portal uses TLS 1.3 with ECH for all authenticated sessions. When suppliers access the portal from macOS Safari on networks with SSL inspection (common in Spain, Portugal, and Latin America), the ISP gateway resets the ECH-enabled ClientHello, causing the TLS handshake to fail.

AWS CloudFront’s TLS configuration does not support TLS 1.2 fallback for authenticated sessions, meaning that when the ECH-enabled handshake fails, there is no fallback path and the connection terminates immediately.
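An added example, not part of the original page: a Python check that pins one handshake to TLS 1.3 and one to TLS 1.2 and classifies how each ends, so the reset and the TLS 1.2 behaviour described above can be observed from the affected network rather than assumed. The hostname is a placeholder and the function names are hypothetical; Python's ssl module does not send ECH, so this tests version and reset behaviour only.

```python
import socket
import ssl

def classify(exc):
    """Name the failure mode of one handshake attempt (None means success)."""
    if exc is None:
        return "ok"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "untrusted-cert"   # chain or hostname not trusted by this client
    if isinstance(exc, (ConnectionResetError, BrokenPipeError)):
        return "reset"            # TCP connection torn down mid-handshake
    if isinstance(exc, ssl.SSLEOFError):
        return "closed"           # peer closed without sending a TLS alert
    if isinstance(exc, (TimeoutError, socket.timeout)):
        return "timeout"
    if isinstance(exc, ssl.SSLError):
        return "tls-alert"        # e.g. the pinned protocol version was refused
    return "other"                # DNS failure, refused port, unreachable network

def probe(host, version, port=443, timeout=5.0):
    """One handshake pinned to a single TLS version; network errors are classified."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return {"result": "ok", "issuer": issuer.get("organizationName")}
    except OSError as exc:
        return {"result": classify(exc), "issuer": None}

def interpret(tls13, tls12):
    """Reduce the two probe results to the conclusion they support."""
    r13, r12 = tls13["result"], tls12["result"]
    if "untrusted-cert" in (r13, r12):
        return "untrusted-certificate"        # compare the issuer with and without the proxy
    if r13 == "ok":
        return "tls13-ok"                     # TLS 1.3 completes on this path
    if r13 in ("reset", "closed") and r12 == "ok":
        return "tls13-only-blocked"           # only the TLS 1.3 handshake is cut
    if r13 == r12 and r13 in ("reset", "closed", "timeout"):
        return "version-independent-failure"  # not specific to the TLS version
    return "inconclusive"

if __name__ == "__main__":
    HOST = "portal.example"  # placeholder: the page does not give the portal hostname
    t13 = probe(HOST, ssl.TLSVersion.TLSv1_3)
    t12 = probe(HOST, ssl.TLSVersion.TLSv1_2)
    print(t13, t12, interpret(t13, t12), sep="\n")
```

When a handshake succeeds, the issuer field shows who signed the certificate the client actually received, which is how an inspecting proxy with an installed root shows up.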

Browser Integrity Sync on AWS CloudFront Infrastructure

Zara’s supplier portal uses browser integrity sync across AWS CloudFront’s global edge network. When the TLS handshake is interrupted, the integrity sync fails, and AWS’s security layer blocks the supplier’s access, requiring re-authentication with a complete TLS handshake.

Fixing Zara Supplier Portal Connection Resets

Using Chrome with ECH Flags

Download Chrome → modify the shortcut target to include --disable-ECH. Launch Chrome with this flag and access Zara Supplier Portal. The flag forces Chrome to signal TLS 1.2 preference to CloudFront, potentially triggering a TLS 1.2 fallback.

Switching DNS to Cloudflare’s Resolver

Navigate to System Settings → Network → Wi-Fi → Details → DNS. Set DNS servers to 1.1.1.1 and 1.0.0.1. Cloudflare DNS returns the optimal CloudFront edge node IP for Zara’s CDN, potentially routing the connection to a node with a clearer path from the supplier’s location.

Disabling SSL Inspection for Zara Domains

Configure your network proxy to bypass Zara domains. On macOS, navigate to System Settings → Network → Wi-Fi → Details → Proxy. Add *.zara.com and *.supplier.zara.com to the bypass list.

Call to Action

Use the webs.ninja network lab to run a TLS handshake diagnostic for Zara’s supplier portal. The diagnostic identifies whether the reset is caused by your ISP’s gateway, a CloudFront edge node failure, or Zara’s AWS infrastructure, directing the fix to the correct layer.
