« SSL Server Survey: what data are we collecting? | Main | Internet SSL Survey 2010 is here! »

SSL Labs 1.0.63: Detection and reporting of certificate chain issues

July 13, 2010

The latest revision of the SSL Labs assessment engine (v1.0.63) adds several improvements in the area of certificate chains:

  • The engine will now try to download missing intermediate certificates. Although sites are supposed to configure complete certificate chains, many forget to do that, and their sites fail to work properly as a result.
  • Chain size and length are reported in the user interface, which makes it easy to spot ridiculously long chains.
  • Incomplete chain certificates are reported. This is the case where the engine was able to locate missing intermediate certificates elsewhere and establish trust.
  • Certificate chains that are too long are reported. It turns out that quite a few sites have chains that are longer than necessary. Such setups not only waste bandwidth, they make the overall site performance worse too.
  • Incorrectly ordered chains are reported too. Although most browsers will deal with this problem, some SSL clients are sensitive to the issue.