
SSL Labs now showing multiple certificate chains

November 22, 2016

When we originally designed the SSL Labs report, we allowed room for only one certificate per server. Even though it was technically possible to support multiple certificates for a single host, only a small number of web servers supported it and nobody was actually doing it. Why would they? RSA worked well and cryptography wasn’t as important as it is today.

But, over the years, people started deploying RSA and ECDSA certificates in parallel. These days, many web servers support this option and it’s not at all uncommon to find such web sites. Now, SSL Labs has always been collecting all observed certificates, but they were not shown in the report. When we started to work on the v3 API, we made changes to expose all the certificates. Now, finally (as of 1.25.2), they appear in the main report as well.

To accommodate the additional certificates, we had to make some changes to the page design. The SSL Labs report was very long even before this change, and adding more certificates would mean much more data. So, in an attempt to show less, we’ve taken a decision to hide certificate trust paths by default. We think this is information that most people won’t look for anyway, and those who do can still find it.

This change marks another milestone; for the first time, SSL Labs requires JavaScript for its full functionality. I know, it’s not really relevant, but still. For a really long time I liked the idea of providing a useful service without having to use any “bells and whistles”. But we move on!
