[openssl-users] Intermediate certificates

Kurt Roeckx kurt at roeckx.be
Tue Jan 27 22:14:20 UTC 2015


On Tue, Jan 27, 2015 at 11:42:51PM +0300, Serj wrote:
> 
> > It is unfortunate that browsers "lend a helping hand" to such sites.
> So, you want to say that browsers trust connections that don't provide intermediate certs during the SSL handshake?
> As far as I know, most browsers also have intermediate certs in their stores, as built-in objects and as received during handshakes.
> That's why any documentation on how to set intermediate certificates for my SSL connections would be very much needed.

What browsers do is cache the intermediate certificates.  If a
site fails to send them, the browser can still find them in its
cache and use those cached intermediate certificates to do the
validation.

If the missing intermediate certificate is not cached, the site
will not work in the browser.  But if you then visit a site that
has the same intermediate certificate and does send it, and then
go back to the broken site, it will suddenly work.

Browsers have too many workarounds for broken sites, which results
in those sites not actually getting fixed.


Kurt


