On Tue, Jan 27, 2015 at 11:42:51PM +0300, Serj wrote: > > > It is unfortunate that browsers "lend a helping hand" to such sites. > So, you want to say that browsers trust connections that don't provide > intermediate certs during SSL handhake? > As I know most browsers have also intermediate certs in their stores as > builtin objects and also as received during handshakes. > That's why any documentation how to set intermediate certificates for my SSL > connections will be very needed.
What browsers do is cache the intermediate certificates. If a sites fails to send them, the browser can still find it in it's cache and use those cached intermediate certificates to do the validation. If the missing intermediate certificate is not cached the site will not work in the browser. But if you then visit a site that has the same intermediate certificate that does send it, and then go back to the broken site it will suddenly work. Browsers have too many work arounds for broken sites which results in those sites not actually getting fixed. Kurt _______________________________________________ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
