Qualys Blog

www.qualys.com
Ivan Ristic

SSL Labs Now Showing Multiple Certificate Chains

When we originally designed the SSL Labs report, we allowed room for only one certificate per server. Even though it was technically possible to support multiple certificates for a single host, only a small number of web servers supported it and nobody was actually doing it. Why would they? RSA worked well, and cryptography wasn’t as important as it is today.

But, over the years, people started deploying RSA and ECDSA certificates in parallel. These days, many web servers support this option and it’s not at all uncommon to find such web sites. SSL Labs has always collected all observed certificates, but they were not shown in the report. When we started to work on the v3 API, we made changes to expose all the certificates. Now, finally (as of 1.25.2), they appear in the main report as well.

To accommodate the additional certificates, we had to make some changes to the page design. The SSL Labs report was very long even before this change, and adding more certificates would mean much more data. So, in an attempt to show less, we’ve decided to hide certificate trust paths by default. We think this is information that most people won’t look for anyway, and those who do can still find it.

This change marks another milestone; for the first time, SSL Labs requires JavaScript for its full functionality. I know, it’s not really relevant, but still. For a really long time I liked the idea of providing a useful service without having to use any “bells and whistles”. But we move on!

3 responses to “SSL Labs Now Showing Multiple Certificate Chains”

  1. Just a suggestion, but you could perhaps mitigate the JavaScript requirement by adding a link for no-JS browsers to expand all certificate reports all at once.

  2. At least you show the “collapsed” content when JavaScript is disabled. So, as far as I’m concerned, it is still fully functional without JavaScript. However, it would be nice if you only displayed the JavaScript controls when JavaScript is enabled.

  3. Just another suggestion, although a little off topic:
    Consider getting an EV certificate for the SSL Labs site, to make the data being viewed from the tests a bit more verifiable. The alternative SSL testing site High-Tech Bridge has a green bar certificate.
    On Firefox and Chrome, a green bar identifying the site’s organization means that the connection has not been tampered with by any sort of SSL inspection proxy, as those browsers do not allow user-defined roots to sign EV certificates or their CA chains.
