Qualys SSL Server Test: An issue which is not – “Chain issue: Contains anchor”


What if the most popular SSL Server Test (from Qualys) reports that your site has a “Chain issue: Contains anchor”?

[Screenshot: SSL Labs report showing “Chain issues: Contains anchor”]

Orange colored “Chain issues” on an SSL testing site? That has to be important. Too bad there’s no information dialog… So you go and read one of the many SSL/TLS RFCs to find out that:

…the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it…

OK, so what does MAY mean?

MAY   This word, or the adjective “OPTIONAL”, mean that an item is truly optional…

So again, the number 1 SSL testing site keeps reporting “Chain issues” that have very little to do with security, and the only real-life impact is an additional 1 kB of data sent to clients during the SSL handshake, which the specification treats as neutral.
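As an added example (not from the original post): a small Python script that parses the “Certificate chain” section of `openssl s_client -showcerts` output, flags a chain that carries its own self-signed root (the condition SSL Labs labels “Contains anchor”) and sizes what that root adds to every handshake. The chain text is constructed here with base64 filler bodies, not real certificates, and self-signed is approximated by subject equal to issuer.

```python
import base64
import re


def _filler(lines):
    # Base64 filler standing in for a certificate body; NOT a real certificate.
    return ("A" * 64 + "\n") * lines


# Constructed sample in the layout `openssl s_client -showcerts` prints:
# leaf, intermediate, and a self-signed root (the anchor) served last.
SAMPLE_SHOWCERTS = (
    "Certificate chain\n"
    " 0 s:CN = www.example.test\n"
    "   i:CN = Example Intermediate CA\n"
    "-----BEGIN CERTIFICATE-----\n" + _filler(2) + "-----END CERTIFICATE-----\n"
    " 1 s:CN = Example Intermediate CA\n"
    "   i:CN = Example Root CA\n"
    "-----BEGIN CERTIFICATE-----\n" + _filler(2) + "-----END CERTIFICATE-----\n"
    " 2 s:CN = Example Root CA\n"
    "   i:CN = Example Root CA\n"
    "-----BEGIN CERTIFICATE-----\n" + _filler(24) + "-----END CERTIFICATE-----\n"
)

ENTRY_RE = re.compile(
    r"^\s*(\d+) s:(?P<subject>[^\n]*)\n\s*i:(?P<issuer>[^\n]*)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----\n)",
    re.MULTILINE | re.DOTALL,
)


def parse_showcerts(text):
    """Return the served chain as a list of {subject, issuer, pem}, in order."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def is_self_signed(cert):
    """Heuristic: issuer equal to subject marks a root. A real check verifies
    the signature with the certificate's own public key."""
    return cert["subject"].strip() == cert["issuer"].strip()


def der_size(pem):
    """Bytes the certificate occupies on the wire (DER, not PEM)."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return len(base64.b64decode(b64))


def chain_report(text):
    """Return (contains_anchor, anchor_bytes): whether the chain includes a
    self-signed root and how many handshake bytes that root costs."""
    anchors = [c for c in parse_showcerts(text) if is_self_signed(c)]
    return (True, der_size(anchors[0]["pem"])) if anchors else (False, 0)
```

Against real output, `contains_anchor` is the SSL Labs finding and `anchor_bytes` is the entire cost of it.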

How is this not a false positive? Especially when sites like these are used mostly by people who don’t know much about SSL and its specifications.
