> On Aug 31, 2015, at 6:56 PM, Florian Weimer <fwei...@redhat.com> wrote:
>
> On 08/31/2015 05:54 PM, Martin Thomson wrote:
>> On 31 August 2015 at 05:02, Florian Weimer <fwei...@redhat.com> wrote:
>>> MUST NOT automatically complete incomplete chains
>>
>> Um, no. I realize that this is a feature that is hard for others to
>> replicate, but being able to reach sites is important to people. All
>> browsers do this, and I don't see any reason to stop.
>
> The reason to stop is that people only test with long-running, well-used
> browser profiles, and it is difficult to explain to them that things
> don't work if you just installed a fresh system. I lost countless hours
> to that. As in other cases, browsers papering over site configuration
> errors causes ecosystem damage.

I feel the pain (I know some administrators who have made this mistake), but it’s always best to test with something like “openssl s_client”.

Yoav

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
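
What a client with no cached intermediates sees when a server omits one, as an added example that is not part of the original thread. It builds a constructed root, intermediate and leaf offline and uses `openssl verify -untrusted` to stand in for the chain a server sends; `build_pki`, `chain_ok` and `check_both` are hypothetical helper names.

```shell
# Constructed PKI for illustration: root -> intermediate -> leaf, made-up names.
build_pki() {
    d=$1
    # Own minimal config, so nothing depends on the system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/o.cnf"
    for n in root int leaf; do
        openssl req -new -config "$d/o.cnf" -newkey rsa:2048 -nodes \
            -keyout "$d/$n.key" -out "$d/$n.csr" \
            -subj "/CN=constructed-$n" 2>/dev/null || return 1
    done
    # Self-signed root; root signs the intermediate; intermediate signs the leaf.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/o.cnf" -extensions v3_ca -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 1 -extfile "$d/o.cnf" -extensions v3_ca \
        -out "$d/int.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# chain_ok ROOT LEAF [SENT_CHAIN]: succeed only if LEAF chains to the trusted
# ROOT using nothing but the certificates in SENT_CHAIN (what a server sends).
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Verify the same leaf twice: as sent by a misconfigured server (leaf only)
# and as sent by a correctly configured one (leaf plus intermediate).
check_both() {
    t=$(mktemp -d) || return 1
    build_pki "$t" || { rm -rf "$t"; return 1; }
    chain_ok "$t/root.pem" "$t/leaf.pem" && a=ok || a=fail
    chain_ok "$t/root.pem" "$t/leaf.pem" "$t/int.pem" && b=ok || b=fail
    rm -rf "$t"
    echo "leaf-only=$a with-intermediate=$b"
}

check_both
```

Against a live server, `openssl s_client -connect host:443 -showcerts` (with `host` as a placeholder) prints the certificates the server actually sends, which is the input `chain_ok` models here.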