I have put together a little GitHub Java project to help us explore the logout problem. We can use this to file bug reports to the browser vendors. This is just a first attempt to explore the space with a minimal Jetty browser. The README explains how it works.
What I have found so far could be useful:
- Chromium and Safari on OSX can be gotten to ask for a new certificate
- Firefox and Opera cannot. Even if the server tells them the certificate is broken (I think that is what is being done by throwing the exception), those browsers send the same certificate. That is clearly an error, as even normal clients may choose by mistake an invalid certificate.
But perhaps there are other tools we should be using. Any ideas? Looking for SSL Experts to help out here :-)