2

We run an e-commerce site. Last week we renewed our SSL certificate and our web hosting provider inexplicably put the wrong web address on the new certificate.

So when we visited the site, browsers were giving us security errors (and presumably to any customers during that time).

Once the SSL was fixed, we were able to access the site by either clearing the browser cache or using a different browser.

My question is: Will browsers automatically reset the cache after a period of time for our customers?

My concern is, unless customers manually clear their browser cache they will continue to think our site is unsafe.

Mus
johnC

1 Answer

3

There is no such thing as an SSL cache for failed attempts. If the browser connects first to a site with HTTPS it will get the certificate and validate it. If the validation was successful the browser might cache the current TLS session for reconnects - but only if the server sends a session ID or session ticket for the TLS session. If the validation and thus the connection fails the browser caches nothing. And even if the browser tries to resume a TLS session later it depends on the server if this resumption is accepted at all - otherwise again a full handshake is done which involves getting and validating the certificate.

While you don't describe it this way I rather suspect that there was a wrong HTTP redirect, i.e. something like redirecting from http://example.com to https://wrong.example.org instead of to https://www.example.com. Given the problems you describe this was likely a 301 "permanent" redirect which means that the browser can cache this redirect forever. See How long do browsers cache HTTP 301s? for more on this.

Steffen Ullrich
  • I think you're on the right track with this. When I test our non-www domain with SSLLabs.com, the security certificate says 'Expired', and shows the previous certificate still. When I test the www version, the certificate says it's ok. I'm suspecting for anyone who visited the site when it was down, their browser still has the incorrect redirect cached. Unfortunately, our platform provider, Network Solutions, has proven to not know or care about basic web standards, so it wouldn't surprise me if something isn't set up correctly on there that could fix this problem. – johnC Oct 03 '18 at 13:58
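An added example, not part of the original answer or comments: a small Python audit of recorded redirect responses that flags redirects pointing at an unexpected host which a browser may keep reusing. The hop data is constructed, the function names are hypothetical, and only `Cache-Control` is evaluated (an `Expires` header is ignored).

```python
import math
from urllib.parse import urljoin, urlsplit

# Constructed sample hops: (request URL, status, response headers), as could be
# transcribed from `curl -sI` output. Hostnames follow the answer's placeholders.
SAMPLE_HOPS = [
    ("http://example.com/", 301, {"Location": "https://wrong.example.org/"}),
    ("http://example.com/shop", 301,
     {"Location": "https://www.example.com/shop", "Cache-Control": "max-age=3600"}),
    ("http://example.com/cart", 302, {"Location": "/basket"}),
    ("http://example.com/old", 308,
     {"location": "https://www.example.com/new", "cache-control": "no-store"}),
]

HEURISTICALLY_CACHEABLE = {301, 308}  # may be stored without explicit freshness


def cache_lifetime(status, headers):
    """Seconds a browser may reuse the redirect: 0, N, or math.inf (no limit given)."""
    h = {k.lower(): v for k, v in headers.items()}
    directives = [d.strip().lower() for d in h.get("cache-control", "").split(",")]
    if "no-store" in directives or "no-cache" in directives:
        return 0
    for d in directives:
        if d.startswith("max-age="):
            try:
                return max(int(d.split("=", 1)[1]), 0)
            except ValueError:
                return 0  # malformed max-age: treat as not reusable
    return math.inf if status in HEURISTICALLY_CACHEABLE else 0


def audit_redirects(hops, expected_hosts):
    """Return one finding per redirect hop, flagging wrong hosts that stay cached."""
    findings = []
    for url, status, headers in hops:
        h = {k.lower(): v for k, v in headers.items()}
        if not 300 <= status < 400 or "location" not in h:
            continue
        target = urlsplit(urljoin(url, h["location"])).hostname  # resolves relative Location
        lifetime = cache_lifetime(status, headers)
        findings.append({
            "from": url, "status": status, "target_host": target,
            "lifetime": lifetime,
            "wrong_host": target not in expected_hosts,
            "sticky_wrong": target not in expected_hosts and lifetime > 0,
        })
    return findings
```

A finding with `sticky_wrong` set and a lifetime of `math.inf` corresponds to the case the answer describes: a 301 to the wrong host with no freshness limit, which visitors' browsers may keep following after the server is corrected.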