This question is best asked visually, but the verbiage is: is it possible (within the scope, and confines of, modern browser/server technology), to verify that a "secure" SSL/TLS connection established to my own server is done so using a known ("correct"/"secure") trust chain, on the client's side?
I.e.:
How can I accept this (assuming I am github.com):
While (politely?) declining this:
Or, in other words, Verifying the TLS Certificate Chain ~~With Openssl~~, but in-band (without access to the openssl executable, or anything besides the connection itself)?