Some HTTPS servers fail validation due to incomplete chains.
To Reproduce
Steps to reproduce the behaviour:
1. Include a link to a site which does not send the full chain, such as incomplete-chain.badssl.com
2. Run htmltest
3. Receive failures related to bad SSL
Expected behaviour
AIA servers generate a warning rather than an error given it will work on most browsers.
Actual behaviour
AIA servers fail TLS validation.
Versions
OS: OS X 10.14.6
htmltest: 0.10.3
Additional context
RFC 3280 (AIA) allows HTTPS servers to not send the full certificate chain when serving clients; instead, it is up to the client to fetch any intermediary certificates from the included URL. Testing with Safari and Chrome shows that they do this automatically; Firefox does not, likely due to the underlying use of OpenSSL, which leaves this to the application implementation for security. The Go x509 library does appear to have some level of support for AIA.
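An added example (not part of the issue and not htmltest's code) of how a link checker could separate "incomplete chain, AIA present" from other TLS failures with Go's crypto/x509, which parses the AIA issuer URLs into `Certificate.IssuingCertificateURL`. The certificates and the `ca.example.test` URL are constructed in memory and nothing is fetched; the helper names `issue` and `check` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue returns a constructed test certificate signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, aia []string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IssuingCertificateURL: aia}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced
	return cert, key
}

// check verifies leaf using only the intermediates the server sent. aiaWarning is true when verification
// failed with an unknown issuer and the leaf's AIA extension names where that issuer can be fetched.
func check(leaf *x509.Certificate, sent, roots *x509.CertPool) (valid, aiaWarning bool) {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: sent})
	var unknown x509.UnknownAuthorityError
	return err == nil, errors.As(err, &unknown) && len(leaf.IssuingCertificateURL) > 0
}

func main() {
	root, rootKey := issue("Constructed Root", true, nil, nil, nil)
	inter, interKey := issue("Constructed Intermediate", true, nil, root, rootKey)
	leaf, _ := issue("site.example.test", false, []string{"http://ca.example.test/inter.crt"}, inter, interKey)
	bare, _ := issue("noaia.example.test", false, nil, inter, interKey)
	roots, sent := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	sent.AddCert(inter)
	fmt.Println(check(leaf, nil, roots))  // false true: incomplete chain with AIA, report a warning
	fmt.Println(check(leaf, sent, roots)) // true false: full chain sent
	fmt.Println(check(bare, nil, roots))  // false false: no AIA to chase, report an error
}
```

In a real checker the `sent` pool would be filled from `tls.ConnectionState.PeerCertificates[1:]`, and the warning path applies only when the unknown-issuer error is the failure reported.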