Certificate validation fails when using AIA #130

Closed
tomtom5152 opened this issue Dec 2, 2019 · 0 comments · Fixed by #131
Describe the bug

Some HTTPS servers fail validation due to incomplete chains.

To Reproduce

Steps to reproduce the behaviour:

  1. Include a link to a site which does not send the full chain such as incomplete-chain.badssl.com
  2. Run htmltest
  3. Receive failures related to bad SSL

Expected behaviour

AIA servers generate a warning rather than an error given it will work on most browsers.

Actual behaviour

AIA servers fail TLS validation.

Versions

  • OS: OS X 10.14.6
  • htmltest: 0.10.3

Additional context

RFC3280 (AIA) allows HTTPS servers to not send the full certificate chain when serving clients; instead, it is up to the client to fetch any intermediary certificates from the included URL. Testing with Safari and Chrome shows that they do this automatically; Firefox does not, likely due to the underlying use of OpenSSL, which leaves this to the application implementation for security. The Go x509 library does appear to have some level of support for AIA.
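
An added example, not htmltest's code and not the change in #131, of how the warning-versus-error split requested above can be decided with Go's `crypto/x509`: a missing issuer on a leaf that carries an AIA caIssuers URL (`Certificate.IssuingCertificateURL`) is reported as `warn-aia`, and every other verification failure stays a hard `fail`. The function names, certificate names and the `ca.example` URL are assumptions, and all certificates are constructed in-process so the program runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue makes a constructed test certificate signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, aia []string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, IssuingCertificateURL: aia} // aia = caIssuers URLs
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// classify verifies leaf against roots using only the intermediates the server sent (may be nil).
func classify(leaf *x509.Certificate, roots, sent *x509.CertPool) string {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: sent}); err == nil {
		return "ok"
	} else if errors.As(err, new(x509.UnknownAuthorityError)) && len(leaf.IssuingCertificateURL) > 0 {
		return "warn-aia" // issuer not found, but an AIA-fetching client could complete the chain
	}
	return "fail" // expired, wrong usage, or unknown issuer with no AIA hint
}
// demo: incomplete chain with AIA, complete chain, incomplete chain without AIA.
func demo() [3]string {
	root, rk := issue("Constructed Root", true, nil, nil, nil)
	mid, mk := issue("Constructed Intermediate", true, nil, root, rk)
	withAIA, _ := issue("leaf.example", false, []string{"http://ca.example/mid.crt"}, mid, mk)
	noAIA, _ := issue("plain.example", false, nil, mid, mk)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	full := x509.NewCertPool()
	full.AddCert(mid)
	return [3]string{classify(withAIA, roots, nil), classify(withAIA, roots, full), classify(noAIA, roots, nil)}
}
func main() { r := demo(); println(r[0], r[1], r[2]) }
```

The check only reads the AIA URL and never fetches it, so the result says that the chain could plausibly be completed, not that it has been validated.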
