Authority Information Access certificate extension (AIA) support #2793

captn3m0 opened this issue Jul 25, 2018 · 1 comment

note: This is a copy of an old feature request from the old bug tracker:

Please consider adding support for Authority Information Access certificate extension (AIA).

AIA can provide various things like CRLs but more importantly information about intermediate CA certificates that can allow the validation path to be fulfilled.

Example site that uses certificate with AIA extension:

    $ curl --version
    curl 7.39.0 (x86_64-pld-linux-gnu) libcurl/7.39.0 OpenSSL/1.0.1j zlib/1.2.8 c-ares/1.10.0 libidn/1.29 libssh2/1.4.3 librtmp/2.3
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
    Features: AsynchDNS IDN IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz TLS-SRP Metalink
    $ curl --cacert /etc/certs/ca-certificates.crt
    curl: (60) SSL certificate problem: unable to get local issuer certificate

If you try the same URL with Firefox or Google Chrome then the certificate will be validated fine. That's because these browsers look into AIA and fetch the intermediate certificate found there:

    $ openssl s_client -host -port 443 2>&1 | openssl x509 -in /dev/stdin -text | grep -A3 "Authority Informa"
    Authority Information Access:
    CA Issuers - URI:
    OCSP - URI:

curl could do a similar thing to Firefox/Google Chrome and fetch that intermediate gsdomainvalsha2g2r1.crt cert, thus allowing validation to pass.

/cc @arekm since he filed the original issue.
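
What the `openssl` output in the post above is reading, as an added example (not part of the original issue and not curl code): a minimal Python walk of the DER-encoded AIA extension value that pulls out the CA Issuers and OCSP URIs. The sample bytes, the `example.test` URLs and the helper names are constructed for illustration.

```python
"""Walk a DER AuthorityInfoAccessSyntax value (RFC 5280, section 4.2.2.1)."""
OID_OCSP = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1 id-ad-ocsp
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2 id-ad-caIssuers
TAG_SEQ, TAG_OID, TAG_URI = 0x30, 0x06, 0x86        # 0x86 = GeneralName [6] URI

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_aia(ext_value):
    """Map an AIA extension value to {'ca_issuers': [...], 'ocsp': [...]}."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != TAG_SEQ or end != len(ext_value):
        raise ValueError("expected exactly one outer SEQUENCE")
    out, pos = {"ca_issuers": [], "ocsp": []}, 0
    while pos < len(body):
        tag, desc, pos = read_tlv(body, pos)
        if tag != TAG_SEQ:
            raise ValueError("AccessDescription must be a SEQUENCE")
        m_tag, method, p = read_tlv(desc, 0)
        l_tag, location, p = read_tlv(desc, p)
        if m_tag != TAG_OID or p != len(desc):
            raise ValueError("malformed AccessDescription")
        key = {OID_CA_ISSUERS: "ca_issuers", OID_OCSP: "ocsp"}.get(method)
        if key and l_tag == TAG_URI:  # ignore unknown methods and non-URI names
            out[key].append(location.decode("ascii"))
    return out

def _tlv(tag, value):  # encoder used only to build the constructed sample (short lengths)
    return bytes([tag, len(value)]) + value

# Constructed sample: one caIssuers entry and one OCSP entry.
_ISSUER = _tlv(TAG_SEQ, _tlv(TAG_OID, OID_CA_ISSUERS)
               + _tlv(TAG_URI, b"http://ca.example.test/intermediate.crt"))
_OCSP = _tlv(TAG_SEQ, _tlv(TAG_OID, OID_OCSP) + _tlv(TAG_URI, b"http://ocsp.example.test/"))
SAMPLE_AIA = _tlv(TAG_SEQ, _ISSUER + _OCSP)

if __name__ == "__main__":
    print(parse_aia(SAMPLE_AIA))
```

The URI comes from a certificate that has not yet been validated, so a client that follows it must treat the fetched certificate as untrusted input and still build the chain to a trusted root.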


bagder commented Jul 25, 2018

This is a tracker for bugs, not feature-requests. This issue will thus subsequently be closed. Good features to add could be added to the TODO document.

I believe Firefox doesn't support AIA, but it caches intermediate certs which is a primary reason why some HTTPS sites work with Firefox and not curl. I believe Chrome supports it.

@bagder bagder closed this as completed in 1fb8048 Jul 28, 2018
falconindy pushed a commit to falconindy/curl that referenced this issue Sep 10, 2018
@lock lock bot locked as resolved and limited conversation to collaborators Oct 26, 2018