
Authority Information Access certificate extension (AIA) support #2793

Closed
captn3m0 opened this Issue Jul 25, 2018 · 1 comment


captn3m0 commented Jul 25, 2018

note: This is a copy of an old feature request from the old bug tracker: https://sourceforge.net/p/curl/feature-requests/83/

Please consider adding support for Authority Information Access certificate extension (AIA).

AIA can provide various things like CRLs but, more importantly, information about intermediate CA certificates that allows the validation path to be fulfilled.

Example site that uses a certificate with the AIA extension:

    $ curl --version
    curl 7.39.0 (x86_64-pld-linux-gnu) libcurl/7.39.0 OpenSSL/1.0.1j zlib/1.2.8 c-ares/1.10.0 libidn/1.29 libssh2/1.4.3 librtmp/2.3
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
    Features: AsynchDNS IDN IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz TLS-SRP Metalink
    $ curl --cacert /etc/certs/ca-certificates.crt https://ftp.ruby-lang.org/
    curl: (60) SSL certificate problem: unable to get local issuer certificate

If you try the same URL with Firefox or Google Chrome, the certificate is validated fine. That's because these browsers look into AIA and fetch the intermediate certificate found there:

    $ openssl s_client -host ftp.ruby-lang.org -port 443 2>&1 | openssl x509 -in /dev/stdin -text | grep -A3 "Authority Informa"
    Authority Information Access:
    CA Issuers - URI:http://secure.globalsign.com/cacert/gsdomainvalsha2g2r1.crt
    OCSP - URI:http://ocsp2.globalsign.com/gsdomainvalsha2g2

curl could do a similar thing to Firefox/Google Chrome and fetch that intermediate gsdomainvalsha2g2r1.crt cert, thus allowing validation to pass.

/cc @arekm since he filed the original issue.
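The failure mode described in the report above, reproduced offline as an added example (this is not code from the issue or from the curl project): the script builds a root -> intermediate -> leaf chain with openssl, writes an AIA extension into the leaf with a CA Issuers URI and an OCSP URI (both hypothetical hostnames under example.test; nothing is fetched over the network), then shows that verifying the leaf against the root alone fails with the same "unable to get local issuer certificate" error curl reports, and succeeds once the intermediate that the AIA pointer names is supplied. The `aia_ca_issuers` helper extracts exactly the URI an AIA-aware client would follow to obtain that intermediate.

```shell
#!/bin/sh
# Added example, not code from the curl issue or the curl project: build a
# root -> intermediate -> leaf chain with openssl, give the leaf an AIA
# extension, and show verification failing with only the root trusted and
# succeeding once the intermediate the AIA points at is supplied.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hypothetical URLs written into the AIA extension; nothing is fetched over
# the network in this example.
CA_ISSUERS_URL="http://pki.example.test/intermediate.crt"
OCSP_URL="http://ocsp.example.test/"

gen_chain() {
  # Self-signed root with explicit CA extensions (shared with the intermediate).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null

  # Intermediate CA signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null

  # Leaf signed by the intermediate, carrying an AIA extension with a
  # CA Issuers URI (where the intermediate could be fetched) and an OCSP URI.
  printf 'basicConstraints=CA:FALSE\nauthorityInfoAccess=caIssuers;URI:%s,OCSP;URI:%s\n' \
    "$CA_ISSUERS_URL" "$OCSP_URL" >"$WORK/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ftp.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# Print the CA Issuers URI from a certificate's AIA extension: the pointer an
# AIA-aware client follows to obtain a missing intermediate.
aia_ca_issuers() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*CA Issuers - URI:\(.*\)$/\1/p'
}

# Verify the leaf with only the root trusted, i.e. the situation curl is in
# when the server sends no intermediate. Prints "ok" or "fail".
verify_root_only() {
  if openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Verify again with the intermediate supplied as an untrusted chain cert,
# which is what fetching the AIA CA Issuers URL would provide.
verify_with_intermediate() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/leaf.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

gen_chain
echo "AIA CA Issuers URI: $(aia_ca_issuers "$WORK/leaf.crt")"
echo "root only:          $(verify_root_only)"
echo "root+intermediate:  $(verify_with_intermediate)"
```

Running `openssl verify` without `>/dev/null` in the root-only case prints `error 20 at 0 depth lookup: unable to get local issuer certificate`, which is the libcurl/OpenSSL condition behind curl's exit code 60 above. An AIA-fetching client would take the URI returned by `aia_ca_issuers`, download the DER or PEM certificate it points at, and pass it to the verifier the way `-untrusted` does here; a client that does not (or a cache that is cold) needs the server to include the intermediate in its handshake.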


Member

bagder commented Jul 25, 2018

This is a tracker for bugs, not feature requests. This issue will thus subsequently be closed. Good features to add could be added to the TODO document.

I believe Firefox doesn't support AIA, but it caches intermediate certs which is a primary reason why some HTTPS sites work with Firefox and not curl. I believe Chrome supports it.

@bagder bagder closed this in 1fb8048 Jul 28, 2018

@lock lock bot locked as resolved and limited conversation to collaborators Oct 26, 2018
