Problem with GlobalSign certificates in oss-fuzz docker base image

[matclab]

Hello,

According to this build log, curl is unable to verify the certificate chain issued by GlobalSign for embedtls.
The command : curl https://tls.mbed.org/download/mbedtls-2.16.0-apache.tgz says:

curl: (60) SSL certificate problem: unable to get local issuer certificate

I've got the same problem on several linux distribution (arch linux, ubuntu, debian…)

curl -v -k locally shows :

…
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=GB; ST=Cambridgeshire; L=Cambridge; O=Arm Ltd; CN=tls.mbed.org
*  start date: Feb 25 14:42:02 2020 GMT
*  expire date: May 13 15:41:05 2021 GMT
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
*  SSL certificate verify result: unable to get local issuer certificate (20)
…

[alex]

That's because tls.mbed.org is misconfigured. It's only serving the end-entity certificate, not the intermediate, as is required to verify a certificate chain properly.

If you're seeing tls.mbed.org load ok in Chrome, that's because Chrome performs AIA (Authority Information Access) chasing, where it attempts to go find missing intermediates. curl (and basically no other non-browser HTTP clients) perform AIA chasing, so they require servers to be properly configured:

https://www.ssllabs.com/ssltest/analyze.html?d=tls.mbed.org&latest

[matclab]

Thanks for the analysis.
I'll open an issue on their side and will report here.