April King added the comment:

Browsers universally support AIA chasing/fetching, as do a number of underlying 
OS libraries, such as Secure Transport (macOS) and schannel (Windows).

As a result, it is becoming increasingly common for server operators to fail to 
include the entire certificate chain in their handshake. By some measures, 
anywhere from 10 to over 30% of all TLS errors(1) are caused by missing 
intermediate certificates.

There are a handful of ways that scanners and other tools have worked around 
this issue. Some, like SSL Labs, do their own AIA chasing. Others make 
subprocess calls to other tools linked to OS libraries which invisibly perform 
AIA chasing, such as curl on macOS. Others, like Firefox, maintain a cache of 
intermediate certificates.

In any case, all of these solutions are concessions to the reality that TLS is 
really hard and that it is largely impossible to solve this particular 
misconfiguration issue.

I myself write a popular tool(2) that does scanning of sites for missing 
security configurations. Although it's not explicitly focused on TLS, some of 
the underlying tests rely on a verified TLS connection.  For example, the HTTP 
Strict Transport Security (HSTS) header can only be set on valid TLS 
connections.  I use requests (which uses httplib underneath), but I'm unable to 
tell if a given certificate error is because of either:

a) the certificate validation actually failed (for example, due to being 
expired), or
b) there was a missing intermediate certificate and that things would have 
worked if AIA chasing was available

As a result, I have to tell people that their HSTS header can't be set. This is 
often incorrect, because browsers that do AIA chasing consider the connection 
perfectly secure for the purposes of HSTS.

It would be really nice if Python's httplib could be updated to do transparent 
AIA chasing, with the optional ability to turn it off. In an ideal world, the 
underlying TLS libraries (such as OpenSSL) would do this for us, but 
unfortunately as things stand now OpenSSL leaves it up to the applications 
themselves to perform chasing. According to Mozilla research (3), AIA chasing 
would reduce TLS errors by approximately 6% if it were always performed and 
successful.

Thanks!

1. https://docs.google.com/document/d/1ryqFMSHHRDERg1jm3LeVt7VMfxtXXrI8p49gmtniNP0/edit?pli=1
2. https://observatory.mozilla.org/
3. https://bugzilla.mozilla.org/show_bug.cgi?id=399324#c80

----------
nosy: +april
title: TLS and Intermediate Certificates -> AIA chasing for missing intermediate certificates on TLS connections

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue18617>
_______________________________________