curl-tracker Archives

[curl:feature-requests] #83 Authority Information Access certificate extension (AIA) support

From: Daniel Stenberg <bagder_at_users.sf.net>
Date: Thu, 04 Dec 2014 22:23:07 +0000

- **summary**: feature request: Authority Information Access certificate extension (AIA) support --> Authority Information Access certificate extension (AIA) support

---
**[feature-requests:#83] Authority Information Access certificate extension (AIA) support**
**Status:** open
**Created:** Mon Dec 01, 2014 05:31 PM UTC by Arkadiusz Miskiewicz
**Last Updated:** Thu Dec 04, 2014 10:22 PM UTC
**Owner:** nobody
Feature request:
Please consider adding support for the Authority Information Access certificate extension (AIA).
AIA can provide various things like CRLs but, more importantly, information about intermediate CA certificates that can allow the validation path to be fulfilled.
Example site that uses certificate with AIA extension:
>$ curl --version
>curl 7.39.0 (x86_64-pld-linux-gnu) libcurl/7.39.0 OpenSSL/1.0.1j zlib/1.2.8 c-ares/1.10.0 libidn/1.29 libssh2/1.4.3 librtmp/2.3
>Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
>Features: AsynchDNS IDN IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz TLS-SRP Metalink
>$ curl --cacert /etc/certs/ca-certificates.crt https://ftp.ruby-lang.org/
>curl: (60) SSL certificate problem: unable to get local issuer certificate
If you try the same URL with Firefox or Google Chrome, then the certificate will be validated fine. That's because these browsers look into AIA and fetch the intermediate certificate found there:
>$ openssl s_client -host ftp.ruby-lang.org -port 443 2>&1 | openssl x509 -in /dev/stdin -text | grep -A3 "Authority Informa"
>            Authority Information Access:
>                CA Issuers - URI:http://secure.globalsign.com/cacert/gsdomainvalsha2g2r1.crt
>                OCSP - URI:http://ocsp2.globalsign.com/gsdomainvalsha2g2
curl could do a similar thing to Firefox/Google Chrome and fetch that intermediate gsdomainvalsha2g2r1.crt cert, thus allowing validation to pass.
---
Received on 2014-12-04
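
The AIA lookup described in the request above, sketched as shell functions (an added example, not part of the original mail and not curl code; all function names are hypothetical). It assumes a single missing intermediate reachable over plain http, as in the ftp.ruby-lang.org case, and treats the fetched certificate as untrusted input so the chain still has to end at a local trust anchor.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not part of curl.

# Read `openssl x509 -text` output on stdin, print the CA Issuers URIs.
# The URI comes from a certificate that is not yet validated, so only
# plain http:// values are accepted and any other scheme is dropped.
aia_ca_issuers() {
    sed -n 's|^[[:space:]]*CA Issuers - URI:\(http://[^[:space:]]*\)[[:space:]]*$|\1|p'
}

# Fetch one issuer certificate and print it as PEM. CAs normally serve
# DER at this URI; PEM is tried as a fallback. A timeout and a size
# limit are requested so a hostile URI cannot stall the caller.
fetch_issuer_pem() {
    tmp=$(mktemp) || return 1
    curl --silent --fail --proto '=http' --max-time 10 \
         --max-filesize 65536 --output "$tmp" "$1" &&
        { openssl x509 -inform DER -in "$tmp" 2>/dev/null ||
          openssl x509 -inform PEM -in "$tmp"; }
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# verify_with_aia LEAF.pem CA_BUNDLE.pem
# The fetched certificate is passed only as -untrusted: it can complete
# the path, but the chain must still end at an anchor in CA_BUNDLE.pem.
verify_with_aia() {
    leaf=$1; bundle=$2
    uri=$(openssl x509 -in "$leaf" -noout -text | aia_ca_issuers | head -n 1)
    [ -n "$uri" ] || { echo "no http CA Issuers URI in $leaf" >&2; return 2; }
    inter=$(mktemp) || return 1
    fetch_issuer_pem "$uri" > "$inter" &&
        openssl verify -CAfile "$bundle" -untrusted "$inter" "$leaf"
    rc=$?
    rm -f "$inter"
    return "$rc"
}

# AIA lines as quoted in the request above, used to exercise the parser offline.
sample_aia_text() {
    cat <<'EOF'
            Authority Information Access:
                CA Issuers - URI:http://secure.globalsign.com/cacert/gsdomainvalsha2g2r1.crt
                OCSP - URI:http://ocsp2.globalsign.com/gsdomainvalsha2g2
EOF
}
```
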