Ingest servers with missing TLS intermediate certs by following X.509 Authority Information Access (AIA) hints.
Summary:
Some forges have TLS certificate delivery that works in browsers but not in curl, and not in any SWH lister. The cause is that the server sends only its own (leaf) certificate and omits the intermediate CA certificate, relying instead on the leaf's X.509 Authority Information Access (AIA) extension (RFC 5280, section 4.2.2.1), whose "CA Issuers" entry gives a URL from which the missing issuer certificate can be downloaded. Browsers (or the OS certificate verifiers they rely on) fetch the intermediate from that URL and complete the chain; curl and openssl do not, so verification fails with "unable to get local issuer certificate", and the tools SWH uses probably do not do it either. Strictly the server is misconfigured, since a TLS server is expected to send its intermediate certificates itself, so this task is about a client-side workaround. An example server whose leaf certificate carries AIA records:
$ openssl s_client -connect git2.networks.imdea.org:443 -servername git2.networks.imdea.org < /dev/null 2> /dev/null | openssl x509 -noout -text | grep -A3 "Authority Information Access"
Authority Information Access:
OCSP - URI:http://ocsp.godaddy.com/
CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt
X509v3 Authority Key Identifier:
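As an added example (not SWH's code and not the page author's), the shell script below builds a throwaway root -> intermediate -> leaf chain with openssl, gives the leaf an AIA "CA Issuers" URI, and then plays the client: it shows that verifying the leaf alone fails exactly as curl and openssl do against such a forge, extracts the CA Issuers URI with the same grep as above, "downloads" the intermediate, and verifies again with the fetched certificate supplied only as untrusted input. The CA names, the host git.example.test and the repository URL http://certificates.example.test/repository/ are made up, and the HTTP fetch is replaced by a lookup in a local directory so the script runs offline; a real lister would use curl or a Python HTTP client there. The chase is bounded to three hops because an intermediate may itself carry an AIA hint.

```shell
#!/bin/sh
# Added example, not SWH code: simulate a server that sends only its leaf
# certificate and complete the chain by following the AIA CA Issuers hint.
# Everything here (CA names, hostname, repository URL) is constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

REPO_URL="http://certificates.example.test/repository"   # hypothetical CA repository
REPO_DIR="$WORK/repo"                                    # stands in for that web server
AIA_URL="$REPO_URL/intermediate.crt"
MAX_HOPS=3                                               # cap on AIA fetches per chain

# Minimal openssl config: req insists on a distinguished_name section even with -subj.
cat > x509.cnf <<EOF
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name (ignored, -subj is used)
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:git.example.test
authorityInfoAccess = caIssuers;URI:$AIA_URL
EOF

# Root CA (the only thing the client trusts).
openssl req -x509 -new -config x509.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null
# Intermediate CA, signed by the root.
openssl req -new -config x509.cnf -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout intermediate.key -out intermediate.csr 2>/dev/null
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
    -extfile x509.cnf -extensions ca_ext -out intermediate.pem 2>/dev/null
# Leaf for the forge, signed by the intermediate, carrying the AIA hint.
openssl req -new -config x509.cnf -newkey rsa:2048 -nodes -subj "/CN=git.example.test" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
    -days 2 -extfile x509.cnf -extensions leaf_ext -out leaf.pem 2>/dev/null
# Publish the intermediate the way CA repositories usually do: as DER.
mkdir -p "$REPO_DIR"
openssl x509 -in intermediate.pem -outform DER -out "$REPO_DIR/intermediate.crt"

# Print the CA Issuers URIs from a certificate's AIA extension; OCSP entries are skipped.
aia_ca_issuers() {
    openssl x509 -in "$1" -noout -text |
        grep -A3 'Authority Information Access' |
        sed -n 's/^[[:space:]]*CA Issuers - URI://p'
}

# Stand-in for the HTTP fetch curl would do; only the constructed repository is served.
fetch_url() {
    case "$1" in
        "$REPO_URL"/*) cat "$REPO_DIR/${1##*/}" ;;
        *) echo "refusing to fetch $1" >&2; return 1 ;;
    esac
}

# Verify LEAF against CAFILE; while the chain is incomplete, follow the newest
# certificate's CA Issuers URI and append the result to the untrusted POOL.
# Fetched certificates are never trusted by themselves: trust comes from CAFILE only.
chase_aia() {
    local leaf="$1" cafile="$2" pool="$3" hops=0 newest="$1" url der
    : > "$pool"
    while :; do
        if [ -s "$pool" ]; then
            openssl verify -CAfile "$cafile" -untrusted "$pool" "$leaf" >/dev/null 2>&1 && return 0
        else
            openssl verify -CAfile "$cafile" "$leaf" >/dev/null 2>&1 && return 0
        fi
        [ "$hops" -lt "$MAX_HOPS" ] || return 1
        url=$(aia_ca_issuers "$newest" | head -n1)
        [ -n "$url" ] || return 1
        der="$pool.hop$hops"
        fetch_url "$url" > "$der" || return 1
        # Repositories usually serve DER; accept PEM as well.
        openssl x509 -inform DER -in "$der" -out "$der.pem" 2>/dev/null ||
            openssl x509 -inform PEM -in "$der" -out "$der.pem" 2>/dev/null || return 1
        cat "$der.pem" >> "$pool"
        newest="$der.pem"
        hops=$((hops + 1))
    done
}

# 1. What curl/openssl see today: the leaf alone does not chain to the root.
if openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; then
    echo "unexpected: leaf verified without the intermediate" >&2; exit 1
fi
echo "direct verify: failed (no intermediate); AIA CA Issuers: $(aia_ca_issuers leaf.pem)"
# 2. Follow the hint and verify again.
chase_aia leaf.pem root.pem chain.pem && echo "verify after AIA chase: OK" || echo "AIA chase failed"
```

In a lister or loader the fetch step is the sensitive part: the URL comes from an unauthenticated certificate, so it should get a short timeout, a size cap and the same hop limit as above, and the response must only ever be fed in as an untrusted intermediate, never added to the trust store.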
Plan:
- Implement mechanism
- Modify loaders
- Modify listers
- docker: Run lister
- docker: Run loader
- Document lister
- Document loader
- Deploy on staging
- Call for public review
- Deploy on production
- Reopen affected AFNR: #360 #422 #436 #498
Edited by Paul Wise