noxxi / p5-io-socket-ssl

IO::Socket::SSL Perl Module

Add support for Authority Information Access (AIA) certificate extension. #96

Closed mschout closed 3 years ago

mschout commented 3 years ago

It would be nice if IO::Socket::SSL provided support for AIA, which among other things, provides a way to fetch the intermediate certificates in the certificate chain if the server does not provide them.

E.g.: pacer.uscourts.gov only provides its own certificate, but not the intermediate (DigiCert Global CA G2). The certificate it provides has this in the AIA extension:

            Authority Information Access: 
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertGlobalCAG2.crt

So the application in theory could know to fetch the intermediate certificate from the issuer URL and that would complete the certificate chain for verification.

This is possibly tricky to get right, I realize, and perhaps goes beyond the scope of IO::Socket::SSL itself. Chrome, Firefox, and I believe Edge already implement this.
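The fetch-the-issuer step described above, written out as an added example that is not code from this issue or from IO::Socket::SSL. It is in Go rather than Perl because Go's standard library exposes the AIA caIssuers field (`IssuingCertificateURL`), can check that a candidate really signed the certificate pointing at it (`CheckSignatureFrom`), and builds chains (`Verify`) without extra dependencies. The root/intermediate/leaf hierarchy is generated at run time, the `example.test` names and caIssuers URL are assumptions standing in for the DigiCert ones quoted above, and the in-memory `served` map stands in for the CA's HTTP server so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical caIssuers URL standing in for the DigiCert one quoted in the issue.
const intermediateURL = "http://cacerts.example.test/ExampleIntermediateCA.crt"

func check(err error) {
	if err != nil {
		panic(err) // only used while building the constructed test hierarchy
	}
}

// mustIssue generates a key for tmpl and signs it under parent (self-signed when parent is nil).
func mustIssue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// buildPKI constructs root -> intermediate -> leaf. Only the leaf carries the AIA
// caIssuers pointer, as the pacer.uscourts.gov certificate quoted in the issue does.
func buildPKI() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	now := time.Now()
	tmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	root, rootKey := mustIssue(tmpl(1, "Example Root CA"), nil, nil)
	inter, interKey := mustIssue(tmpl(2, "Example Intermediate CA"), root, rootKey)
	leafTmpl := tmpl(3, "www.example.test")
	leafTmpl.IsCA, leafTmpl.KeyUsage = false, x509.KeyUsageDigitalSignature
	leafTmpl.DNSNames = []string{"www.example.test"}
	leafTmpl.IssuingCertificateURL = []string{intermediateURL} // the "CA Issuers - URI" entry
	leaf, _ := mustIssue(leafTmpl, inter, interKey)
	return root, inter, leaf
}

// fetchIssuer retrieves one caIssuers URL and accepts the result only if it really
// signed cur. The URL came from a not-yet-verified certificate, so the response is
// untrusted input; only DER is handled here, real CAs may also serve PEM or PKCS#7.
func fetchIssuer(cur *x509.Certificate, url string, fetch func(string) ([]byte, error)) (*x509.Certificate, error) {
	der, err := fetch(url)
	if err != nil {
		return nil, err
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return c, cur.CheckSignatureFrom(c) // non-nil error: c is not cur's issuer
}

// completeChainViaAIA follows AIA caIssuers pointers upward from leaf and returns the
// issuers fetched, nearest first. maxDepth bounds the fetches a hostile chain can
// trigger. Nothing fetched is trusted until Verify links the chain to a root.
func completeChainViaAIA(leaf *x509.Certificate, fetch func(string) ([]byte, error), maxDepth int) ([]*x509.Certificate, error) {
	var issuers []*x509.Certificate
	for cur := leaf; len(issuers) < maxDepth; {
		if len(cur.IssuingCertificateURL) == 0 || cur.CheckSignatureFrom(cur) == nil {
			return issuers, nil // nothing to follow, or already at a self-signed root
		}
		var next *x509.Certificate
		var err error
		for _, u := range cur.IssuingCertificateURL {
			if next, err = fetchIssuer(cur, u, fetch); err == nil {
				break
			}
		}
		if err != nil {
			return issuers, fmt.Errorf("no usable caIssuers for %q: %w", cur.Subject.CommonName, err)
		}
		issuers = append(issuers, next)
		cur = next
	}
	return issuers, fmt.Errorf("AIA chain longer than %d issuers", maxDepth)
}

// RunDemo verifies the leaf twice: first with only what the server sent (the leaf
// alone), then with the issuers obtained by following its AIA caIssuers pointer.
func RunDemo() (leafOnly error, fetched int, withAIA error) {
	root, inter, leaf := buildPKI()
	roots := x509.NewCertPool()
	roots.AddCert(root) // the trust store holds the root only, as a client's would
	served := map[string][]byte{intermediateURL: inter.Raw}
	fetch := func(u string) ([]byte, error) { // stand-in for an HTTP GET of the caIssuers URL
		if der, ok := served[u]; ok {
			return der, nil
		}
		return nil, fmt.Errorf("fetch %s: not found", u)
	}
	opts := x509.VerifyOptions{DNSName: "www.example.test", Roots: roots, Intermediates: x509.NewCertPool()}
	_, leafOnly = leaf.Verify(opts) // fails: the leaf's issuer is neither sent nor trusted
	issuers, err := completeChainViaAIA(leaf, fetch, 4)
	if err != nil {
		return leafOnly, 0, err
	}
	for _, c := range issuers {
		opts.Intermediates.AddCert(c) // what a complete server chain would have provided
	}
	_, withAIA = leaf.Verify(opts)
	return leafOnly, len(issuers), withAIA
}

func main() {
	leafOnly, n, withAIA := RunDemo()
	fmt.Printf("leaf only: %v\nissuers via AIA: %d\nwith AIA: %v\n", leafOnly, n, withAIA)
}
```

With only the leaf, `Verify` fails with an unknown-authority error; after the caIssuers fetch supplies the intermediate it succeeds, which is the whole effect the issue asks for. Two things the example makes visible that a real implementation has to live with: the URL is attacker-controlled data from an unverified certificate, so the fetch must be restricted to plain `http://`, bounded in size and time, and its result accepted only after `CheckSignatureFrom` and a full `Verify` against the trust store; and the fetch is a network round trip made from inside certificate validation, which is what makes it awkward for a library that also has to validate on non-blocking sockets.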

noxxi commented 3 years ago

I don't see this in scope for IO::Socket::SSL. The server is supposed to provide the full certificate chain, not only the leaf certificate. And from my understanding Firefox does not support it either, which can be verified when visiting a site having a broken chain with a fresh Firefox profile. Firefox seems to work around such broken sites by caching previously seen intermediate certificates though. Chrome makes more of an effort to work around such broken sites; it might use AIA for this. But none of the common programming languages, libraries, etc. use AIA, i.e. not Python, Java, curl, wget, ... whatever. They all break when chain certificates are missing. Moreover, supporting AIA would heavily complicate non-blocking support (which needs to do non-blocking certificate validation) and would also add dependencies on environments (proxy).