Describe the bug
Some HTTPS servers fail validation due to incomplete chains.
To Reproduce
Steps to reproduce the behaviour:
Include a link to a site which does not send the full chain such as incomplete-chain.badssl.com
Run htmltest
Receive failures related to bad SSL
Expected behaviour
AIA servers generate a warning rather than an error given it will work on most browsers.
Actual behaviour
AIA servers fail TLS validation.
Versions
OS: OS X 10.14.6
htmltest: 0.10.3
Additional context
RFC3280 (AIA) allows HTTPS servers to not send the full certificate chain when serving clients; instead, it is up to the client to fetch any intermediary certificates from the included URL. Testing with Safari and Chrome shows that they do this automatically; Firefox does not, likely due to the underlying use of OpenSSL, which leaves this to the application implementation for security. The Go x509 library does appear to have some level of support for AIA.
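The AIA fallback described in this report, as an added Go example (not code from htmltest or from the reporter): `verifyWithAIA` retries verification with intermediates fetched from the leaf's CA Issuers URLs and reports whether the retry was needed, so a checker can warn instead of fail. The helper names, the `fetch` callback, the certificates and `http://aia.example/inter.cer` are constructed for the example; `fetch` stands in for an HTTP GET so it runs offline.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// verifyWithAIA (hypothetical helper): verify leaf; only if its issuer is unknown, fetch the
// AIA "CA Issuers" URLs and retry once. viaAIA=true means incomplete chain, repairable: warn.
func verifyWithAIA(leaf *x509.Certificate, roots *x509.CertPool, fetch func(string) ([]byte, error)) (viaAIA bool, err error) {
	opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool()}
	_, err = leaf.Verify(opts)
	if _, unknown := err.(x509.UnknownAuthorityError); !unknown {
		return false, err // already valid (nil), or a failure AIA cannot fix
	}
	for _, u := range leaf.IssuingCertificateURL {
		der, _ := fetch(u) // a failed fetch leaves der nil, which fails to parse
		if ic, perr := x509.ParseCertificate(der); perr == nil {
			opts.Intermediates.AddCert(ic) // untrusted: must still chain to roots
		}
	}
	_, err = leaf.Verify(opts)
	return err == nil, err
}

// issue makes a constructed test certificate signed by parent (self-signed if parent is nil).
func issue(cn string, ca bool, aia []string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		IsCA: ca, BasicConstraintsValid: true, IssuingCertificateURL: aia, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

func main() { // the server sent only the leaf; fetch is an offline stand-in for an HTTP GET
	root, rk := issue("Constructed Root", true, nil, nil, nil)
	inter, ik := issue("Constructed Intermediate", true, nil, root, rk)
	leaf, _ := issue("leaf.example", false, []string{"http://aia.example/inter.cer"}, inter, ik)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	fmt.Println(verifyWithAIA(leaf, roots, func(string) ([]byte, error) { return inter.Raw, nil }))
}
```

A real `fetch` should use a short timeout and cap the response size, because the URL is taken from a certificate that has not been validated yet.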