[issue18617] AIA chasing for missing intermediate certificates on TLS connections

2021-02-02 Thread Ofek Lev


Ofek Lev  added the comment:

Any update on this?

--
nosy: +Ofekmeister

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue18617] AIA chasing for missing intermediate certificates on TLS connections

2018-02-26 Thread Christian Heimes

Change by Christian Heimes :


--
assignee: docs@python -> christian.heimes
stage:  -> needs patch
versions: +Python 3.8 -Python 3.7




[issue18617] AIA chasing for missing intermediate certificates on TLS connections

2017-05-17 Thread Alex Gaynor

Alex Gaynor added the comment:

Just discussed with Christian, and we're both in favor of adding AIA chasing 
support to the stdlib ssl.

--
nosy: +alex, janssen




[issue18617] AIA chasing for missing intermediate certificates on TLS connections

2017-05-17 Thread April King

April King added the comment:

Err, sorry, I may have been a bit unclear.  AIA chasing is not *universal* 
amongst browsers.  IE, Edge, Chrome, and Safari perform AIA chasing.  Firefox 
maintains a cache of intermediate certificate authorities.  I noted that a bit 
further underneath, but my apologies if it was confusing.

That said, every browser has chosen some underlying method to ameliorate 
this common TLS error.  It would be amazing if Python could similarly resolve 
this issue for developers.

--




[issue18617] AIA chasing for missing intermediate certificates on TLS connections

2017-05-17 Thread April King

April King added the comment:

Browsers universally support AIA chasing/fetching, as do a number of underlying 
OS libraries, such as Secure Transport (macOS) and schannel (Windows).

As a result, it is becoming increasingly common for server operators to fail to 
include the entire certificate chain in their handshake. By some measures, 
anywhere from 10 to over 30% of all TLS errors(1) are caused by missing 
intermediate certificates.

There are a handful of ways that scanners and other tools have worked around 
this issue. Some, like SSL Labs, do their own AIA chasing. Others make 
subprocess calls to other tools linked to OS libraries which invisibly perform 
AIA chasing, such as curl on macOS. Others, like Firefox, maintain a cache of 
intermediate certificates.

In any case, all of these solutions are a concession to the reality that TLS is 
really hard and that it is largely impossible to solve this particular 
misconfiguration issue.

I myself write a popular tool(2) that does scanning of sites for missing 
security configurations. Although it's not explicitly focused on TLS, some of 
the underlying tests rely on a verified TLS connection.  For example, the HTTP 
Strict Transport Security (HSTS) header can only be set on valid TLS 
connections.  I use requests (which uses httplib underneath), but I'm unable to 
tell if a given certificate error is because of either:

a) the certificate validation actually failed (for example, due to being 
expired), or
b) there was a missing intermediate certificate and that things would have 
worked if AIA chasing was available

As a result, I have to tell people that their HSTS header can't be set. This is 
often incorrect, because browsers that do AIA chasing consider the connection 
perfectly secure for the purposes of HSTS.

It would be really nice if Python's httplib could be updated to do transparent 
AIA chasing, with the optional ability to turn it off. In an ideal world, the 
underlying TLS libraries (such as OpenSSL) would do this for us, but 
unfortunately as things stand now OpenSSL leaves it up to the applications 
themselves to perform chasing. According to Mozilla research (3), it would 
reduce TLS errors by approximately 6% if AIA chasing were always performed and 
successful.

Thanks!

1. 
https://docs.google.com/document/d/1ryqFMSHHRDERg1jm3LeVt7VMfxtXXrI8p49gmtniNP0/edit?pli=1
2. https://observatory.mozilla.org/
3. https://bugzilla.mozilla.org/show_bug.cgi?id=399324#c80

--
nosy: +april
title: TLS and Intermediate Certificates -> AIA chasing for missing 
intermediate certificates on TLS connections

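The two halves of the request above, as an added example written for this page (it is not code from CPython's ssl module, from requests, or from the Observatory): telling a missing-intermediate failure apart from a genuine validation failure using the OpenSSL verify code that Python 3.7+ attaches to ssl.SSLCertVerificationError, and reading the caIssuers URL out of the leaf's Authority Information Access extension with a small DER walker so the intermediate can be fetched and the handshake retried. The chase_aia helper, the example.test URLs and the certificate-shaped DER built by sample_leaf_der are constructed for this example; chase_aia needs network access and is not exercised by the offline sample.

```python
"""AIA chasing helpers (added example; not CPython's ssl module code)."""
import socket
import ssl
import urllib.request

# OID value bytes (content of the DER OBJECT IDENTIFIER, without tag and length).
AIA_OID = bytes.fromhex("2b06010505070101")         # 1.3.6.1.5.5.7.1.1  id-pe-authorityInfoAccess
OCSP_OID = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1 id-ad-ocsp
CA_ISSUERS_OID = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2 id-ad-caIssuers

# OpenSSL verify codes meaning "the issuer of a cert in the chain could not be found",
# the only failure AIA chasing can repair. 20 is what a bare leaf with no intermediate yields.
MISSING_ISSUER_CODES = {2, 20}  # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, ..._LOCALLY


def classify_verify_error(exc):
    """'missing_intermediate' if AIA chasing could help, else 'other' (expired, hostname, untrusted root)."""
    return "missing_intermediate" if getattr(exc, "verify_code", None) in MISSING_ISSUER_CODES else "other"


def der_tlv(tag, body):
    """Encode one DER tag-length-value (used here only to build the constructed sample)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def der_children(body):
    """Yield (tag, value) for each TLV in a DER constructed body (low-tag-number form, which
    covers every tag that occurs in an X.509 certificate)."""
    pos = 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length octets
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        yield tag, body[pos:pos + length]
        pos += length


def find_extension(body, oid):
    """Depth-first search for Extension { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
    and return the raw extnValue bytes, or None if the certificate has no such extension."""
    for tag, value in der_children(body):
        if tag & 0x20:  # constructed node: SEQUENCE or an [n] EXPLICIT wrapper such as [3] Extensions
            kids = list(der_children(value))
            if tag == 0x30 and kids and kids[0] == (0x06, oid) and kids[-1][0] == 0x04:
                return kids[-1][1]
            found = find_extension(value, oid)
            if found is not None:
                return found
    return None


def aia_urls(cert_der):
    """Return {'caIssuers': [...], 'ocsp': [...]} URIs from a DER certificate's AIA extension."""
    urls = {"caIssuers": [], "ocsp": []}
    extn_value = find_extension(cert_der, AIA_OID)
    if extn_value is None:
        return urls
    _, access_descriptions = next(der_children(extn_value))  # AuthorityInfoAccessSyntax SEQUENCE
    for _, desc in der_children(access_descriptions):        # AccessDescription { method, location }
        (_, method), (loc_tag, location) = list(der_children(desc))[:2]
        if loc_tag != 0x86:  # only GeneralName uniformResourceIdentifier [6]; skip directoryName etc.
            continue
        key = {CA_ISSUERS_OID: "caIssuers", OCSP_OID: "ocsp"}.get(method)
        if key:
            urls[key].append(location.decode("ascii"))
    return urls


def chase_aia(hostname, port=443, timeout=10):
    """Verify normally; if only an intermediate is missing, fetch it via caIssuers and retry once.
    Hypothetical, network-dependent helper; not exercised by the offline sample below."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout) as sock, \
                ctx.wrap_socket(sock, server_hostname=hostname):
            return "verified", []
    except ssl.SSLCertVerificationError as exc:
        if classify_verify_error(exc) != "missing_intermediate":
            raise  # expired, wrong name, untrusted root: AIA cannot fix these, report them as they are
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # unverified connection, used only to read the leaf's AIA
    probe.check_hostname, probe.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((hostname, port), timeout) as sock, \
            probe.wrap_socket(sock, server_hostname=hostname) as tls:
        leaf = tls.getpeercert(binary_form=True)
    fetched = []
    for url in aia_urls(leaf)["caIssuers"]:
        if not url.startswith("http://"):  # caIssuers is plain HTTP by convention; skip ldap/https/file
            continue
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            data = resp.read(256 * 1024)  # the URL came from an unverified cert: bound what we read
        # cadata takes DER bytes or a PEM string; assumes the URL serves one certificate, not a PKCS#7 bundle
        ctx.load_verify_locations(cadata=data if data[:1] == b"\x30" else data.decode("ascii"))
        fetched.append(url)
    with socket.create_connection((hostname, port), timeout) as sock, \
            ctx.wrap_socket(sock, server_hostname=hostname):
        return "verified_after_aia", fetched


def sample_leaf_der():
    """Constructed certificate-shaped DER (version, serial, extensions, sigalg, signature) for offline
    use; it is not a real, signed certificate."""
    aia = der_tlv(0x30,
                  der_tlv(0x30, der_tlv(0x06, OCSP_OID) + der_tlv(0x86, b"http://ocsp.example.test"))
                  + der_tlv(0x30, der_tlv(0x06, CA_ISSUERS_OID)
                            + der_tlv(0x86, b"http://pki.example.test/intermediate.cer")))
    key_usage = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("551d0f")) + der_tlv(0x01, b"\xff")
                        + der_tlv(0x04, der_tlv(0x03, b"\x05\xa0")))  # critical, unrelated extension first
    extensions = der_tlv(0xA3, der_tlv(0x30, key_usage + der_tlv(0x30, der_tlv(0x06, AIA_OID)
                                                                 + der_tlv(0x04, aia))))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + extensions)
    return der_tlv(0x30, tbs + der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
                   + der_tlv(0x03, b"\x00" * 5))
```

Two points a scanner author should keep in mind. The fetched certificate is added to the context's store with load_verify_locations, not made a trust anchor: unless VERIFY_X509_PARTIAL_CHAIN is set in ctx.verify_flags, OpenSSL still requires the chain to end at a self-signed root that was already trusted, so a bogus intermediate served from the caIssuers URL simply fails the retry. And because the caIssuers URL is read from a certificate that has not been verified yet, it is attacker-controlled input: the read is bounded and the connection carries a timeout, and only http:// locations are followed.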