Download missing certificates using Authority Information Access extension
When we receive an incomplete certificate chain, as on the following domains:
- https://complaint.consumerfinance.gov/
- https://clave.gob.es (fixed)
- https://muny.org (fixed)
- https://discourse.cdn.osmc.network/ (fixed)
- https://investors.centene.com/ (fixed)
- https://speedqueen.com/ (fixed)
- https://covid19risk.biosci.gatech.edu/ (fixed)
- https://linuxone.cloud.marist.edu/ (fixed)
- https://www.vdh.virginia.gov/ (fixed)
- https://support.weather.com/ (fixed)
- https://www.rustoleum.com/
- https://locations.schnucks.com/ (fixed)
- https://betterbuildingssolutioncenter.energy.gov/
- https://faq.usps.com/
- https://www.waterheaterrecall.com/ (fixed)
- https://search.nfrc.org/ (fixed)
- https://danigm.net/ (fixed)
- https://token.services.mozilla.com/ (fixed)
- https://www.amica.com/ (fixed)
- https://playstation.com/ (fixed)
- https://www.axiomupgrades.com/
- https://archive.org/ (fixed)
- https://rewardcenter.att.com/
We should use the Authority Information Access (AIA) extension of the server certificate, specifically its id-ad-caIssuers access method, whose URI says where the issuer's certificate can be downloaded, to look up the missing intermediate certificate. If the chain is still broken after that, use the AIA of the first intermediate to look up its signer, and so on, until we reach a certificate whose issuer is already in the trust store (or a self-signed root).
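The walk described above, as an added example that is not glib-networking or GnuTLS code: a small DER parser pulls the caIssuers URIs out of an AIA extension value, and a chain builder follows them with the three safeguards a practitioner would want, namely plain http:// only (an https:// fetch would need another TLS handshake and could recurse), never fetching the same URL twice, and a depth limit. Certificates are simplified dicts, the fetcher is a lookup table standing in for HTTP GET, the sample certificates and the `MAX_AIA_DEPTH` value are constructed for this example, and the stop-at-trust-anchor rule is an assumption about how the loop should terminate.

```python
from urllib.parse import urlsplit

OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"   # id-ad-caIssuers (RFC 5280 4.2.2.1)
OID_OCSP = "1.3.6.1.5.5.7.48.1"         # id-ad-ocsp, also lives in AIA but is not a cert URL
MAX_AIA_DEPTH = 5                       # assumed cap on fetched intermediates


# --- minimal DER helpers, just enough for AuthorityInfoAccessSyntax ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                        # base-128 with continuation bits, high group first
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def _decode_oid(raw):
    arcs, v = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def make_aia(entries):
    """Encode [(accessMethod OID, URI)] as an AuthorityInfoAccessSyntax DER value."""
    return _tlv(0x30, b"".join(
        _tlv(0x30, _tlv(0x06, _encode_oid(m)) + _tlv(0x86, u.encode("ascii")))
        for m, u in entries))


def ca_issuer_urls(aia_der):
    """Return the caIssuers URIs ([6] uniformResourceIdentifier) in an AIA value."""
    tag, body, _ = _read_tlv(aia_der, 0)
    if tag != 0x30:
        raise ValueError("AIA value is not a SEQUENCE")
    urls, pos = [], 0
    while pos < len(body):
        _, ad, pos = _read_tlv(body, pos)               # AccessDescription
        mtag, method, p = _read_tlv(ad, 0)              # accessMethod OID
        ltag, loc, _ = _read_tlv(ad, p)                 # accessLocation GeneralName
        if mtag == 0x06 and ltag == 0x86 and _decode_oid(method) == OID_CA_ISSUERS:
            urls.append(loc.decode("ascii"))
    return urls


def build_chain(leaf, fetch, trusted, max_depth=MAX_AIA_DEPTH):
    """Follow caIssuers links from `leaf` until its issuer is a trust anchor.

    fetch(url) stands in for a plain HTTP GET and returns a cert dict or None.
    Returns (chain, complete).  Only http:// URLs are followed, no URL is
    fetched twice, and at most `max_depth` intermediates are appended.
    """
    chain, fetched = [leaf], set()
    while True:
        top = chain[-1]
        if top["issuer"] in trusted or top["issuer"] == top["subject"]:
            return chain, True
        if len(chain) > max_depth:          # depth limit: stop rather than walk forever
            return chain, False
        nxt = None
        for url in ca_issuer_urls(top.get("aia") or make_aia([])):
            if urlsplit(url).scheme != "http" or url in fetched:
                continue                    # no TLS recursion, no URL loops
            fetched.add(url)
            cand = fetch(url)
            if cand is not None and cand["subject"] == top["issuer"]:
                nxt = cand
                break
        if nxt is None:                     # nothing usable: chain stays broken
            return chain, False
        chain.append(nxt)


# Constructed sample "certificates"; the intermediate's AIA points back at itself.
INTERMEDIATE = {"subject": "Example Intermediate CA", "issuer": "Example Root CA",
                "aia": make_aia([(OID_CA_ISSUERS, "http://ca.example/intermediate.der")])}
LEAF = {"subject": "www.example", "issuer": "Example Intermediate CA",
        "aia": make_aia([(OID_OCSP, "http://ocsp.example"),
                         (OID_CA_ISSUERS, "https://ca.example/intermediate.der"),
                         (OID_CA_ISSUERS, "http://ca.example/intermediate.der")])}
REPOSITORY = {"http://ca.example/intermediate.der": INTERMEDIATE}   # fake CA repository


def fetch_from_repository(url):
    return REPOSITORY.get(url)


if __name__ == "__main__":
    chain, ok = build_chain(LEAF, fetch_from_repository, trusted={"Example Root CA"})
    print([c["subject"] for c in chain], ok)
```

Two caveats apply to any real implementation of this. The AIA URL comes from an unverified server certificate, so it is attacker-influenced: the downloaded certificate is only a candidate, and the normal chain validation (signature, name constraints, validity, trust anchor) still has to run over the completed chain before anything is trusted. And the fetch must go through an HTTP path that cannot itself trigger certificate verification, which is exactly the recursion the http://-only rule above is meant to rule out.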
I already landed a huge amount of work towards fixing this recently in #6 (closed).
Next step is to fix #89, which requires refactoring all of glib-networking. Details in #89 (comment 579521). I'm partly done with that already, but it will take a couple more months.
Then we need to fix https://gitlab.com/gnutls/gnutls/issues/202, which should be comparatively easy because we don't have to rewrite all of GnuTLS to fix it.
Once all that is handled, this should be relatively straightforward to solve in glib-networking. We just need to be sure we don't wind up in an infinite loop where a new TLS connection is created to look up a certificate that's needed for a new TLS connection created to look up a certificate... so we should investigate how other browsers handle this. Maybe we should only allow lookup via http:// or somehow set a depth limit.