note: This is a copy of an old feature request from the old bug tracker: https://sourceforge.net/p/curl/feature-requests/83/
Please consider adding support for Authority Information Access certificate extension (AIA).
AIA can provide various things like CRLs but, more importantly, information about intermediate CA certificates that can allow the validation path to be fulfilled.
Example site that uses certificate with AIA extension:
```
$ curl --version
curl 7.39.0 (x86_64-pld-linux-gnu) libcurl/7.39.0 OpenSSL/1.0.1j zlib/1.2.8 c-ares/1.10.0 libidn/1.29 libssh2/1.4.3 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz TLS-SRP Metalink
$ curl --cacert /etc/certs/ca-certificates.crt https://ftp.ruby-lang.org/
curl: (60) SSL certificate problem: unable to get local issuer certificate
```
If you try the same URL with Firefox or Google Chrome, the certificate will be validated fine. That's because these browsers look into AIA and fetch the intermediate certificate found there:
```
$ openssl s_client -host ftp.ruby-lang.org -port 443 2>&1 | openssl x509 -in /dev/stdin -text | grep -A3 "Authority Informa"
            Authority Information Access:
                CA Issuers - URI:http://secure.globalsign.com/cacert/gsdomainvalsha2g2r1.crt
                OCSP - URI:http://ocsp2.globalsign.com/gsdomainvalsha2g2
```
curl could do a similar thing to Firefox/Google Chrome and fetch that intermediate gsdomainvalsha2g2r1.crt cert, thus allowing validation to pass.
/cc @arekm since he filed the original issue.
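As an added illustration (not curl's code and not part of the original issue): a small stdlib-only Python parser for the AIA extension value that pulls out the CA Issuers and OCSP URIs a client would act on, with the two access descriptions shown above DER-encoded inline as constructed sample input. The helper names and the http-only fetch policy are this example's own assumptions.

```python
# DER-encoded object identifiers (RFC 5280 4.2.2.1), compared as raw bytes.
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # id-ad-caIssuers 1.3.6.1.5.5.7.48.2
OID_OCSP = bytes.fromhex("2b06010505073001")        # id-ad-ocsp      1.3.6.1.5.5.7.48.1
TAG_SEQUENCE, TAG_OID, TAG_URI = 0x30, 0x06, 0x86   # 0x86 = [6] uniformResourceIdentifier

def _tlv(tag, body):
    # DER tag-length-value; the long form here covers lengths up to 255 bytes.
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

def _read_tlv(buf, pos):
    # Returns (tag, value, position after this element); handles short and long lengths.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_aia(der):
    # AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
    # AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
    tag, body, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA must be a SEQUENCE OF AccessDescription")
    found, pos = {"ca_issuers": [], "ocsp": []}, 0
    while pos < len(body):
        _, desc, pos = _read_tlv(body, pos)
        oid_tag, oid, p = _read_tlv(desc, 0)
        loc_tag, loc, _ = _read_tlv(desc, p)
        if oid_tag != TAG_OID or loc_tag != TAG_URI:
            continue  # non-URI GeneralNames (directoryName, ...) are not fetchable here
        uri = loc.decode("ascii")
        if oid == OID_CA_ISSUERS:
            found["ca_issuers"].append(uri)
        elif oid == OID_OCSP:
            found["ocsp"].append(uri)
    return found

def ca_issuer_fetch_targets(der):
    # Assumed policy: only plain-http CA Issuers URIs are followed when completing a chain;
    # an https URI would need its own chain validated first, and ldap/file are not fetched.
    return [u for u in parse_aia(der)["ca_issuers"] if u.startswith("http://")]

# Constructed sample: the two AccessDescriptions the issue shows, DER-encoded here.
SAMPLE_AIA = _tlv(TAG_SEQUENCE,
    _tlv(TAG_SEQUENCE, _tlv(TAG_OID, OID_CA_ISSUERS)
         + _tlv(TAG_URI, b"http://secure.globalsign.com/cacert/gsdomainvalsha2g2r1.crt"))
    + _tlv(TAG_SEQUENCE, _tlv(TAG_OID, OID_OCSP)
           + _tlv(TAG_URI, b"http://ocsp2.globalsign.com/gsdomainvalsha2g2")))
```

Running `parse_aia(SAMPLE_AIA)` returns the CA Issuers URI curl would need to download and the OCSP responder separately, which is the information curl would have to extract from the leaf certificate before it could build the missing chain.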