classification
Title: AIA chasing for missing intermediate certificates on TLS connections
Type: enhancement
Stage:
Components: Library (Lib), SSL
Versions: Python 3.7
process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To: docs@python
Nosy List: Chi Hsuan Yen, alex, april, christian.heimes, docs@python, dstufft, janssen, pitrou, samv
Priority: normal
Keywords:

Created on 2013-08-01 16:58 by dstufft, last changed 2017-05-17 22:37 by alex.

Messages (8)
msg194088 - (view) Author: Donald Stufft (dstufft) * (Python committer) Date: 2013-08-01 16:58
Currently the Python SSL module requires the full chain, including all intermediaries, to be served in order to validate a TLS connection. This isn't *wrong*, however a number of folks have had issues trying to set up a custom PyPI index in pip due to missing them. They believed the problem with validation to be in pip/Python because it works in their browser.

Essentially browsers have the ability to download missing intermediate certs using a URL found inside the AIA data. This is slow and it isn't generally recommended that you rely on it for any particular site. However it does mean that TLS connections work in more situations.

At the least this should probably be documented, and possibly the Python library be enhanced to be more browser like in this regard.
msg194090 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-08-01 17:09
Thx!

Let's update the docs for 2.7 to 3.4 first. 

For AIA intermediate cert retrieval we have to use OpenSSL's verify hook. It's a pain to implement all necessary bits and hard to use, though. :(
msg203174 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-11-17 14:29
Donald, could you please provide a doc update that explains the problem?
msg203175 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-11-17 14:30
I'm afraid downloading certs on the fly would open a whole new can of worms, so I'd rather have it documented indeed :)
msg216976 - (view) Author: Sam Vilain (samv) Date: 2014-04-22 00:14
Perhaps the simplest thing here is to add a standard verify callback that catches verification errors, and returns the parsed server certificate as an attribute of the raised exception object.  From Python, the exception can be caught and then the certificate data used to fetch the intermediate certificate, and pass it into SSLContext.load_verify_locations().

This would force an extra client connection, but be less insane than trying to fetch and return the certificate from inside the SSL_CTX_set_verify() callback IMHO.

Does that sound workable?  Any hints for a would-be drive-by patcher?
msg293894 - (view) Author: April King (april) Date: 2017-05-17 21:50
Browsers universally support AIA chasing/fetching, as do a number of underlying OS libraries, such as Secure Transport (macOS) and schannel (Windows).

As a result, it is becoming increasingly common for server operators to fail to include the entire certificate chain in their handshake. By some measures, anywhere from 10 to over 30% of all TLS errors (1) are caused by missing intermediate certificates.

There are a handful of ways that scanners and other tools have worked around this issue. Some, like SSL Labs, do their own AIA chasing. Others make subprocess calls to other tools linked to OS libraries which invisibly perform AIA chasing, such as curl on macOS. Others, like Firefox, maintain a cache of intermediate certificates.

In any case, all of these solutions are concessions to the reality that TLS is really hard and that it is largely impossible to solve this particular misconfiguration issue.

I myself write a popular tool (2) that does scanning of sites for missing security configurations. Although it's not explicitly focused on TLS, some of the underlying tests rely on a verified TLS connection.  For example, the HTTP Strict Transport Security (HSTS) header can only be set on valid TLS connections.  I use requests (which uses httplib underneath), but I'm unable to tell if a given certificate error is because of either:

a) the certificate validation actually failed (for example, due to being expired), or
b) there was a missing intermediate certificate and that things would have worked if AIA chasing was available

As a result, I have to tell people that their HSTS header can't be set. This is often incorrect, because browsers that do AIA chasing consider the connection perfectly secure for the purposes of HSTS.

It would be really nice if Python's httplib could be updated to do transparent AIA chasing, with the optional ability to turn it off. In an ideal world, the underlying TLS libraries (such as OpenSSL) would do this for us, but unfortunately as things stand now OpenSSL leaves it up to the applications themselves to perform chasing. According to Mozilla research (3), if implemented, it would reduce TLS errors by approximately 6%, were AIA chasing always performed and successful.

Thanks!

1. https://docs.google.com/document/d/1ryqFMSHHRDERg1jm3LeVt7VMfxtXXrI8p49gmtniNP0/edit?pli=1
2. https://observatory.mozilla.org/
3. https://bugzilla.mozilla.org/show_bug.cgi?id=399324#c80
msg293896 - (view) Author: April King (april) Date: 2017-05-17 21:59
Err, sorry, I may have been a bit unclear.  AIA chasing is not *universal* amongst browsers.  IE, Edge, Chrome, and Safari perform AIA chasing.  Firefox maintains a cache of intermediate certificate authorities.  I noted that a bit further underneath, but my apologies if it was confusing.

That said, every browser has chosen some underlying method to ameliorate this common TLS error.  It would be amazing if Python could similarly resolve this issue for developers.
msg293898 - (view) Author: Alex Gaynor (alex) * (Python committer) Date: 2017-05-17 22:37
Just discussed with Christian, and we're both in favor of adding AIA chasing support to the stdlib ssl.
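The catch-and-refetch flow Sam sketches in msg216976 (catch the verification error, pull the caIssuers URL out of the leaf's AIA extension, load the fetched intermediate with load_verify_locations(), reconnect) and the distinction April asks for in msg293894 (a genuinely bad certificate versus one that only lacks its intermediate), worked through in stdlib-only Python as an added example. This is not code from this issue, from CPython or from any of the posters; the DER walker, the chase loop and the second CERT_NONE probe connection are this example's own design, and SAMPLE_CA_ISSUERS, sample_leaf_der() and the fetch callback are constructed stand-ins rather than real CA endpoints or a real certificate.

```python
"""Stdlib-only AIA chasing sketch (added example, not CPython's own code)."""
import socket
import ssl
import urllib.request

OID_AIA = "1.3.6.1.5.5.7.1.1"          # id-pe-authorityInfoAccess
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers

def _tlv(buf, pos):
    """Decode one DER tag/length at pos -> (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _walk(buf, start, end):             # yield (tag, content_start, content_end) for each TLV in buf[start:end]
    pos = start
    while pos < end:
        tag, cs, ce = _tlv(buf, pos)
        yield tag, cs, ce
        pos = ce

def _oid(content):                      # OID content octets -> dotted string
    parts, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def _find_extension(buf, start, end, oid):
    """Depth-first search for SEQUENCE { OID oid, [critical BOOLEAN,] OCTET STRING value }."""
    for tag, cs, ce in _walk(buf, start, end):
        if not tag & 0x20:              # primitive element: nothing to descend into
            continue
        items = list(_walk(buf, cs, ce))
        if (tag == 0x30 and items and items[0][0] == 0x06 and items[-1][0] == 0x04
                and _oid(buf[items[0][1]:items[0][2]]) == oid):
            return buf[items[-1][1]:items[-1][2]]
        found = _find_extension(buf, cs, ce, oid)
        if found:
            return found

def ca_issuers_urls(cert_der):
    """Return the caIssuers URLs carried in the certificate's AIA extension."""
    aia = _find_extension(cert_der, 0, len(cert_der), OID_AIA) or b"\x30\x00"  # empty SEQUENCE if absent
    urls = []
    _, cs, ce = _tlv(aia, 0)            # AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
    for _, ds, de in _walk(aia, cs, ce):
        items = list(_walk(aia, ds, de))  # AccessDescription ::= SEQUENCE { accessMethod, accessLocation }
        if (len(items) == 2 and items[1][0] == 0x86   # [6] uniformResourceIdentifier
                and _oid(aia[items[0][1]:items[0][2]]) == OID_CA_ISSUERS):
            urls.append(aia[items[1][1]:items[1][2]].decode("ascii"))
    return urls

def chase(leaf_der, fetch, max_hops=3):
    """Follow caIssuers links upward from the leaf; return the fetched intermediates as DER."""
    chain, current = [], leaf_der
    for _ in range(max_hops):
        urls = [u for u in ca_issuers_urls(current) if u.startswith("http://")]
        if not urls:                    # no AIA, which is typical for a root: stop
            break
        blob = fetch(urls[0])
        if b"-----BEGIN CERTIFICATE-----" in blob:      # some CAs serve PEM rather than DER
            blob = ssl.PEM_cert_to_DER_cert(blob.decode("ascii"))
        if not blob.startswith(b"\x30"):                # not a DER SEQUENCE; PKCS#7 bundles are not handled
            break
        chain.append(blob)
        current = blob
    return chain

def connect_with_aia(host, port=443, fetch=lambda u: urllib.request.urlopen(u, timeout=10).read()):
    """Handshake; on a verification failure, chase AIA once and retry (costs a second connection)."""
    ctx = ssl.create_default_context()
    try:
        return ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    except ssl.SSLCertVerificationError:
        pass
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)     # verification off: used only to read the leaf
    probe.check_hostname, probe.verify_mode = False, ssl.CERT_NONE
    with probe.wrap_socket(socket.create_connection((host, port)), server_hostname=host) as s:
        leaf = s.getpeercert(binary_form=True)          # the dict form is empty under CERT_NONE
    for der in chase(leaf, fetch):
        ctx.load_verify_locations(cadata=der)           # bytes-like cadata must be DER
    return ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)

def _der(tag, content):
    """Short-form DER TLV (contents < 128 bytes), used only to build the constructed sample."""
    return bytes([tag, len(content)]) + content
SAMPLE_CA_ISSUERS = "http://pki.example.test/int.crt"  # constructed, not a real CA URL

def sample_leaf_der():
    """Constructed leaf stand-in: just the wrappers the walker descends through around a real AIA extension."""
    access = _der(0x30, b"\x06\x08\x2b\x06\x01\x05\x05\x07\x30\x02" + _der(0x86, SAMPLE_CA_ISSUERS.encode()))
    ext = _der(0x30, b"\x06\x08\x2b\x06\x01\x05\x05\x07\x01\x01" + _der(0x04, _der(0x30, access)))
    return _der(0x30, _der(0x30, _der(0xA3, _der(0x30, ext))))
```

ca_issuers_urls() and chase() run offline against sample_leaf_der() or any real DER leaf; connect_with_aia() does network I/O. If the retry in connect_with_aia() raises SSLCertVerificationError a second time, the failure is not a missing intermediate, which is the signal April's scanner lacks. Three caveats a practitioner should keep in mind: the probe connection is needed because getpeercert() returns an empty dict when verify_mode is CERT_NONE, so the leaf has to be parsed from its binary form (here by hand; the cryptography package is the usual alternative); load_verify_locations(cadata=...) adds the fetched intermediate as a trust anchor rather than as an untrusted chain certificate, which the stdlib ssl module has no API for, so with OpenSSL's default flags the chain must still reach a root already in the store; and the caIssuers fetch is deliberately plain HTTP, since the downloaded certificate is authenticated by the chain signatures, not by the transport.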
History
Date | User | Action | Args
2017-05-17 22:37:17 | alex | set | nosy: + janssen, alex; messages: + msg293898
2017-05-17 21:59:37 | april | set | messages: + msg293896
2017-05-17 21:50:38 | april | set | nosy: + april; messages: + msg293894; title: TLS and Intermediate Certificates -> AIA chasing for missing intermediate certificates on TLS connections
2016-09-19 06:27:53 | Chi Hsuan Yen | set | nosy: + Chi Hsuan Yen
2016-09-15 07:55:45 | christian.heimes | set | components: + SSL; versions: - Python 3.6
2016-09-08 14:51:50 | christian.heimes | set | versions: + Python 3.6, Python 3.7, - Python 2.7, Python 3.3, Python 3.4, Python 3.5
2014-04-22 00:14:18 | samv | set | nosy: + samv; messages: + msg216976; versions: + Python 3.5
2013-11-17 14:30:55 | pitrou | set | nosy: + pitrou; messages: + msg203175
2013-11-17 14:29:49 | christian.heimes | set | assignee: docs@python; messages: + msg203174; nosy: + docs@python
2013-08-01 17:09:05 | christian.heimes | set | nosy: + christian.heimes; messages: + msg194090; versions: + Python 2.7, Python 3.3, Python 3.4
2013-08-01 16:58:37 | dstufft | create |