milahu changed the title from "fetch missing TLS certificates to fix curl error: unable to get local issuer certificate" to "fetch missing SSL certificates to fix curl error: unable to get local issuer certificate" on Jun 1, 2024

milahu added a commit to milahu/pyload that referenced this issue on Jun 16, 2024: "actually fix #4273"
this is a missing feature in curl, so it's a pycurl error
urls like https://www788.ucdn.to:183/ work in chrome, but fail with curl
strictly speaking, this is a server error
cert 0 issuer:
GlobalSign GCC R6 AlphaSSL CA 2023
cert 1 subject:
GlobalSign Root CA
... these should be identical in a full chain of certs
but cert 0 has the `Authority Information Access` extension, and we need to fetch the missing issuer cert from `CA Issuers - URI`
cert 0 = leaf cert
actual cert 1 = intermediary cert
here, cert 0 issuer and cert 1 subject are identical:
C = BE, O = GlobalSign nv-sa, CN = GlobalSign GCC R6 AlphaSSL CA 2023
actual cert 1 can be verified offline
because cert 1 issuer is in the system `ca-bundle.crt`
so there is no need to fetch http://secure.globalsign.com/cacert/root-r6.crt
this cert is not needed to verify cert 0
it's just wrong and misleading, either by accident or on purpose
but in the real world, many servers have such a "broken" config
so chrome fetches the missing issuer certs from `CA Issuers - URI`
there is a shit-ton of discussions on this topic ...
... yep, i already spent 2 days on this ^^
... but the TLDR is:
chrome defines the standard, and curl refuses to follow because "all hail the RFC"...
this reminds me very much of the curl issue curl/curl#11125
where curl maintainers are over-fulfilling the RFC in the name of "security"
but that is hurting real-world users
> While Brian's absolutely correct that AIA also covers misconfigurations, such as a server only supplying a single certificate, I don't agree with causing users pain and conditioning them on errors simply for an ideological stand. Past attempts at such stands, such as refusing to persist TLS errors, resulted in much worse experiences for Chrome users.

from AIA fetching in Chrome for Android

workaround for curl

- catch the `unable to get local issuer certificate` error
- fetch missing certificates and add them to `ca-bundle.crt`
- note: we do not trust the extra certs. we add them as `-----BEGIN CERTIFICATE-----`, not as `-----BEGIN TRUSTED CERTIFICATE-----`. so in rare cases, the user will have to decide whether he trusts an unknown root cert... but that situation would also break in chrome
- call curl again with the updated `ca-bundle.crt`
- cache our `ca-bundle.crt` in `~/.pyload/ca-bundle.crt`
- fetching certs in python is 3x slower than in curl
- so we always should try to call curl first
- and only on curl error, fetch certs in python, and retry curl
in `src/pyload/core/network/http/http_request.py`, `certifi.where()` returns the path to the system `ca-bundle.crt`, usually `/etc/ssl/certs/ca-bundle.crt`
currently I'm working on danilobellini/aia#3
hope to get this done in the next 1...2 days, then add aia to pyload
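The issue above describes the recovery path: when the server sends leaf + root instead of leaf + intermediate, read the leaf's `Authority Information Access` extension, fetch the `CA Issuers` URI, and retry with the fetched certificate added to the bundle. The Python below is an added example and is not pyLoad's, curl's or the `aia` library's code. It builds a constructed root/intermediate/leaf PKI in memory (so it runs offline), then resolves the chain the way the workaround describes, fetching only what the server failed to send. `ISSUER_URL`, the dict standing in for the HTTP fetch, and every function name are assumptions. It checks only names and signatures; a real client also checks validity periods, name constraints and revocation. The one edge case it enforces deliberately: a self-signed certificate obtained via AIA is never accepted, because the trust decision has to come from the root already in the store, not from whatever the URL (or the network path to it) hands back.

```python
"""AIA chain building, as an added example (not pyLoad, curl or aia code)."""
import datetime
from typing import Callable, List, Optional, Sequence, Tuple

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

# Hypothetical repository URL placed in the leaf's AIA extension (an assumption).
ISSUER_URL = "http://pki.example.test/intermediate.crt"


def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _make_cert(subject, issuer_name, issuer_key, pub, *, is_ca, aia_url=None):
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(subject).issuer_name(issuer_name).public_key(pub)
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(days=1))
         .not_valid_after(now + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if aia_url:  # AIA with a single "CA Issuers" access description
        b = b.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.CA_ISSUERS, x509.UniformResourceIdentifier(aia_url))]),
            critical=False)
    return b.sign(issuer_key, hashes.SHA256())


def make_test_pki() -> Tuple[x509.Certificate, x509.Certificate, x509.Certificate]:
    """Constructed test PKI: self-signed root -> intermediate -> leaf carrying AIA."""
    root_key, int_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _make_cert(_name("Example Root"), _name("Example Root"), root_key,
                      root_key.public_key(), is_ca=True)
    inter = _make_cert(_name("Example Intermediate"), _name("Example Root"), root_key,
                       int_key.public_key(), is_ca=True)
    leaf = _make_cert(_name("www.example.test"), _name("Example Intermediate"), int_key,
                      leaf_key.public_key(), is_ca=False, aia_url=ISSUER_URL)
    return root, inter, leaf


def ca_issuer_urls(cert: x509.Certificate) -> List[str]:
    """CA Issuers URIs from the AIA extension; empty list if the extension is absent."""
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return []
    return [d.access_location.value for d in aia
            if d.access_method == AuthorityInformationAccessOID.CA_ISSUERS
            and isinstance(d.access_location, x509.UniformResourceIdentifier)]


def signed_by(cert: x509.Certificate, issuer: x509.Certificate) -> bool:
    """True if `issuer` names cert's issuer and its key verifies cert's signature (EC only here)."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:
        return False


def build_chain(leaf: x509.Certificate, presented: Sequence[x509.Certificate],
                roots: Sequence[x509.Certificate], fetch: Callable[[str], Optional[bytes]],
                max_depth: int = 5):
    """Return (chain, fetched): chain runs leaf -> ... -> a root from `roots`;
    fetched lists the issuers that the server omitted and AIA supplied."""
    chain, fetched, cur = [leaf], [], leaf
    for _ in range(max_depth):
        anchor = next((r for r in roots if signed_by(cur, r)), None)
        if anchor is not None:  # reached the trust store
            return chain + [anchor], fetched
        nxt = next((c for c in presented if c is not cur and signed_by(cur, c)), None)
        if nxt is None:  # server did not send the issuer: follow AIA
            for url in ca_issuer_urls(cur):
                der = fetch(url)
                cand = x509.load_der_x509_certificate(der) if der else None
                # Never accept a self-signed cert from AIA: that would let whoever controls
                # the URL or the network hand us a new root.
                if cand is not None and cand.subject != cand.issuer and signed_by(cur, cand):
                    nxt = cand
                    fetched.append(cand)
                    break
        if nxt is None:
            raise ValueError("unable to get local issuer certificate: " + cur.issuer.rfc4514_string())
        chain.append(nxt)
        cur = nxt
    raise ValueError("chain too long")


def cert_der(cert: x509.Certificate) -> bytes:
    return cert.public_bytes(serialization.Encoding.DER)


def bundle_pem(certs: Sequence[x509.Certificate]) -> bytes:
    """Plain -----BEGIN CERTIFICATE----- PEM, the form the issue appends to ca-bundle.crt."""
    return b"".join(c.public_bytes(serialization.Encoding.PEM) for c in certs)


if __name__ == "__main__":
    root, inter, leaf = make_test_pki()
    repo = {ISSUER_URL: cert_der(inter)}  # stands in for the HTTP fetch
    chain, fetched = build_chain(leaf, [leaf, root], [root], repo.get)
    print([c.subject.rfc4514_string() for c in chain], len(fetched), "fetched via AIA")
```

Everything in `fetched` can be appended to a bundle with `bundle_pem` and the request retried, as the issue proposes; the chain is still anchored only by a root already in `roots`, so the download never adds trust. One caveat on the `certifi.where()` path mentioned above: upstream certifi returns its own bundled `cacert.pem`, not the system `ca-bundle.crt`, unless the distribution patches it to use the system store, so which file gets the appended intermediates depends on how Python was installed.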