AIA Fetching: Solving a Common SSL Misconfiguration
Resolving errors related to missing intermediate certificates
Before your browser (or whatever client you are using) can make a secure HTTPS connection to a website, it has to validate the website's SSL certificate. Your browser did exactly that, in a few hundred milliseconds, when you connected to this blog.
A key part of that process is checking the certificate's signature and issuer to determine whether it was issued by a trusted Certificate Authority (CA), such as Symantec or Comodo.
Web servers are supposed to send clients the end-entity (leaf) certificate for the website along with every intermediate certificate needed to connect it to a root; together these make up the certificate chain. The root itself does not need to be sent, because the client must already have it in its root store. With the full chain in hand, the client can trace the signatures back to that trusted root and verify the certificate.
However, many web servers are not configured correctly and do not send the right chain. Recent figures from Google say that roughly 10% of the certificate errors seen in Chrome are caused by incorrect or missing intermediate certificates.
Given how many servers have improperly configured chains, this ought to be a bigger problem than it is. Clients, however, have a way to compensate for this common mistake: AIA fetching.
AIA, or Authority Information Access, is an X.509 certificate extension (defined in RFC 5280) that carries information about the certificate's issuer. One of its purposes is to provide a URL from which the issuing intermediate certificate can be downloaded.
Here is our SSL certificate showing the AIA field. There are two entries in this certificate's AIA extension (numbered in the screenshot). The first entry is the address of the issuer's OCSP responder. OCSP is a revocation-checking mechanism and has nothing to do with AIA fetching.
The second entry, the caIssuers entry, is the one we are interested in. The last line in the screenshot is a URL from which the issuing intermediate can be downloaded. If a server does not send the intermediate certificate, clients that perform AIA fetching download it from that URL.
Once the client has the intermediate certificate, it can continue building the chain and verify the certificate. The server is technically misconfigured, but a user whose client supports AIA fetching will never notice.
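To make the two AIA entries concrete, here is an added example (not code from the original article) that builds a DER-encoded AIA extension value with the same two entries the screenshot shows, an OCSP responder and a caIssuers URL, and then parses it the way an AIA-fetching client would, pulling out the caIssuers URL. It uses only the Python standard library; the ocsp.example-ca.test and crt.example-ca.test URLs are constructed placeholders, not real CA endpoints.

```python
"""Build and parse an Authority Information Access (AIA) extension value.

Added example, not from the original article. The AIA extension
(RFC 5280, section 4.2.2.1) is a SEQUENCE of AccessDescription, each
holding an accessMethod OID and an accessLocation GeneralName. The two
methods that matter here are id-ad-ocsp and id-ad-caIssuers. Sample
URLs below are constructed placeholders.
"""

ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"        # RFC 5280 id-ad-ocsp
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # RFC 5280 id-ad-caIssuers

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_URI = 0x86  # GeneralName [6] uniformResourceIdentifier (IMPLICIT IA5String)


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag, length, content)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(TAG_OID, bytes(out))


def decode_oid(content: bytes) -> str:
    """Decode the content bytes of an OBJECT IDENTIFIER back to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def build_aia(entries) -> bytes:
    """entries: list of (method_oid, url). Returns DER AuthorityInfoAccessSyntax."""
    descs = b"".join(
        der(TAG_SEQUENCE, encode_oid(oid) + der(TAG_URI, url.encode("ascii")))
        for oid, url in entries
    )
    return der(TAG_SEQUENCE, descs)


def parse_aia(aia_der: bytes) -> list:
    """Return [(method_oid, url)] for every AccessDescription whose location is a URI."""
    tag, seq, _ = _read_tlv(aia_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA value is not a SEQUENCE")
    results, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = _read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription is not a SEQUENCE")
        oid_tag, oid_content, after_oid = _read_tlv(desc, 0)
        loc_tag, loc_content, _ = _read_tlv(desc, after_oid)
        if oid_tag != TAG_OID:
            raise ValueError("accessMethod is not an OBJECT IDENTIFIER")
        if loc_tag == TAG_URI:  # other GeneralName choices (e.g. directoryName) are skipped
            results.append((decode_oid(oid_content), loc_content.decode("ascii")))
    return results


def ca_issuers_urls(aia_der: bytes) -> list:
    """URLs an AIA-fetching client would download the issuer certificate from.

    Only http:// locations are returned. Fetching over https would require
    validating another chain first (possibly with its own AIA fetch), so
    clients fetch over plain HTTP and rely on checking the signature on the
    leaf against the downloaded certificate instead of trusting the transport.
    """
    return [url for oid, url in parse_aia(aia_der)
            if oid == ID_AD_CA_ISSUERS and url.startswith("http://")]


# Constructed sample mirroring the article's screenshot: OCSP first, caIssuers second.
SAMPLE_AIA = build_aia([
    (ID_AD_OCSP, "http://ocsp.example-ca.test"),
    (ID_AD_CA_ISSUERS, "http://crt.example-ca.test/intermediate.crt"),
])

if __name__ == "__main__":
    names = {ID_AD_OCSP: "OCSP", ID_AD_CA_ISSUERS: "caIssuers"}
    for oid, url in parse_aia(SAMPLE_AIA):
        print(f"{names.get(oid, oid):10} {url}")
    print("fetch issuer from:", ca_issuers_urls(SAMPLE_AIA))
```

In practice you would read the extension value out of a real certificate with a library rather than hand-parsing DER; the point of the parser is to show that the caIssuers URL is just an untrusted string inside the certificate. Whatever a client downloads from it must still be checked as the actual signer of the leaf before it is used in the chain.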
Google Chrome on all platforms (except Android), Internet Explorer, and Safari all perform AIA fetching.
AIA fetching has been criticized for encouraging server misconfiguration. An inexperienced server admin can forget to serve the intermediate certificates, and when they check the site in their own browser it works fine because the intermediates were fetched, so the problem may never become apparent. A quick way to catch it is to test with a client that does not fetch: openssl s_client -connect yourhost:443 -showcerts (with your own host name in place of yourhost) lists exactly the certificates the server sent and, when the intermediate is missing, reports a verify error (20, unable to get local issuer certificate, or 21, unable to verify the first certificate) instead of silently fetching it.
On the other hand, without AIA fetching clients would report certificate errors, harming the user's experience and teaching users that clicking through certificate errors is acceptable, all for the sake of enforcing a principle.
Not all client software performs AIA fetching. The Android platform does not do it at all, which is why Chrome on Android is the exception noted above. Nor does Firefox.
There are other ways to solve the problem of missing intermediate certificates. Clients can cache the intermediate certificates they encounter and use them for future connections, or they can ship with common intermediates preloaded. Some clients use a combination of these; Firefox, for example, keeps intermediates it has already seen and, in recent versions, also preloads a list of publicly trusted intermediates.
The underlying operating system can also handle some of this. On Windows, for instance, if you visit a site with a missing intermediate in Chrome, Chrome will AIA-fetch the intermediate and Windows will cache it. If you then open the same site in Firefox, it picks the intermediate up from the Windows cache and everything works. Do it in the reverse order and Firefox presents an error, because it has no way to get the intermediate.
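The chain building described earlier (continue once the intermediate is in hand) and the cache-ordering effect in the Windows example above can be modelled in a few dozen lines. The following is an added example, not code from the article or from any browser. It walks issuer links from the leaf to a trusted root, fills a missing issuer from the server-sent chain, then from a shared intermediate cache, then (for clients that do it) by an AIA fetch, and it refuses any candidate that does not actually check out as the signer. The signature check is a stand-in: a certificate counts as signed by a candidate when its issuer name and issuer key identifier match the candidate's subject and key identifier, which is the authority/subject key identifier match a real verifier performs before the cryptographic signature check that this example omits. The root, intermediate, leaf, host names and the network stand-in are all constructed.

```python
"""Chain building with server-supplied intermediates, an intermediate cache
and AIA fetching. Added example, not from the original article. Certificates,
URLs and the "network" are constructed; signature verification is a stand-in
based on issuer/subject and key-identifier matching only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_CHAIN_DEPTH = 8  # guard against issuer loops in hostile input


@dataclass(frozen=True)
class Cert:
    subject: str
    key_id: str             # stands in for the Subject Key Identifier
    issuer: str
    issuer_key_id: str      # stands in for the Authority Key Identifier
    ca_issuers_url: Optional[str] = None  # AIA caIssuers URL, if the cert has one

    def signed_by(self, candidate: "Cert") -> bool:
        # Stand-in for verifying this cert's signature with candidate's public key.
        return self.issuer == candidate.subject and self.issuer_key_id == candidate.key_id


class ChainError(Exception):
    pass


class IntermediateCache:
    """Intermediates this client (or, as in the article's Windows case, the OS) has seen."""

    def __init__(self) -> None:
        self._by_key_id: Dict[str, Cert] = {}

    def add(self, cert: Cert) -> None:
        self._by_key_id[cert.key_id] = cert

    def get(self, key_id: str) -> Optional[Cert]:
        return self._by_key_id.get(key_id)


def build_chain(server_certs: List[Cert], roots: Dict[str, Cert], cache: IntermediateCache,
                aia_fetch: bool, network: Dict[str, Cert]) -> List[Cert]:
    """Return the chain leaf -> intermediates -> root, or raise ChainError.

    server_certs: what the server sent, leaf first (intermediates optional).
    roots: the trusted root store, keyed by key_id.
    cache: intermediate cache shared across connections.
    aia_fetch: whether this client follows caIssuers URLs.
    network: constructed stand-in for HTTP, mapping URL -> certificate served there.
    """
    if not server_certs:
        raise ChainError("server sent no certificate")
    supplied = {c.key_id: c for c in server_certs[1:]}
    chain = [server_certs[0]]
    for _ in range(MAX_CHAIN_DEPTH):
        current = chain[-1]
        root = roots.get(current.issuer_key_id)
        if root is not None and current.signed_by(root):
            return chain + [root]
        key = current.issuer_key_id
        # Prefer what the server sent, then what we have cached from earlier connections.
        issuer = next((c for c in (supplied.get(key), cache.get(key))
                       if c is not None and current.signed_by(c)), None)
        if issuer is None and aia_fetch and current.ca_issuers_url:
            fetched = network.get(current.ca_issuers_url)  # the AIA fetch
            # A download is untrusted input until it checks out as the signer.
            if fetched is not None and current.signed_by(fetched):
                issuer = fetched
        if issuer is None:
            raise ChainError(f"unable to get issuer certificate for {current.subject}")
        cache.add(issuer)  # remember it for later connections, as browsers do
        chain.append(issuer)
    raise ChainError("chain too long")


# Constructed three-tier PKI: root -> issuing intermediate -> leaf.
ROOT = Cert("Example Root CA", "root-key", "Example Root CA", "root-key")
INTERMEDIATE = Cert("Example Issuing CA", "int-key", "Example Root CA", "root-key")
LEAF = Cert("www.example.test", "leaf-key", "Example Issuing CA", "int-key",
            ca_issuers_url="http://crt.example-ca.test/issuing.crt")
ROOTS = {ROOT.key_id: ROOT}
NETWORK = {LEAF.ca_issuers_url: INTERMEDIATE}  # constructed stand-in for the CA's HTTP server


def visit(client_does_aia: bool, cache: IntermediateCache,
          server_certs: Tuple[Cert, ...] = (LEAF,)) -> str:
    """One connection; by default the server sends only the leaf (the misconfiguration)."""
    try:
        chain = build_chain(list(server_certs), ROOTS, cache, client_does_aia, NETWORK)
        return "ok:" + " -> ".join(c.subject for c in chain)
    except ChainError as exc:
        return "error:" + str(exc)


def windows_story():
    """The article's Windows example, with one cache shared by both browsers."""
    shared = IntermediateCache()   # Chrome (AIA) first, then Firefox (no AIA): both succeed
    chrome_then_firefox = (visit(True, shared), visit(False, shared))
    shared = IntermediateCache()   # reverse order with a fresh cache: Firefox fails
    firefox_then_chrome = (visit(False, shared), visit(True, shared))
    return chrome_then_firefox, firefox_then_chrome


if __name__ == "__main__":
    print("server sends full chain:", visit(False, IntermediateCache(), (LEAF, INTERMEDIATE)))
    for label, results in zip(("Chrome then Firefox", "Firefox then Chrome"), windows_story()):
        print(label, results)
```

The ordering in build_chain is deliberate: server-sent and cached certificates are tried before any network fetch, and a fetched certificate is only accepted once it is shown to be the leaf's signer, since the caIssuers URL is attacker-controllable data and the download happens over plain HTTP.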