Antoine FERRON

AIA on Mobile

Discussion created by Antoine FERRON on Aug 26, 2015
Latest reply on Aug 26, 2015 by Antoine FERRON

On SSL Server Test, there is a small discrepancy between actual user experience and handshake simulation on some mobile devices. I noticed it because it took me some time to understand what was wrong with my Android phone on one particular server.

While browsing on Android, when the certificate path is incomplete (direct from a given server) and needs an extra download, Android reports the connection as insecure and doesn't allow the connection. This is because there's no Authority Information Access support in Android, and so the server needs to host all certificates of the chain. Else, the connection fails. The fact is, if you try with an Android 5.0 phone to a server which doesn't provide the full certificate chain, the connection will fail. But in Handshake Simulation, it says OK.


This issue is discussed here and there.


So I propose to change some mobile handshake simulations to mark some as "Protocol or cipher suite mismatch - Fail" when the certificate chain is not complete (needs an extra download). At least Android 5.0 (I can only confirm this one), and probably 4.x versions and potentially other mobile platforms. The simulations would be much more realistic, asserting "Fail" when the platform can't support AIA (and the chain is incomplete). This is quite similar to SNI support, which prevents some (old) platforms from connecting to some servers.
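The behaviour the post describes can be reproduced offline. The following Go program is an added example, not code from the post or from SSL Labs: it builds a constructed root, intermediate and leaf certificate in memory (the leaf carries an AIA caIssuers URL, `http://ca.example.test/intermediate.cer`, which is a placeholder and is never fetched) and then verifies the leaf the way a client without AIA support would, using only the certificates the server actually sent. Serving the leaf alone fails, serving the leaf plus the intermediate succeeds, which is the "Fail" verdict the post proposes the simulation should report for Android. The function and type names (`BuildTestChain`, `SimulateNonAIAClient`, `Verdict`) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed placeholders: the caIssuers URL in the leaf's Authority Information
// Access extension (never fetched here) and the hostname the leaf is issued for.
const HypotheticalAIAURL = "http://ca.example.test/intermediate.cer"
const ServerHost = "www.example.test"

// TestChain is a constructed root -> intermediate -> leaf hierarchy.
type TestChain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// Verdict is what the simulated non-AIA client reports for a served chain.
type Verdict struct {
	OK      bool
	Reason  string
	AIAURLs []string // caIssuers URLs an AIA-capable client would have followed
}

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildTestChain generates fresh P-256 keys and a three-level chain in memory.
func BuildTestChain() (*TestChain, error) {
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	now := time.Now()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
			BasicConstraintsValid: true, IsCA: true,
		}
	}
	rootTmpl := ca(1, "Constructed Root CA")
	root, err := issue(rootTmpl, rootTmpl, &keys[0].PublicKey, keys[0]) // self-signed
	if err != nil {
		return nil, err
	}
	inter, err := issue(ca(2, "Constructed Intermediate CA"), root, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: ServerHost},
		DNSNames:  []string{ServerHost},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		// AIA caIssuers pointer: where an AIA-capable browser would download the intermediate.
		IssuingCertificateURL: []string{HypotheticalAIAURL},
	}
	leaf, err := issue(leafTmpl, inter, &keys[2].PublicKey, keys[1])
	if err != nil {
		return nil, err
	}
	return &TestChain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// SimulateNonAIAClient verifies leaf for host using only the certificates the
// server sent (served) plus the trusted root. It never follows AIA URLs, which
// is the Android behaviour the post describes.
func SimulateNonAIAClient(leaf *x509.Certificate, served []*x509.Certificate, root *x509.Certificate, host string) Verdict {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range served {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	if err == nil {
		return Verdict{OK: true, Reason: "chain complete"}
	}
	v := Verdict{Reason: err.Error(), AIAURLs: leaf.IssuingCertificateURL}
	if len(v.AIAURLs) > 0 {
		v.Reason = "chain incomplete and client does not fetch via AIA: " + err.Error()
	}
	return v
}

// Simulate runs the check with the leaf alone, or with the intermediate served too.
func (c *TestChain) Simulate(withIntermediate bool) Verdict {
	var served []*x509.Certificate
	if withIntermediate {
		served = append(served, c.Intermediate)
	}
	return SimulateNonAIAClient(c.Leaf, served, c.Root, ServerHost)
}

func main() {
	ch, err := BuildTestChain()
	if err != nil {
		panic(err)
	}
	fmt.Printf("leaf only:           %+v\n", ch.Simulate(false))
	fmt.Printf("leaf + intermediate: %+v\n", ch.Simulate(true))
}
```

The same `SimulateNonAIAClient` check can be pointed at a real server's sent chain (for example the `PeerCertificates` of a `tls.ConnectionState`) to confirm whether a site relies on AIA fetching before an Android user reports it as failing.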