Merge #15: Disable AIA over HTTPS

b9f4ad6 Fix goimports warning (Jeremy Rand) 93aa4ba Disable AIA over HTTPS (Jeremy Rand) Pull request description: Based on CAPI2 logs, it appears that usage of AIA over HTTPS was a contributing factor to namecoin/encaya#19 . Top commit has no ACKs. Tree-SHA512: c8077e281cc865f9a05c430c2d100b82f0d33d691c0ac424ef9cd2df38031c40083942fef09aef7e6ab89fa35f0c647b4a69a043224254474ddc65b5fb99e7d2
namecoin · Aug 26, 2021 · 82c228f · 82c228f
2 parents abbb44d + b9f4ad6
commit 82c228f
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/parent.go b/parent.go
@@ -192,10 +192,11 @@ func getParent() (parentCert x509.Certificate, parentPriv interface{}) {
 		aiaPubHash := sha256.Sum256(aiaPubBytes)
 		aiaPubHashStr := hex.EncodeToString(aiaPubHash[:])
 
-		// Support both HTTP and HTTPS AIA.
+		// Support only HTTP AIA.  HTTPS is not supported by major TLS clients,
+		// and listing an HTTPS URL can cause them to not chase the HTTP URL.
 		aiaBaseURL := "aia.x--nmc.bit/aia"
 		aiaURL := aiaBaseURL + "?domain=" + *host + "&pubsha256=" + aiaPubHashStr
-		template.IssuingCertificateURL = []string{"https://"+aiaURL, "http://"+aiaURL}
+		template.IssuingCertificateURL = []string{"http://" + aiaURL}
 	} else if *grandparentKey != "" {
 		aiaParent, aiaParentPriv = getAIAParent()
 	} else {
@@ -225,7 +226,7 @@ func getParent() (parentCert x509.Certificate, parentPriv interface{}) {
 	//log.Print("wrote cert.pem\n")
 	log.Print("wrote caCert.pem\n")
 
-	if ! *useAIA {
+	if !*useAIA {
 		writeJSONTLSA(priv)
 	}