From 407364d2522193c9c9929786f3dcd15a15bba1e9 Mon Sep 17 00:00:00 2001
From: Jeremy Rand
Date: Wed, 25 Aug 2021 08:20:57 +0000
Subject: [PATCH] Disable AIA over HTTPS

Based on CAPI2 logs, it appears that usage of AIA over HTTPS was a contributing factor to https://github.com/namecoin/encaya/issues/19 .
---
 parent.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/parent.go b/parent.go
index b5e259c..0166d8e 100644
--- a/parent.go
+++ b/parent.go
@@ -192,10 +192,11 @@ func getParent() (parentCert x509.Certificate, parentPriv interface{}) {
 aiaPubHash := sha256.Sum256(aiaPubBytes)
 aiaPubHashStr := hex.EncodeToString(aiaPubHash[:])
- // Support both HTTP and HTTPS AIA.
+ // Support only HTTP AIA. HTTPS is not supported by major TLS clients,
+ // and listing an HTTPS URL can cause them to not chase the HTTP URL.
 aiaBaseURL := "aia.x--nmc.bit/aia"
 aiaURL := aiaBaseURL + "?domain=" + *host + "&pubsha256=" + aiaPubHashStr
- template.IssuingCertificateURL = []string{"https://"+aiaURL, "http://"+aiaURL}
+ template.IssuingCertificateURL = []string{"http://"+aiaURL}
 } else if *grandparentKey != "" {
 aiaParent, aiaParentPriv = getAIAParent()
 } else {
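Review bot: The URL written into the certificate on the new `template.IssuingCertificateURL = []string{"http://"+aiaURL}` line still comes from `aiaURL`, which concatenates `*host` into the query string unescaped; a host value containing `&`, `#`, `%` or whitespace (it appears to be flag-derived, so this depends on how the binary is invoked) produces a malformed or truncated AIA URL that relying clients will fail to fetch. Building the query with net/url avoids that: `q := url.Values{"domain": {*host}, "pubsha256": {aiaPubHashStr}}` followed by `aiaURL := aiaBaseURL + "?" + q.Encode()` (this needs `net/url` imported above the hunk). The new comment could also record why dropping HTTPS does not weaken the trust decision, e.g. `// Plain HTTP is acceptable here: the fetched issuer certificate is authenticated by its signature chain, not by the transport.` — presumably accurate given the verification that AIA clients perform, but worth confirming against how the served certificate is validated. Note that getParent begins and ends outside this hunk, so the surrounding if/else structure is not visible here.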