
incomplete-chain can be accepted if client actually does verification steps #288

@ppietikainen

Description


The RFC 5280 specification allows fetching the missing CA certificates from the location specified in the AIA extension, so accepting it is OK, as long as the certificates are actually fetched.

This could be perhaps tested by controlling the contents of the AIA extension to point to something we control?

Quick'n'dirty fix: Document that FAIL is ok, but use tcpdump to check whether the stub fetched CA stuff using HTTP; if it doesn't, it either did some caching or we have a real security bug.
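As an added example (not part of this issue or the project it tracks), the test fixture the description asks for: a root -> intermediate -> leaf chain whose leaf carries an AIA caIssuers URL we control, plus a check that the leaf verifies only once the intermediate from that URL is supplied. It assumes a POSIX shell with the openssl CLI; the URL is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the issue or its project: build root -> intermediate
# -> leaf, where the leaf's AIA caIssuers URL points at a location we control,
# and check that the leaf verifies only once that intermediate is supplied.
set -e

AIA_URL="http://127.0.0.1:8000/intermediate.der"   # constructed placeholder

# make_chain DIR: writes root.pem, int.pem, leaf.pem and intermediate.der to DIR.
make_chain() {
    (
    cd "$1"
    # Self-signed root (the trust anchor the verifier is given).
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout root.key -out root.pem -subj /CN=TestRoot -days 30 >/dev/null 2>&1
    # Intermediate CA signed by the root; this is what the stub must fetch.
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout int.key -out int.csr -subj /CN=TestIntermediate >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > int.ext
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 30 -extfile int.ext -out int.pem >/dev/null 2>&1
    # Leaf signed by the intermediate; its AIA tells clients where int lives.
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout leaf.key -out leaf.csr -subj /CN=leaf.example.test >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nauthorityInfoAccess=caIssuers;URI:%s\n' \
        "$AIA_URL" > leaf.ext
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 30 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
    # DER copy to serve at AIA_URL (RFC 5280 4.2.2.1 expects a DER certificate).
    openssl x509 -in int.pem -outform DER -out intermediate.der
    )
}

# aia_ca_issuers DIR: prints the caIssuers URL(s) embedded in the leaf.
aia_ca_issuers() {
    openssl x509 -in "$1/leaf.pem" -noout -text | sed -n 's/.*CA Issuers - URI://p'
}

# verify_leaf DIR [extra openssl verify args]: exit 0 only if a chain from
# leaf.pem to root.pem can be built. Without the intermediate it must fail.
verify_leaf() {
    d=$1; shift
    openssl verify -CAfile "$d/root.pem" "$@" "$d/leaf.pem" >/dev/null 2>&1
}

W=$(mktemp -d); make_chain "$W"
echo "AIA caIssuers: $(aia_ca_issuers "$W")"
verify_leaf "$W" && echo "incomplete chain: ACCEPTED (bug?)" || echo "incomplete chain: rejected"
verify_leaf "$W" -untrusted "$W/int.pem" && echo "with intermediate: OK"
```

Serve `intermediate.der` at `$AIA_URL` from a server you control and watch its access log (or tcpdump, as above) while the stub connects: a client that accepts the leaf without ever requesting that file did not do the fetch.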
