crypto/tls: internal error when connecting to site with abnormally large certificate #13401
Comments
/cc @agl
Certainly the error message could be better, which is hopefully addressed in https://go-review.googlesource.com/#/c/20547/. However, did you expect 10000-sans.badssl.com to work? It doesn't work in OpenSSL nor Chrome at least. I'm unsure whether this is something that real sites would want to do, and thus should be supported, or whether our existing handshake message limit is still reasonable.
CL https://golang.org/cl/20547 mentions this issue.
I don't think there is a valid use case for certificates that large (yet? ever?). I was essentially curious about Go's behavior shortly after the badssl site was set up. Thanks for fixing the error message 👍
This change improves the error message when encountering a TLS handshake message that is larger than our limit (64KB). Previously the error was just “local error: internal error”.

Updates #13401.

Change-Id: I86127112045ae33e51079e3bc047dd7386ddc71a
Reviewed-on: https://go-review.googlesource.com/20547
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
https://10000-sans.badssl.com is a test site that serves a certificate with 10,000 SAN records for the purpose of breaking TLS clients. Go is unable to open a connection to this site, and breaks with the error:
Source code is
I would like for this to work, but I can understand Go refusing to open a connection with such an unusual certificate. If so, maybe the failure should be enforced by a policy and the error message explicit?
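
The explicit size policy and error message discussed in this thread can be sketched as follows. This is an added example, not code from crypto/tls or from the CL; it assumes the record layer has already reassembled handshake fragments into one byte stream, and the names `readHandshakeMsg`, `buildMsg`, `maxHandshakeLen` and `ErrHandshakeTooLarge` are invented for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// maxHandshakeLen is the 64KB limit quoted in the commit message above.
// The constant name is chosen for this example.
const maxHandshakeLen = 64 * 1024

// ErrHandshakeTooLarge lets callers tell a policy rejection from an I/O failure.
var ErrHandshakeTooLarge = errors.New("handshake message exceeds size limit")

// readHandshakeMsg reads one TLS handshake message (1-byte type, 3-byte
// big-endian length, body) from r. The length is checked before any body
// bytes are buffered, so an oversized Certificate message costs no memory.
func readHandshakeMsg(r io.Reader) (msgType uint8, body []byte, err error) {
	var hdr [4]byte
	if _, err = io.ReadFull(r, hdr[:]); err != nil {
		return 0, nil, fmt.Errorf("reading handshake header: %w", err)
	}
	msgType = hdr[0]
	n := int(hdr[1])<<16 | int(hdr[2])<<8 | int(hdr[3])
	if n > maxHandshakeLen {
		return msgType, nil, fmt.Errorf("%w: type %d, length %d bytes, limit %d bytes",
			ErrHandshakeTooLarge, msgType, n, maxHandshakeLen)
	}
	body = make([]byte, n)
	if _, err = io.ReadFull(r, body); err != nil {
		return msgType, nil, fmt.Errorf("reading handshake body: %w", err)
	}
	return msgType, body, nil
}

// buildMsg constructs a handshake message with a zero-filled body of n bytes.
func buildMsg(msgType uint8, n int) []byte {
	hdr := []byte{msgType, byte(n >> 16), byte(n >> 8), byte(n)}
	return append(hdr, make([]byte, n)...)
}

func main() {
	// Type 11 is Certificate. Constructed inputs: 1,200 and 200,000 byte bodies.
	for _, n := range []int{1200, 200000} {
		_, body, err := readHandshakeMsg(bytes.NewReader(buildMsg(11, n)))
		fmt.Println(len(body), err)
	}
}
```

Wrapping a sentinel error means a caller can use `errors.Is(err, ErrHandshakeTooLarge)` to log or count policy rejections separately from network faults.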