Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/tls: internal error when connecting to site with abnormaly large certificate #13401

Closed
jvehent opened this issue Nov 25, 2015 · 4 comments
Closed

crypto/tls: internal error when connecting to site with abnormaly large certificate #13401

jvehent opened this issue Nov 25, 2015 · 4 comments
Labels
FrozenDueToAge
Milestone
Go1.7

Comments

@jvehent
Copy link

jvehent commented Nov 25, 2015

https://10000-sans.badssl.com is a test site that serves a certificate with 10,000 SAN records for the purpose of breaking TLS clients. Go is unable to open a connection to this site, and breaks with the error:

$ go run https_break.go 
panic: Get https://10000-sans.badssl.com: local error: internal error

goroutine 1 [running]:
main.main()
    /home/ulfr/git/go-toybox/https_break.go:8 +0x6e

goroutine 17 [syscall, locked to thread]:
runtime.goexit()
    /usr/lib/go/src/runtime/asm_amd64.s:1696 +0x1
exit status 2

Source code is

package main

import "net/http"

func main() {
    _, err := http.Get("https://10000-sans.badssl.com")
    if err != nil {
        panic(err)
    }
}

I would like for this to work, but I can understand Go refusing to open a connection with such an unusual certificate. If so, maybe the failure should be enforced by a policy and the error message explicit?
@jvehent jvehent changed the title crypto/tls: internal error when connecting to site with abnormaly bit certificate crypto/tls: internal error when connecting to site with abnormaly large certificate Nov 25, 2015
@rsc
Copy link
Contributor

rsc commented Dec 28, 2015

/cc @agl

@rsc rsc added this to the Go1.7 milestone Dec 28, 2015
@agl agl self-assigned this Dec 28, 2015
@agl
Copy link
Contributor

agl commented Mar 10, 2016

Certainly the error message could be better, which is hopefully addressed in https://go-review.googlesource.com/#/c/20547/.

However, did you expect 10000-sans.badssl.com to work? It doesn't work in OpenSSL nor Chrome at least. I'm unsure whether this is something that reals sites would want to do, and thus should be supported, or whether our existing handshake message limit is still reasonable.

@gopherbot
Copy link

CL https://golang.org/cl/20547 mentions this issue.

@jvehent
Copy link
Author

jvehent commented Mar 11, 2016

I don't think there is a valid use case for certificates that large (yet? ever?). I was essentially curious about Go's behavior shortly after the badssl site was setup. Thanks for fixing the error message 👍

@jvehent jvehent closed this as completed Mar 11, 2016
gopherbot pushed a commit that referenced this issue Mar 12, 2016
@agl
crypto/tls: better error for oversized handshake messages.
8884973 
This change improves the error message when encountering a TLS handshake
message that is larger than our limit (64KB). Previously the error was
just “local error: internal error”.

Updates #13401.

Change-Id: I86127112045ae33e51079e3bc047dd7386ddc71a
Reviewed-on: https://go-review.googlesource.com/20547
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
@golang golang locked and limited conversation to collaborators Mar 13, 2017
@rsc rsc unassigned agl Jun 23, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
Go1.7
Development

No branches or pull requests
4 participants
@agl @rsc @jvehent @gopherbot