the certificate can be parsed in php...

`// isPrintable reports whether the given b is in the ASN.1 PrintableString set.
func isPrintable(b byte) bool {

bb := 'a' <= b && b <= 'z' ||
	'A' <= b && b <= 'Z' ||
	'0' <= b && b <= '9' ||
	'\'' <= b && b <= ')' ||
	'+' <= b && b <= '/' ||
	b == ' ' ||
	b == ':' ||
	b == '=' ||
	b == '?' ||
	// This is technically not allowed in a PrintableString.
	// However, x509 certificates with wildcard strings don't
	// always use the correct string type so we permit it.
	b == '*' ||
            //clone the asn1 and x509 packages and add this line for fixing the issue 
	b == 180 || b == 243 ||b == 193 ||b == 172 ||b == 181 ||b == 231 ||b == 208 ||b == 197**
return bb

}`

An online certificate decoder suggest that the organisation name is not a valid PrintableString. A PrintableString may only contain certain characters, https://en.wikipedia.org/wiki/PrintableString, no Big-5, Punycode, or UTF-8.

How did you generate this certificate?

not my certificate...i can't change it

I'm sorry, this certificate is not valid. Some implementations may accept it, but Go's strict implementation will not accept it.

Which device or manufacturer generated this certificate? /cc @agl

I know it contains gbk characters, but the certificate is generated by another company...

It was also generated 16 years ago, and expired 14 years ago. It's not valid even if it could be parsed.

............

@tonyjt i'm just trying to help mate. Please be mindful that there is a live human on the other side of this discussion. I appreciate you are frustrated, but as a volunteer, it is not appropriate to direct that frustration at others.

I ask them to regenerate the certificate, but they say no...

looks like clone the asn1 and x509 packages is the only solution for me, appericate for you help

Why won't they regenerate the certificate? It expired 14 years ago.

I went to have a look at the RFC: https://www.ietf.org/rfc/rfc5280.txt

At page 113, it seems to say that X520OrganizationName can be any valid utf-8 string, unless I'm reading it wrong:

X520OrganizationName ::= CHOICE {
      teletexString     TeletexString
                          (SIZE (1..ub-organization-name)),
      printableString   PrintableString
                          (SIZE (1..ub-organization-name)),
      universalString   UniversalString
                          (SIZE (1..ub-organization-name)),
      utf8String        UTF8String
                          (SIZE (1..ub-organization-name)),
      bmpString         BMPString
                          (SIZE (1..ub-organization-name))  }

Correct, but their certificate indicates that this is a PrintableString. They could choose to use another encoding, but they chose PrintableString.

Why won't they regenerate the certificate? What use is a certificate that expired 14 years ago, even if you could decode it, you'd have to tell the TLS package to ignore the fact it is expired. At that point, why use a certificate at all?

i don't know, maybe they think it works in java and php...

I can't see a bug here. If you're asking that the parser be more lenient, other saner cases would break; programs relying on the parser erroring on invalid certificates of this kind, for example.

Is there a good reason to consider this change, other than "it makes my program work with an old certificate whose issuer won't fix it"?

Timed out in state WaitingForInfo. Closing.

(I am just a bot, though. Please speak up if this is a mistake or you have the requested information.)