Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/tls: internal error when connecting to site with abnormaly large certificate #13401

jvehent opened this issue Nov 25, 2015 · 4 comments


Copy link

jvehent commented Nov 25, 2015 is a test site that serves a certificate with 10,000 SAN records for the purpose of breaking TLS clients. Go is unable to open a connection to this site, and breaks with the error:

$ go run https_break.go 
panic: Get local error: internal error

goroutine 1 [running]:
    /home/ulfr/git/go-toybox/https_break.go:8 +0x6e

goroutine 17 [syscall, locked to thread]:
    /usr/lib/go/src/runtime/asm_amd64.s:1696 +0x1
exit status 2

Source code is

package main

import "net/http"

func main() {
    _, err := http.Get("")
    if err != nil {

I would like for this to work, but I can understand Go refusing to open a connection with such an unusual certificate. If so, maybe the failure should be enforced by a policy and the error message explicit?

@jvehent jvehent changed the title crypto/tls: internal error when connecting to site with abnormaly bit certificate crypto/tls: internal error when connecting to site with abnormaly large certificate Nov 25, 2015
Copy link

rsc commented Dec 28, 2015

/cc @agl

@rsc rsc added this to the Go1.7 milestone Dec 28, 2015
@agl agl self-assigned this Dec 28, 2015
Copy link

agl commented Mar 10, 2016

Certainly the error message could be better, which is hopefully addressed in

However, did you expect to work? It doesn't work in OpenSSL nor Chrome at least. I'm unsure whether this is something that reals sites would want to do, and thus should be supported, or whether our existing handshake message limit is still reasonable.

Copy link

CL mentions this issue.

Copy link

jvehent commented Mar 11, 2016

I don't think there is a valid use case for certificates that large (yet? ever?). I was essentially curious about Go's behavior shortly after the badssl site was setup. Thanks for fixing the error message 👍

@jvehent jvehent closed this as completed Mar 11, 2016
gopherbot pushed a commit that referenced this issue Mar 12, 2016
This change improves the error message when encountering a TLS handshake
message that is larger than our limit (64KB). Previously the error was
just “local error: internal error”.

Updates #13401.

Change-Id: I86127112045ae33e51079e3bc047dd7386ddc71a
Reviewed-by: Brad Fitzpatrick <>
Run-TryBot: Adam Langley <>
TryBot-Result: Gobot Gobot <>
@golang golang locked and limited conversation to collaborators Mar 13, 2017
@rsc rsc unassigned agl Jun 23, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet

No branches or pull requests

4 participants