
crypto/tls: internal error when connecting to site with abnormally large certificate #13401

Closed
jvehent opened this issue Nov 25, 2015 · 4 comments

Comments


@jvehent jvehent commented Nov 25, 2015

https://10000-sans.badssl.com is a test site that serves a certificate with 10,000 SAN records for the purpose of breaking TLS clients. Go is unable to open a connection to this site, and breaks with the error:

$ go run https_break.go 
panic: Get https://10000-sans.badssl.com: local error: internal error

goroutine 1 [running]:
main.main()
    /home/ulfr/git/go-toybox/https_break.go:8 +0x6e

goroutine 17 [syscall, locked to thread]:
runtime.goexit()
    /usr/lib/go/src/runtime/asm_amd64.s:1696 +0x1
exit status 2

Source code is

package main

import "net/http"

func main() {
    _, err := http.Get("https://10000-sans.badssl.com")
    if err != nil {
        panic(err)
    }
}

I would like for this to work, but I can understand Go refusing to open a connection with such an unusual certificate. If so, maybe the failure should be enforced by a policy and the error message explicit?

@jvehent jvehent changed the title crypto/tls: internal error when connecting to site with abnormaly bit certificate crypto/tls: internal error when connecting to site with abnormaly large certificate Nov 25, 2015

@rsc rsc commented Dec 28, 2015

/cc @agl

@rsc rsc added this to the Go1.7 milestone Dec 28, 2015
@agl agl self-assigned this Dec 28, 2015

@agl agl commented Mar 10, 2016

Certainly the error message could be better, which is hopefully addressed in https://go-review.googlesource.com/#/c/20547/.

However, did you expect 10000-sans.badssl.com to work? It doesn't work in OpenSSL nor Chrome at least. I'm unsure whether this is something that real sites would want to do, and thus should be supported, or whether our existing handshake message limit is still reasonable.


@gopherbot gopherbot commented Mar 10, 2016

CL https://golang.org/cl/20547 mentions this issue.


@jvehent jvehent commented Mar 11, 2016

I don't think there is a valid use case for certificates that large (yet? ever?). I was essentially curious about Go's behavior shortly after the badssl site was setup. Thanks for fixing the error message 👍

@jvehent jvehent closed this Mar 11, 2016
gopherbot pushed a commit that referenced this issue Mar 12, 2016
This change improves the error message when encountering a TLS handshake
message that is larger than our limit (64KB). Previously the error was
just “local error: internal error”.

Updates #13401.

Change-Id: I86127112045ae33e51079e3bc047dd7386ddc71a
Reviewed-on: https://go-review.googlesource.com/20547
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
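To see why a certificate like the one served by 10000-sans.badssl.com trips this limit, here is an added Go example (not code from the issue or from Go's crypto/tls): it builds a self-signed test certificate with n constructed SANs under .example.test and estimates the size of the resulting TLS Certificate handshake message against the 64KB cap. The cap is assumed to be exactly 65536 bytes, the framing follows TLS 1.2 (RFC 5246), and the function and SAN names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// maxHandshakeBytes is the 64KB handshake message limit named in the commit
// message above, assumed here to be exactly 65536 bytes.
const maxHandshakeBytes = 64 * 1024

// makeCertWithSANs builds a self-signed test certificate carrying n
// constructed DNS SANs under .example.test and returns its DER encoding.
func makeCertWithSANs(n int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(time.Hour)}
	for i := 0; i < n; i++ {
		tmpl.DNSNames = append(tmpl.DNSNames, fmt.Sprintf("san%05d.example.test", i))
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// certificateMessageSize estimates the TLS 1.2 Certificate message (RFC 5246):
// 4-byte handshake header, 3-byte list length, then 3-byte length + DER per cert.
func certificateMessageSize(chain [][]byte) int {
	size := 4 + 3
	for _, der := range chain {
		size += 3 + len(der)
	}
	return size
}

func main() {
	for _, n := range []int{1, 10000} {
		der, err := makeCertWithSANs(n)
		if err != nil {
			panic(err)
		}
		size := certificateMessageSize([][]byte{der})
		fmt.Printf("%5d SANs: ~%d bytes, over 64KB limit: %v\n", n, size, size > maxHandshakeBytes)
	}
}
```

A single SAN lands well under the cap while 10,000 SANs is several times over it, so a client enforcing the limit rejects the message before the chain is even parsed; checking a chain's encoded size this way before deployment catches the failure mode this issue reports.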
@golang golang locked and limited conversation to collaborators Mar 13, 2017