https://10000-sans.badssl.com is a test site that serves a certificate with 10,000 SAN records for the purpose of breaking TLS clients. Go is unable to open a connection to this site, and breaks with the error:
$ go run https_break.go
panic: Get https://10000-sans.badssl.com: local error: internal error
goroutine 1 [running]:
goroutine 17 [syscall, locked to thread]:
exit status 2
I would like for this to work, but I can understand Go refusing to open a connection with such an unusual certificate. If so, maybe the failure should be enforced by a policy and the error message explicit?
Title changed (Nov 25, 2015) to: crypto/tls: internal error when connecting to site with abnormally big certificate
However, did you expect 10000-sans.badssl.com to work? It doesn't work in OpenSSL or Chrome, at least. I'm unsure whether this is something that real sites would want to do, and thus should be supported, or whether our existing handshake message limit is still reasonable.
I don't think there is a valid use case for certificates that large (yet? ever?). I was essentially curious about Go's behavior shortly after the badssl site was set up. Thanks for fixing the error message 👍
This change improves the error message when encountering a TLS handshake
message that is larger than our limit (64KB). Previously the error was
just “local error: internal error”.
Reviewed-by: Brad Fitzpatrick <firstname.lastname@example.org>
Run-TryBot: Adam Langley <email@example.com>
TryBot-Result: Gobot Gobot <firstname.lastname@example.org>