crypto/x509: Go should be lenient in parsing CRL Distribution Points that do not conform to RFC 5280 4.2.1.13 #23403
At minimum, the following 30 intermediate CA certificates do not encode their CRLs as per RFC 5280 4.2.1.13. Rather than being a sequence of DistributionPoints they are simply a sequence of a single sequence that is a flat list of URIs.
The effect of this is that any certificate that is encoded this way will only ever return a slice with, at most, one CRL URI in it.
I think blaming these certificates may be premature.
If not, I've uploaded an alternative fix.
Oh yeah, I see it now. I can back out my change in favor of yours, I think.
An interesting side bit:
Which not all of these are doing - many are multiple HTTP, the first one being an example. But that is neither here-nor-there for this change.
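The two encodings discussed in this thread, as an added example that is not code from the issue or from crypto/x509: a small DER walker that returns every CRL URI whether the URIs share one DistributionPoint's fullName or sit in separate DistributionPoints. The names `collect`, `CRLURIs`, `tlv`, `uri` and `point`, and the `crl1.example` / `crl2.example` URLs, are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/asn1"
	"fmt"
)

// collect follows the identifier octets in path through nested DER and returns the matching leaves.
func collect(der []byte, path ...byte) (out []string, err error) {
	for len(der) > 0 {
		var v asn1.RawValue
		if der, err = asn1.Unmarshal(der, &v); err != nil {
			return nil, err
		}
		if v.FullBytes[0] != path[0] {
			continue // e.g. reasons [1], cRLIssuer [2], non-URI GeneralNames
		}
		if len(path) == 1 {
			out = append(out, string(v.Bytes))
			continue
		}
		sub, err := collect(v.Bytes, path[1:]...)
		if err != nil {
			return nil, err
		}
		out = append(out, sub...)
	}
	return out, nil
}

// CRLURIs walks SEQUENCE OF DistributionPoint -> distributionPoint [0] ->
// fullName [0] GeneralNames -> uniformResourceIdentifier [6] and keeps every URI.
func CRLURIs(ext []byte) ([]string, error) {
	return collect(ext, 0x30, 0x30, 0xA0, 0xA0, 0x86)
}

// Helpers that build the constructed sample inputs (short-form lengths only).
func tlv(tag byte, parts ...[]byte) []byte {
	body := bytes.Join(parts, nil)
	return append([]byte{tag, byte(len(body))}, body...)
}
func uri(u string) []byte         { return tlv(0x86, []byte(u)) }
func point(uris ...[]byte) []byte { return tlv(0x30, tlv(0xA0, tlv(0xA0, uris...))) }

func main() {
	a, b := uri("http://crl1.example/ca.crl"), uri("http://crl2.example/ca.crl")
	fmt.Println(CRLURIs(tlv(0x30, point(a, b))))        // one DistributionPoint, two URIs
	fmt.Println(CRLURIs(tlv(0x30, point(a), point(b)))) // two DistributionPoints
}
```

Both sample encodings yield the same two URIs; a parser that keeps only one name per DistributionPoint would return a single URI for the first.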