Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: cannot parse Facebook cert #3731

gopherbot opened this issue Jun 13, 2012 · 4 comments

crypto/x509: cannot parse Facebook cert #3731

gopherbot opened this issue Jun 13, 2012 · 4 comments


Copy link

@gopherbot gopherbot commented Jun 13, 2012


I've been doing some work grabbing x509 certs out of SSL traffic and processing them. 
Recently, I've seen some certs from 2a03:2880:10:8f01:face:b00c:0:26 (facebook) that the
x509 package can't seem to process.  I'm not sure if this is because the cert is bad or
because there's an issue with the x509 package, but I thought I'd drop it here and see
if someone wants to take a look.

NOTE:  This is the 3rd cert served by facebook in the SSL handshake.  The first 2 alone
are enough to validate the certificate chain against a root CA.

NOTE 2:  I'm really unfamiliar with certificates myself, so I went no farther than
"It can't parse <sad face>".  It could be a very simple issue.

What steps will reproduce the problem?
If possible, include a link to a program on

What is the expected output?

I was hoping the x509 cert would parse.

What do you see instead?

X509 parsing error: ASN.1 structure error: tags don't match (16 vs {class:0 tag:1
length:0 isCompound:false}) {optional:false explicit:false application:false
defaultValue:<nil> tag:<nil> stringType:0 set:false omitEmpty:false}
AlgorithmIdentifier @945

Which compiler are you using (5g, 6g, 8g, gccgo)?


Which operating system are you using?


Which version are you using?  (run 'go version')

go version go1.0.1

Please provide any additional information below.
Copy link

@gopherbot gopherbot commented Jun 13, 2012

Comment 1 by

I've attached the pcap I got the certificate from.  I generated the pcap with:
sudo tcpdump -i eth0 host 2a03:2880:10:1f02:face:b00c:0:26 and port 443 -s 0 -w /tmp/fb
wget 'https://[2a03:2880:10:1f02:face:b00c:0:26]:443/' --no-check-certificate


  1. fb (7335 bytes)
Copy link

@rsc rsc commented Jun 13, 2012

Comment 2:

Labels changed: added priority-later, removed priority-triage.

Owner changed to @agl.

Status changed to Accepted.

Copy link

@agl agl commented Jun 13, 2012

Comment 4:

The certificate in the play link is actually corrupt: even OpenSSL won't parse it.
At 0x3b3 there's some bytes that don't make any sense. It should be the beginning of the
SignatureAlgorithm, but we get 01 00 95 00 81.

Status changed to WorkingAsIntended.

Copy link

@agl agl commented Jun 13, 2012

Comment 5:

And I know what caused this (it's not a Go bug). I'll email you directly because it's
not a public matter.
@golang golang locked and limited conversation to collaborators Jun 24, 2016
This issue was closed.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
You can’t perform that action at this time.