I have got a very basic app in Go, with the following code:

    var client = &http.Client{
        Timeout: time.Duration(30 * time.Second),
    }
    // skipped payload ...
    response, err := client.Post(apiUrlLogin, contentType, &payload)

err returns with:

    Post https://xxx/api/login: tls: failed to parse certificate from server:
    asn1: structure error: base 128 integer too large

Go version is go version go1.10.2 darwin/amd64
The certificate is self-issued (corporate). I tried making POST requests to the API with curl and it worked fine.
The failure itself happens in Go during normal verification in crypto/tls/handshake_client.go:317 when calling x509.ParseCertificate(asn1Data), which happens before the tls.Config.InsecureSkipVerify check.
Is there any possible workaround to this issue? I tried playing with TLS version, cipher suites, etc. with no luck and now have a sneaky suspicion that it could be a bug in Go.
UPDATE: as @ain mentioned it is a known issue and I didn't find any solution so far.
Yes, it is a known bug / limitation, see this issue.
Basically, subidentifiers of an OID can be of unlimited size, but Go has chosen to use int to store them, i.e. 32 bits per node. Your certificate has an OID in it which contains a node which can't be represented with 31 bits. As this is a self-issued certificate, you might be able to use some other OID instead of the offending one.
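
An added example, not part of the original answer and not Go's own parser: a pre-issuance check a CA operator could run over the content octets of an OBJECT IDENTIFIER to find arcs that will not fit the 31 bits mentioned above. The function name `inspectOID`, the `maxBits` parameter and both byte strings are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// inspectOID decodes the content octets of a DER OBJECT IDENTIFIER (the bytes
// after the 0x06 tag and length) with arbitrary precision. It returns the
// dotted form and every arc whose base-128 subidentifier needs more than
// maxBits bits. maxBits is the caller's assumption about the consuming parser.
func inspectOID(content []byte, maxBits int) (string, []string, error) {
	var arcs, tooBig []string
	cur, open := new(big.Int), false
	for _, b := range content {
		if !open && b == 0x80 {
			return "", nil, errors.New("non-minimal subidentifier (leading 0x80)")
		}
		cur.Lsh(cur, 7).Or(cur, big.NewInt(int64(b&0x7f)))
		if open = b&0x80 != 0; open {
			continue // continuation bit set: more octets follow
		}
		wide := cur.BitLen() > maxBits
		if len(arcs) == 0 {
			// First subidentifier packs two arcs as 40*arc1 + arc2, arc1 in 0..2.
			first := int64(2)
			if cur.Cmp(big.NewInt(80)) < 0 {
				first = cur.Int64() / 40
			}
			arcs = append(arcs, fmt.Sprint(first))
			cur.Sub(cur, big.NewInt(40*first))
		}
		arcs = append(arcs, cur.String())
		if wide {
			tooBig = append(tooBig, cur.String())
		}
		cur = new(big.Int)
	}
	if open || len(arcs) == 0 {
		return "", nil, errors.New("truncated or empty OID")
	}
	return strings.Join(arcs, "."), tooBig, nil
}

func main() {
	// Constructed sample: 1.3.6.1.4.1 followed by an arc of 2^32.
	fmt.Println(inspectOID([]byte{0x2B, 0x06, 0x01, 0x04, 0x01, 0x90, 0x80, 0x80, 0x80, 0x00}, 31))
}
```

Any arc reported in the second return value is a candidate for replacement before the certificate is issued.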