Working with misformatted TLS client certificate

I have a TLS server based on crypto/tls that has been serving TLS sessions for 2+ years. But I ran into an issue with a bad client cert (generated by Intune) where the URI in the SAN has the wrong format. The tls package fails the TLS handshake without giving the application a chance to intervene and ignore the bad URI. As a service, I’m not very picky about parts of the cert that may not matter; I just want the TLS handshake to succeed and maybe emit a log about the bad field in the cert.
I’ve identified the exact place in x509/parser.go in function parseSANExtension where the check fails. I also tried to “fork” crypto/tls but it can’t be done because it imports “internal” packages that I don’t have access to.
Any way I can make progress here?
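
An offline reproduction of the rejection described in the question, as an added example that is not part of the original post or of the Go project: it builds a throwaway certificate with a hand-encoded URI SAN and passes it to x509.ParseCertificate, which reaches the SAN check in x509/parser.go. The function names and the sample URIs are constructed for illustration; they are not the value Intune emitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CertWithURISAN returns a self-signed certificate (constructed test data) whose SAN holds uri
// byte-for-byte as a [6] uniformResourceIdentifier; the template's URIs field cannot carry bad values.
func CertWithURISAN(uri string) ([]byte, error) {
	san, err := asn1.Marshal([]asn1.RawValue{{Class: asn1.ClassContextSpecific, Tag: 6, Bytes: []byte(uri)}})
	if err != nil {
		return nil, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-client"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		// 2.5.29.17 is subjectAltName; the raw value is emitted as-is.
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 17}, Value: san}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

// StrictParseErr returns what x509.ParseCertificate says about a certificate whose only SAN is uri.
func StrictParseErr(uri string) error {
	der, err := CertWithURISAN(uri)
	if err != nil {
		return fmt.Errorf("building test certificate: %w", err)
	}
	_, err = x509.ParseCertificate(der)
	return err
}

func main() {
	for _, uri := range []string{"spiffe://example.test/device", "://missing-scheme", "https://exämple.test/"} {
		fmt.Printf("%q -> %v\n", uri, StrictParseErr(uri))
	}
}
```

Running candidate SAN URI formats through StrictParseErr before a certificate profile is rolled out shows which ones a crypto/tls server would refuse during the handshake.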