UNKNOWN Go

Verify panics on certificates with an unknown public key algorithm in crypto/x509

GO-2024-2598 · BIT-golang-2024-24783 · CVE-2024-24783


Description

Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic.

This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.
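A triage aid for the scope described above, as an added example that is not part of the advisory or of the Go project's code: it reports whether a server `tls.Config` uses one of the two affected `ClientAuth` modes, and which certificates in an already parsed chain carry a public key algorithm that `crypto/x509` did not recognise. The function names are hypothetical, and the configurations and certificate values in `main` are constructed for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// ServerVerifiesClientCerts reports whether a server-side tls.Config uses one
// of the two ClientAuth modes the advisory lists as affected. The zero value
// (tls.NoClientCert) is the default and does not verify client certificates.
// Hypothetical helper name.
func ServerVerifiesClientCerts(cfg *tls.Config) bool {
	switch cfg.ClientAuth {
	case tls.VerifyClientCertIfGiven, tls.RequireAndVerifyClientCert:
		return true
	}
	return false
}

// UnknownKeyAlgIndexes returns the positions in chain of certificates whose
// PublicKeyAlgorithm is x509.UnknownPublicKeyAlgorithm, the condition the
// advisory describes. Hypothetical helper name.
func UnknownKeyAlgIndexes(chain []*x509.Certificate) []int {
	var idx []int
	for i, c := range chain {
		if c.PublicKeyAlgorithm == x509.UnknownPublicKeyAlgorithm {
			idx = append(idx, i)
		}
	}
	return idx
}

func main() {
	// Constructed configurations: a default server and an mTLS server.
	def := &tls.Config{}
	mtls := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert}
	fmt.Println("default server in scope:", ServerVerifiesClientCerts(def))
	fmt.Println("mTLS server in scope:   ", ServerVerifiesClientCerts(mtls))

	// Constructed chain: only the algorithm field is populated, which is all
	// the check reads. The middle entry stands in for an unrecognised key type.
	chain := []*x509.Certificate{
		{PublicKeyAlgorithm: x509.ECDSA},
		{PublicKeyAlgorithm: x509.UnknownPublicKeyAlgorithm},
		{PublicKeyAlgorithm: x509.RSA},
	}
	fmt.Println("unknown key algorithm at:", UnknownKeyAlgIndexes(chain))
}
```

Because every crypto/tls client is affected regardless of configuration, the `ClientAuth` check only narrows the server side of an inventory.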
