From e99ee481a488de8ffc7ae526c3f5ecccdec864a0 Mon Sep 17 00:00:00 2001
From: Andrew Ayer
Date: Mon, 9 May 2016 15:46:14 -0700
Subject: [PATCH] Disable check of pre-cert poision value

Too many pre-certs in the logs with the wrong value :-(
---
 precerts.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/precerts.go b/precerts.go
index defd20a..9741e7c 100644
--- a/precerts.go
+++ b/precerts.go
@@ -77,9 +77,12 @@ func ValidatePrecert (precertBytes []byte, tbsBytes []byte) error {
 if !precertExt.Critical {
 return errors.New("pre-cert poison extension is not critical")
 }
+ /* CAs can't even get this right, and Google's logs don't check. Fortunately,
+ it's not that important.
 if !bytes.Equal(precertExt.Value, []byte{0x05, 0x00}) {
 return errors.New("pre-cert poison extension contains incorrect value")
 }
+ */
 precertHasPoison = true
 continue
 }
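Review bot: The poison-value check in ValidatePrecert is disabled by wrapping it in a `/* … */` block, which leaves dead code behind and a comment that calls the check "not that important" without saying why. I would delete the disabled lines and record the relaxation instead, for example `// RFC 6962 section 3.1 requires the value to be ASN.1 NULL (05 00); not enforced because logged pre-certs get it wrong. The Critical check above still applies.` After this change a caller cannot tell a conforming pre-cert from one with a malformed poison value, so if anything downstream relies on that distinction it should be surfaced separately rather than dropped silently. If this was the only use of `bytes` in precerts.go, the import is now unused and the build fails; the import block is outside the hunk, so that is worth confirming. The function body starts and ends outside the hunk.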