by b2600 3448 days ago
I don't know if comparing "bugs" from AV software and OSs is apples to apples. Also, goto followed by erroneous goto looks like an error (I know) but

"keys are generated, they're inserted using the first 32 bits of MD5(serialNumber||issuer) as the key. If a match is found for a key, they just pull the previously generated certificate and key out of the binary tree"

doesn't


Why not? Caching certificate chains makes sense. Bad hash functions are the norm in systems code, not the exception.

I guess I'm reading these two examples as: 1. an extra goto and 2. a strategy dealing with creating an SSL store that uses a 32(!) bit key. I'm not implying malice but they seem fundamentally different types of errors.
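
An added example, not from the thread or from the product under discussion, of the cache lookup quoted above: with a key of only the first 32 bits of MD5(serialNumber||issuer), two distinct identities share a key after roughly 2^16 entries, and a lookup that does not compare the full identity on a hit returns the other entry's certificate. The class, the function names and the test issuer string are assumptions made for the illustration.

```python
import hashlib

def weak_key(serial: bytes, issuer: bytes) -> bytes:
    # The scheme quoted in the thread: first 32 bits of MD5(serialNumber || issuer).
    return hashlib.md5(serial + issuer).digest()[:4]

def strong_key(serial: bytes, issuer: bytes) -> bytes:
    # Full-width digest over length-prefixed fields, so the pair is unambiguous.
    h = hashlib.sha256()
    for field in (serial, issuer):
        h.update(len(field).to_bytes(4, "big") + field)
    return h.digest()

class CertCache:  # hypothetical cache, for illustration only
    def __init__(self, key_fn, verify_identity):
        self.key_fn, self.verify, self.store = key_fn, verify_identity, {}

    def put(self, serial, issuer, cert):
        self.store[self.key_fn(serial, issuer)] = (serial, issuer, cert)

    def get(self, serial, issuer):
        hit = self.store.get(self.key_fn(serial, issuer))
        if hit is None:
            return None
        if self.verify and hit[:2] != (serial, issuer):
            return None  # key matched but identity did not: treat as a miss
        return hit[2]

def find_colliding_identities(issuer=b"CN=Constructed Test CA", limit=2_000_000):
    # Birthday search over constructed serial numbers; about 2**16 tries expected.
    seen = {}
    for i in range(limit):
        serial = i.to_bytes(8, "big")
        k = weak_key(serial, issuer)
        if k in seen:
            return (seen[k], issuer), (serial, issuer)
        seen[k] = serial
    raise RuntimeError("no collision within limit")

def demo():
    a, b = find_colliding_identities()
    results = {}
    for name, cache in (("weak", CertCache(weak_key, False)),
                        ("weak+verify", CertCache(weak_key, True)),
                        ("strong", CertCache(strong_key, True))):
        cache.put(*a, "cert-for-A")
        results[name] = cache.get(*b)  # identity b was never inserted
    return a, b, results

if __name__ == "__main__":
    print(demo())
```

Comparing the stored identity on every hit closes the gap even with the short key; the full-width key removes the practical chance of a collision in the first place.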