https://timvision.it and other sites unreachable (ERR_SSL_SERVER_CERT_BAD_FORMAT) on Mac
Issue description
Chrome Version: 60.0.3094.1
Mac OS 10.12.4
Originally added to https://bugs.chromium.org/p/chromium/issues/detail?id=715969#c20 but the https://timvision.it certificate does not contain any TeletexString fields.
May 12 2017
Also reproduces with a different certificate from the same CA: https://www.tim.it/
The X509 lint on CRT.SH notes "WARNING: Policy information has qualifier other than CPS URI":
Policy Identifier=1.3.76.33.1.1.30.1.2.1
[2,1]Policy Qualifier Info: Policy Qualifier Id=User Notice
Qualifier: Notice Text=X.509 SSL Server Authentication Organization ...
but I don't know if that's problematic?
May 12 2017
This appears to be a general problem with many, but not all certificates (e.g. https://www.boffi.com works fine, and also contains the qualifier mentioned in #2) from this CA. https://crt.sh/?Identity=%25&iCAID=1453
May 12 2017
The certificate has a 21 byte long serial number, RFC 5280 requires serial numbers to be 20 bytes or less.
This cert has the case where the serial appears at first glance to be 20 bytes, but it has to be encoded with a leading 0 byte due to the ASN.1 two's complement integer encoding. (If it didn't have the leading 0 byte, it would be a negative number, and 5280 requires the serial number to be positive.)
INTEGER { `00d6e7302716b1f274c45136b17ca3de2769aab568` }
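A small checker for the serial-number rules the comment above describes (DER INTEGER sign bit, the leading 0x00 pad, RFC 5280's 20-octet limit), added here as an example and not Chromium's own code; the sample bytes are the serial quoted above, and `der_integer` is a constructed helper that wraps raw content octets in a DER header.

```python
from dataclasses import dataclass

MAX_SERIAL_OCTETS = 20  # RFC 5280 4.1.2.2: serialNumber content is at most 20 octets


@dataclass
class SerialCheck:
    value: int           # decoded integer value of the serial
    content_octets: int  # number of content bytes inside the DER INTEGER
    problems: list       # DER / RFC 5280 findings, empty when conformant


def check_der_serial(der: bytes) -> SerialCheck:
    """Decode a DER INTEGER (tag 0x02, short or long length form) and
    report the serial-number rules that make Chrome reject a cert."""
    if len(der) < 2 or der[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    if der[1] < 0x80:                      # short-form length
        n, start = der[1], 2
    else:                                  # long form: 0x8k then k length octets
        k = der[1] & 0x7F
        n = int.from_bytes(der[2:2 + k], "big")
        start = 2 + k
    content = der[start:start + n]
    if n == 0 or len(content) != n:
        raise ValueError("truncated or empty INTEGER")
    problems = []
    # DER minimal encoding: a leading 0x00 is only legal when the next byte
    # has its top bit set (otherwise it would read as a negative number).
    if n >= 2 and content[0] == 0x00 and content[1] < 0x80:
        problems.append("non-minimal encoding (redundant leading 0x00)")
    value = int.from_bytes(content, "big", signed=True)
    if value <= 0:
        problems.append("serial must be positive")
    if n > MAX_SERIAL_OCTETS:
        problems.append(f"{n} content octets exceeds RFC 5280 limit of {MAX_SERIAL_OCTETS}")
    return SerialCheck(value, n, problems)


def der_integer(content: bytes) -> bytes:
    """Constructed helper: prefix raw content octets with a DER INTEGER header."""
    n = len(content)
    if n < 0x80:
        return bytes([0x02, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x02, 0x80 | len(lb)]) + lb + content


# The serial from this bug: 20 significant bytes plus the mandatory 0x00 pad = 21 octets.
TIMVISION_SERIAL = der_integer(bytes.fromhex("00d6e7302716b1f274c45136b17ca3de2769aab568"))
```

Running `check_der_serial(TIMVISION_SERIAL)` reports only the 21-octet length problem; dropping the pad byte instead yields a 20-octet but negative serial.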
May 12 2017
We have an option to parse certificates while allowing invalid version numbers (allow_invalid_serial_numbers). If this is widespread may consider enabling that here.
May 15 2017
Do we have data that would allow us to decide whether this needs Release-Block tags?
May 15 2017
Looking at Mac, it looks like Canary has around 0.005% of main frame loads failing with this error (it's been going down, with a high of about 0.007% of loads failing), and subframes had a high of 0.015% of loads failing with this error, but that has since decreased to 0.005%. The timelines for when the peak was are different for main frames and subresources, curiously. Main frame failures on dev have gone from 0.006% down to 0.001% over the past couple of weeks, but subresource failures on dev have just reached a peak of 0.015% (like it was on Canary), but that looks like it's started decreasing, just like it did on Canary.
May 15 2017
(And those numbers are as a portion of all page loads - i.e., they include chrome URLs and the like)
May 15 2017
The decreasing error rates are going to be due to the fix for issue 717905, so you'll need to limit to versions >=60.0.3091.0 or >=59.0.3071.47 for beta. (And ERR_SSL_SERVER_CERT_BAD_FORMAT can be caused by other things as well, so it's an upper bound.) Limiting by the versions above, the Net.SSL_Connection_Error rate for SSL_SERVER_CERT_BAD_FORMAT on beta is 0.01% (and 0.07% on dev/canary). That said, the current plan is to make & merge a CL to use the allow_invalid_serial_numbers flag for now, and revisit the invalid serial number certs with a more formal deprecation plan some time later.
May 16 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/312644de1876bf9eb520f4cfaef5f51eae1dfaf2
commit 312644de1876bf9eb520f4cfaef5f51eae1dfaf2
Author: mattm <mattm@chromium.org>
Date: Tue May 16 08:13:18 2017
X509CertificateBytes: Allow invalid serial numbers for now.
BUG= 721778
Review-Url: https://codereview.chromium.org/2881023003
Cr-Commit-Position: refs/heads/master@{#472040}
[modify] https://crrev.com/312644de1876bf9eb520f4cfaef5f51eae1dfaf2/net/BUILD.gn
[modify] https://crrev.com/312644de1876bf9eb520f4cfaef5f51eae1dfaf2/net/cert/internal/parse_certificate_unittest.cc
[modify] https://crrev.com/312644de1876bf9eb520f4cfaef5f51eae1dfaf2/net/cert/internal/parsed_certificate_unittest.cc
[modify] https://crrev.com/312644de1876bf9eb520f4cfaef5f51eae1dfaf2/net/cert/x509_certificate_bytes.cc
[modify] https://crrev.com/312644de1876bf9eb520f4cfaef5f51eae1dfaf2/net/cert/x509_certificate_unittest.cc
[add] https://crrev.com/312644de1876bf9eb520f4cfaef5f51eae1dfaf2/net/data/parse_certificate_unittest/serial_37_bytes.pem
[add] https://crrev.com/312644de1876bf9eb520f4cfaef5f51eae1dfaf2/net/data/parse_certificate_unittest/serial_negative.pem
[add] https://crrev.com/312644de1876bf9eb520f4cfaef5f51eae1dfaf2/net/data/parse_certificate_unittest/serial_zero_padded.pem
[add] https://crrev.com/312644de1876bf9eb520f4cfaef5f51eae1dfaf2/net/data/parse_certificate_unittest/serial_zero_padded_21_bytes.pem
[delete] https://crrev.com/55085162c036ab80c4392d24cca15c28d7456848/net/data/parse_certificate_unittest/tbs_negative_serial_number.pem
[delete] https://crrev.com/55085162c036ab80c4392d24cca15c28d7456848/net/data/parse_certificate_unittest/tbs_serial_number_21_octets_leading_0.pem
[delete] https://crrev.com/55085162c036ab80c4392d24cca15c28d7456848/net/data/parse_certificate_unittest/tbs_serial_number_26_octets.pem
[modify] https://crrev.com/312644de1876bf9eb520f4cfaef5f51eae1dfaf2/net/data/parse_certificate_unittest/v3_certificate_template.txt
May 18 2017
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
May 18 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3ba70668b65f4c0ce92b7f50602289cc018b24d6
commit 3ba70668b65f4c0ce92b7f50602289cc018b24d6
Author: Matt Mueller <mattm@chromium.org>
Date: Thu May 18 19:26:22 2017
X509CertificateBytes: Allow invalid serial numbers for now.
BUG= 721778
Review-Url: https://codereview.chromium.org/2881023003
Cr-Original-Commit-Position: refs/heads/master@{#472040}
Review-Url: https://codereview.chromium.org/2897433002 .
Cr-Commit-Position: refs/branch-heads/3071@{#619}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}
[modify] https://crrev.com/3ba70668b65f4c0ce92b7f50602289cc018b24d6/net/BUILD.gn
[modify] https://crrev.com/3ba70668b65f4c0ce92b7f50602289cc018b24d6/net/cert/internal/parse_certificate_unittest.cc
[modify] https://crrev.com/3ba70668b65f4c0ce92b7f50602289cc018b24d6/net/cert/internal/parsed_certificate_unittest.cc
[modify] https://crrev.com/3ba70668b65f4c0ce92b7f50602289cc018b24d6/net/cert/x509_certificate_bytes.cc
[modify] https://crrev.com/3ba70668b65f4c0ce92b7f50602289cc018b24d6/net/cert/x509_certificate_unittest.cc
[add] https://crrev.com/3ba70668b65f4c0ce92b7f50602289cc018b24d6/net/data/parse_certificate_unittest/serial_37_bytes.pem
[add] https://crrev.com/3ba70668b65f4c0ce92b7f50602289cc018b24d6/net/data/parse_certificate_unittest/serial_negative.pem
[add] https://crrev.com/3ba70668b65f4c0ce92b7f50602289cc018b24d6/net/data/parse_certificate_unittest/serial_zero_padded.pem
[add] https://crrev.com/3ba70668b65f4c0ce92b7f50602289cc018b24d6/net/data/parse_certificate_unittest/serial_zero_padded_21_bytes.pem
[delete] https://crrev.com/0d69d41d678586c4532ec91a3792a348803ed855/net/data/parse_certificate_unittest/tbs_negative_serial_number.pem
[delete] https://crrev.com/0d69d41d678586c4532ec91a3792a348803ed855/net/data/parse_certificate_unittest/tbs_serial_number_21_octets_leading_0.pem
[delete] https://crrev.com/0d69d41d678586c4532ec91a3792a348803ed855/net/data/parse_certificate_unittest/tbs_serial_number_26_octets.pem
[modify] https://crrev.com/3ba70668b65f4c0ce92b7f50602289cc018b24d6/net/data/parse_certificate_unittest/v3_certificate_template.txt
May 24 2017
Verified this issue on Mac 10.12.4 using the latest Chrome dev M59 #59.0.3071.71 by following the steps mentioned in the original comment. Able to reach the mentioned pages. Hence adding the TE-Verified label. Please refer to the screencast. Thanks,
May 24 2017
Correction
===========
Verified issue on latest Beta M59 #59.0.3071.71. Thanks!
Comment 1 by elawrence@chromium.org, May 12 2017