net/http: ListenAndServeTLS closing connection to IE10 and IE11 when only TLSv1.0 is permitted #17285

Closed
kmckelvin opened this issue Sep 29, 2016 · 3 comments

@kmckelvin

commented Sep 29, 2016

What version of Go are you using (go version)?

go version go1.7.1 linux/amd64

This also occurred on go1.6.1.

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/kevin/go"
GORACE=""
GOROOT="/usr/local/go"
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build495107859=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"

What did you do?

A Go executable serving on port 443 using

http.ListenAndServeTLS(":443", sslConfig.CertFilePath, sslConfig.KeyFilePath, handler)

We haven't made any specific TLS changes.

What did you expect to see?

When making an HTTPS request to the running server it should have responded with the 200 OK response.

What did you see instead?

When connecting from a Windows machine with SSL 2.0, SSL 3.0 and TLS 1.0 enabled as follows (screenshot of the Windows settings in the original issue):

IE10+ fails to connect to the server over HTTPS (screenshot of the browser error in the original issue).

I've noticed that Caddy-based servers have the same problem. TLS 1.0 shows as enabled when analyzing our SSL config through ssllabs.com.

  • Disabling SSL 2.0 and SSL 3.0 in Windows settings, so that only TLS1.0 is enabled, works.
  • Enabling any later version of TLS (1.1 or 1.2) alongside SSLv2 and SSLv3 works.

It's just this one config set that seems to have a problem connecting to Go's HTTP stack (it has no problem connecting to an equivalently configured nginx instance for example, over TLS1.0).

(Yes it's crazy to have TLS1.1 and 1.2 disabled, but corporates be corporates and I can't fix their security policies)

@bradfitz

Member

commented Sep 29, 2016

Are you using HTTP/2?

If so, HTTP/2 requires TLS 1.2 (http://httpwg.org/specs/rfc7540.html#rfc.section.9.2).

The only thing I can think of is that you're getting into the HTTP/2 path and it's rejecting it there.

But please collect more logs. What does Go say? Any error logs reported?

@bradfitz changed the title from "net/http - ListenAndServeTLS closing connection to IE10 and IE11 when only TLSv1.0 is permitted" to "net/http: ListenAndServeTLS closing connection to IE10 and IE11 when only TLSv1.0 is permitted" Sep 29, 2016

@kmckelvin

Author

commented Sep 29, 2016

@bradfitz yes we're using HTTP/2, but we haven't done anything to disable HTTP/1.1, and it works when only TLS1.1 is enabled instead of TLS 1.0.

I'm picking this up from the logs:

2016/09/29 17:34:37 http: TLS handshake error from 10.142.0.3:53817: tls: unsupported SSLv2 handshake received
2016/09/29 17:34:37 http: TLS handshake error from 10.142.0.2:53818: tls: unsupported SSLv2 handshake received
2016/09/29 17:34:37 http: TLS handshake error from 10.142.0.3:53819: tls: unsupported SSLv2 handshake received
2016/09/29 17:34:37 http: TLS handshake error from 10.12.5.1:53820: tls: unsupported SSLv2 handshake received
2016/09/29 17:34:37 http: TLS handshake error from 10.142.0.4:53821: tls: unsupported SSLv2 handshake received
2016/09/29 17:34:37 http: TLS handshake error from 10.142.0.2:53822: tls: unsupported SSLv2 handshake received
@bradfitz

Member

commented Sep 29, 2016

Oh, this is a dup of #3930 and #3677.

Sorry, this isn't going to be fixed. See decision in https://golang.org/cl/20094 and #3930.
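The log lines posted above pin down what the server is refusing. An SSLv2-compatible CLIENT-HELLO carries no TLS record header: its first byte is a length byte with the high bit set (0x80), and no legitimate TLS record type has that value, so crypto/tls answers with a protocol_version alert before any version negotiation takes place. Lowering `MinVersion` cannot help, because the message is rejected at the record layer, not on the version it offers. The following example is added here and is not code from the issue or from the Go project. It reproduces both halves over an in-memory pipe: a hand-built SSLv2-format hello (constructed bytes) is refused with exactly the error text seen in the reporter's logs, while a real Go client pinned to TLS 1.0 is accepted by the same server. The certificate is a throwaway self-signed one for the made-up name `example.test`, generated in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// must keeps setup short: a failure here is a bug in the demo, not a handshake result.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedCert builds a throwaway ECDSA certificate for the made-up name
// example.test (constructed test material) so the demo needs no files on disk.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// sslv2ClientHello is a constructed SSLv2-format CLIENT-HELLO. It has no TLS record
// header: byte 0 is 0x80 (length with MSB set), which is what Go's record layer keys on.
var sslv2ClientHello = append([]byte{
	0x80, 0x2e, // SSLv2 record header: MSB set, 46 payload bytes follow
	0x01,       // message type CLIENT-HELLO
	0x03, 0x01, // highest version offered: TLS 1.0
	0x00, 0x15, // cipher-spec length 21 (seven 3-byte specs)
	0x00, 0x00, // session-id length 0
	0x00, 0x10, // challenge length 16
	0x00, 0x00, 0x2f, 0x00, 0x00, 0x35, 0x00, 0x00, 0x0a, // TLS suites in SSLv2 3-byte form
	0x00, 0x00, 0x05, 0x00, 0x00, 0x04, 0x01, 0x00, 0x80, 0x07, 0x00, 0xc0,
}, make([]byte, 16)...) // 16-byte challenge (zeros; constructed)

// serverHandshake is the server under test: a crypto/tls server that still permits
// TLS 1.0, which is as far back as Go can be configured to go.
func serverHandshake(conn net.Conn, cert tls.Certificate) error {
	srv := tls.Server(conn, &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS10,
	})
	defer conn.Close() // close the raw pipe; a TLS close_notify would block a synchronous pipe
	return srv.Handshake()
}

// HandshakeWithSSLv2Hello feeds the SSLv2-format hello to the server and returns the
// server-side handshake error, the text net/http prefixes with "http: TLS handshake error from".
func HandshakeWithSSLv2Hello() error {
	cert, _ := selfSignedCert()
	clientSide, serverSide := net.Pipe()
	go func() {
		defer clientSide.Close()
		go clientSide.Write(sslv2ClientHello) // net.Pipe is synchronous: write and read concurrently
		buf := make([]byte, 64)
		_, _ = clientSide.Read(buf) // drain the protocol_version alert the server sends back
	}()
	return serverHandshake(serverSide, cert)
}

// HandshakeWithGoClient runs a real TLS client pinned to TLS 1.0 against the same
// server and returns the negotiated version, showing the version itself is not refused.
func HandshakeWithGoClient() (uint16, error) {
	cert, pool := selfSignedCert()
	clientSide, serverSide := net.Pipe()
	serverErr := make(chan error, 1)
	go func() { serverErr <- serverHandshake(serverSide, cert) }()
	cli := tls.Client(clientSide, &tls.Config{
		ServerName: "example.test",
		RootCAs:    pool,
		MinVersion: tls.VersionTLS10,
		MaxVersion: tls.VersionTLS10,
	})
	defer cli.Close()
	if err := cli.Handshake(); err != nil {
		return 0, err
	}
	if err := <-serverErr; err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}
```

The error crypto/tls returns for the SSLv2 case is a `tls.RecordHeaderError` that carries the first five bytes read from the wire, so an `ErrorLog` handler on the `http.Server` can tell this class of client apart from other handshake failures by the 0x80 type byte. That is consistent with the reporter's observation that enabling TLS 1.1 or 1.2 on the Windows side made the connection work: the browser then sends a TLS-format hello, which the server negotiates normally.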

@bradfitz bradfitz closed this Sep 29, 2016

@golang golang locked and limited conversation to collaborators Sep 29, 2017
