net/http: tls verify error message make confused.

[xiekeyi98]

What version of Go are you using (go version)?

$ go version
go version go1.15.5 linux/amd64

Does this issue reproduce with the latest release?

yep.

What operating system and processor architecture are you using (go env)?

ubuntu@VM-0-6-ubuntu:~$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/ubuntu/.cache/go-build"
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/ubuntu/go"
GORACE=""
GOROOT="/usr/lib/go-1.10"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go-1.10/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build235759783=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Run this golang program:

package main

import (
        "bytes"
        "encoding/json"

        "fmt"
        "io/ioutil"
        "net/http"
//      "crypto/tls"

        "time"
)

func PostJSONWithTimeout(
        urlString string,
        req interface{},
        timeout time.Duration,
) (body []byte, err error) {

        buffer := new(bytes.Buffer)
        json.NewEncoder(buffer).Encode(req)



        client := http.Client{
                Timeout: timeout,
                Transport: &http.Transport{
                        //TLSClientConfig:   &tls.Config{InsecureSkipVerify: true},
                        DisableKeepAlives: true},
        }
        resp, err := client.Post(urlString, "application/json", buffer)

        if err != nil {
                fmt.Printf("err:%v", err)
                return nil, err
        }

        defer resp.Body.Close()

        body, err = ioutil.ReadAll(resp.Body)
        if err != nil {
                fmt.Printf("error:%s", err.Error())
        } else {
                fmt.Printf("suc %s\n", string(body))
        }
        return body, nil
}

func main() {

        req := map[string]string{
                "appkey":        "",
                "encryptsecret": "",
                "firmacctid":    "tt",
        }

        PostJSONWithTimeout("https://firmacct.html5.qq.com/oauth2/get_sig", req, time.Hour)

}

Get Error :

ubuntu@VM-0-6-ubuntu:~$ ~/go/bin/go version && ~/go/bin/go run ./main2.go 
go version go1.15.5 linux/amd64
err:Post "https://firmacct.html5.qq.com/oauth2/get_sig": dial tcp: lookup firmacct.html5.qq.com: too many open files
ubuntu@VM-0-6-ubuntu:~$ ^C

But when I use the go 1.10.4

ubuntu@VM-0-6-ubuntu:~$ go version && go run ./main2.go 
go version go1.10.4 linux/amd64
suc {"ErrCode":-1004,"ErrMsg":"http postbody param empty","Sig":""}

Question

I am confused that why the error message is so strange?

I think he may have something to do with site credentials, but why is the error message so confusing?

[xiekeyi98]

When I use the InsecureSkipVerify , it ok .

ubuntu@VM-0-6-ubuntu:~$ cat ./main2.go  && go run ./main2.go 

package main

import (
        "bytes"
        "encoding/json"

        "fmt"
        "io/ioutil"
        "net/http"
        "crypto/tls"

        "time"
)

func PostJSONWithTimeout(
        urlString string,
        req interface{},
        timeout time.Duration,
) (body []byte, err error) {

        buffer := new(bytes.Buffer)
        json.NewEncoder(buffer).Encode(req)



        client := http.Client{
                Timeout: timeout,
                Transport: &http.Transport{
                        TLSClientConfig:   &tls.Config{InsecureSkipVerify: true},
                        DisableKeepAlives: true},
        }
        resp, err := client.Post(urlString, "application/json", buffer)

        if err != nil {
                fmt.Printf("err:%v", err)
                return nil, err
        }

        defer resp.Body.Close()

        body, err = ioutil.ReadAll(resp.Body)
        if err != nil {
                fmt.Printf("error:%s", err.Error())
        } else {
                fmt.Printf("suc %s\n", string(body))
        }
        return body, nil
}

func main() {

        req := map[string]string{
                "appkey":        "",
                "encryptsecret": "",
                "firmacctid":    "tt",
        }

        PostJSONWithTimeout("https://firmacct.html5.qq.com/oauth2/get_sig", req, time.Hour)

}


suc {"ErrCode":-1004,"ErrMsg":"http postbody param empty","Sig":""}

[xiekeyi98]

When I switch to another better server, it works on go1.15.5

but it took too many handles.

I think it may sth happened about http2.

[xiekeyi98]

Close this issue because maybe the server has sth wrong.

[xiekeyi98]

Test with CURL

ubuntu@VM-0-6-ubuntu:~$ curl https://firmacct.html5.qq.com/oauth2/get_sig" -vvI -XPOST
> ^C
ubuntu@VM-0-6-ubuntu:~$ curl https://firmacct.html5.qq.com/oauth2/get_sig -vvI -XPOST
*   Trying 121.51.19.218...
* TCP_NODELAY set
* Connected to firmacct.html5.qq.com (121.51.19.218) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=CN; ST=guangdong; L=shenzhen; O=Tencent Technology (Shenzhen) Company Limited; CN=*.jun04.sparta.3g.qq.com
*  start date: Jun 16 02:40:45 2020 GMT
*  expire date: Jun 17 02:40:45 2021 GMT
*  subjectAltName: host "firmacct.html5.qq.com" matched cert's "*.html5.qq.com"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Organization Validation CA - SHA256 - G2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55de1529a580)
> POST /oauth2/get_sig HTTP/2
> Host: firmacct.html5.qq.com
> User-Agent: curl/7.58.0
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200 
HTTP/2 200 
< server: nginx
server: nginx
< date: Sat, 21 Nov 2020 19:37:10 GMT
date: Sat, 21 Nov 2020 19:37:10 GMT
< content-type: application/json
content-type: application/json
< content-length: 64
content-length: 64

< 
* Excess found in a non pipelined read: excess = 64 url = /oauth2/get_sig (zero-length body)
* Connection #0 to host firmacct.html5.qq.com left intact
ubuntu@VM-0-6-ubuntu:~$ 


**it should return some JSON string**

ubuntu@VM-0-6-ubuntu:~$ curl https://firmacct.html5.qq.com/oauth2/get_sig  -XPOST
{"ErrCode":-1004,"ErrMsg":"http postbody param empty","Sig":""}



ubuntu@VM-0-6-ubuntu:~$ curl --version
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1 zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL 
ubuntu@VM-0-6-ubuntu:~$