crypto/tls: remote error: handshake failure #9446

Closed
webluoye opened this issue Dec 26, 2014 · 10 comments
@webluoye webluoye commented Dec 26, 2014

Go version: 1.4
Connecting to the server with SSL gets the error message "remote error: handshake failure".

Code:

```go
ipConn, err := net.DialTCP("tcp", ladd, radd) // ladd, radd: local/remote *net.TCPAddr resolved earlier
printLog("dial error", err)                   // dial errors must be checked before using ipConn
conn := tls.Client(ipConn, tlsconfig)         // tlsconfig is a *tls.Config carrying the client certificate
hsErr := conn.Handshake()                     // returns "remote error: handshake failure"
```

Using openssl works:

    openssl s_client -connect ote1.dotasia.net:700 -cert certs/crt -key certs/key -showcerts -state

Key-Arg   : None
Krb5 Principal: None
Start Time: 1419581515
Timeout   : 300 (sec)
Verify return code: 0 (ok)
@minux minux commented Dec 26, 2014

If the server requires client certificate, have you set your tlsconfig
correctly?
Please show more of your code.

@webluoye webluoye commented Dec 26, 2014

```go
cert, err := tls.LoadX509KeyPair(eppConfig.crtPath, eppConfig.keyPath)
printLog("loadcert errors", err)
// ClientAuth is a server-side option and has no effect in a client config.
// InsecureSkipVerify disables verification of the server's certificate chain and name.
// tls.Client expects a *tls.Config, so the caller must pass &tlsConfig.
tlsConfig = tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: tls.VerifyClientCertIfGiven, InsecureSkipVerify: true}
ladd, lerr := net.ResolveTCPAddr("tcp", eppConfig.LocalIp+":0")
printLog("bind local ip error", lerr)
radd, rerr := net.ResolveTCPAddr("tcp", eppConfig.server+":"+eppConfig.port)
printLog("connect to server error", rerr)
return ladd, radd, tlsConfig
```

@mikioh mikioh changed the title tls:remote error: handshake failure crypto/tls: remote error: handshake failure Dec 26, 2014
@quipo quipo commented Jan 7, 2015

Reproducing script:

```go
package main

import (
    "crypto/tls"
    "fmt"
    "net"
)

// resolve dials u over plain TCP, wraps the connection in a TLS client and
// prints the result of the handshake.
func resolve(u string) {
    dialer := new(net.Dialer)
    rawConn, err := dialer.Dial("tcp", u)
    if err != nil {
        fmt.Println("failed to dial: ", err.Error())
        return
    }
    // InsecureSkipVerify isolates the handshake from certificate verification,
    // so any error printed below comes from the handshake itself.
    config := &tls.Config{InsecureSkipVerify: true}
    conn := tls.Client(rawConn, config)
    fmt.Println(u, conn.Handshake())
    conn.Close()
}

func main() {
    failingUrls := []string{
        "www.vineclient.com:443",
        "www.freespeech.org:443",
        "www.visa.go.kr:443",
        "pressroom.turner.com:443",
        "robertsspaceindustries.com:443",
    }
    for _, u := range failingUrls {
        resolve(u)
    }
}
```
@quipo quipo commented Jan 7, 2015

Reproducing script using an http client directly:

```go
package main

import (
    "crypto/tls"
    "fmt"
    "net/http"
    "time"
)

// resolve issues a GET through an http.Client whose transport skips
// certificate verification, so a failure here is a handshake failure.
func resolve(u string) {
    transport := &http.Transport{
        MaxIdleConnsPerHost: 250,
        TLSClientConfig: &tls.Config{
            InsecureSkipVerify: true,
        },
    }
    client := http.Client{
        Transport: transport,
        Timeout:   15 * time.Second,
    }

    fmt.Println(client.Get(u))
}

func main() {
    failingUrls := []string{
        "https://www.vineclient.com",
        "https://www.freespeech.org",
        "https://www.visa.go.kr",
        "https://pressroom.turner.com",
        "https://robertsspaceindustries.com",
    }
    for _, u := range failingUrls {
        resolve(u)
    }
}
```
@ebfe ebfe commented Jan 7, 2015

www.vineclient.com:443 seems to only accept TLS_DHE_* ciphersuites
pressroom.turner.com:443 seems to only accept TLS_RSA_WITH_RC4_128_MD5

These ciphersuites are not available in crypto/tls.

@bradfitz bradfitz commented Jan 7, 2015

@agl, should crypto/tls return more details than just "remote error: handshake failure" ?

@agl agl commented Jan 7, 2015

"remote error: handshake failure" means that the peer sent us a numeric error code that means "handshake error". In this case we don't have any additional information to return even if we wanted to.

@rsc rsc added this to the Go1.5Maybe milestone Apr 10, 2015
@rsc rsc commented Jul 14, 2015

It doesn't sound like there's much we can do about this.
These servers don't like our client and they don't tell us why.
It's unfortunate.

@rsc rsc closed this Jul 14, 2015
@quipo quipo commented Jul 14, 2015

Well, the problem seems to be a difference in supported ciphersuites between the client and the server (see @ebfe's comment above).

It might get solved once the missing ciphersuites are available in crypto/tls.

@webluoye webluoye commented Aug 27, 2015

Go 1.5: test OK.

@golang golang locked and limited conversation to collaborators Sep 4, 2016