SSL handshake failure #5859
Comments
Additional comment: issue doesn't happen with AHC1, which runs on Netty 3 instead of 4.0.
Will check
Thanks. I had a quick look at the ssl debug log, it looked like the engine wasn't getting fed enough bytes. Sadly, I won't be able to investigate myself for quite some time :(
I think it may be a server issue. Your example is able to connect to other well known hosts without issue. openssl's s_client also detects an error:
But I have no problem with Chrome, Firefox and curl.
@Scottmitch Actually, you could be right. I forced SSLEngine to use the same cipher suite as curl,
So can we close this one?
@slandelle This issue is indeed caused by the servers of CloudFlare, because they only support the following Cipher Suites:
This test result is reported by ssllabs.
I will close for now @slandelle please re-open if you feel there is a Netty component to this issue.
Honestly, it bugs me that Netty fails by default where other user-agents (tested with Chrome, FireFox and curl) succeed.
CloudFlare supports none of them. Is there a good reason for Netty to be more strict than the rest of the world when it comes to cipher suites, and in the end, not be compatible? Why is
@normanmaurer Is it possible for Netty to support more cipher suites?
AFAIK there is no reason why we can't add a few more cipher suites to the default set. It has been a while since we have re-visited this. Any objections to the following approach for starters:
and removing (older cipher using 3des):
Just to clarify @joymufeng you are free (and generally encouraged if your use case requires it) to specify your own list of ciphers via SslContextBuilder#ciphers(..).
@Scottmitch Great! Thanks for reminding!
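As an added example (not code from this thread or from Netty itself), this is how a client would pin its own cipher list through SslContextBuilder#ciphers(..) and then check which of the requested suites the chosen provider actually offers, so a "no shared cipher" handshake failure can be spotted before connecting; the suite names and the peer host are assumptions:

```java
import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.SupportedCipherSuiteFilter;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public final class CipherCheck {

    // Assumed preference list (standard IANA names) chosen for illustration only;
    // the suites discussed in the issue are not reproduced here.
    static final List<String> PREFERRED = Arrays.asList(
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");

    static SslContext buildClientContext(SslProvider provider) throws SSLException {
        // SupportedCipherSuiteFilter silently drops any name the provider cannot
        // offer, so the effective list may be shorter than PREFERRED.
        return SslContextBuilder.forClient()
                .sslProvider(provider)
                .ciphers(PREFERRED, SupportedCipherSuiteFilter.INSTANCE)
                .build();
    }

    /** Requested suites the provider dropped; empty means every suite is offered. */
    static List<String> dropped(SslContext ctx) {
        List<String> missing = new ArrayList<>(PREFERRED);
        missing.removeAll(ctx.cipherSuites());
        return missing;
    }

    public static void main(String[] args) throws SSLException {
        SslContext ctx = buildClientContext(SslProvider.JDK);
        // Peer host/port are placeholders; no connection is opened here.
        SSLEngine engine = ctx.newEngine(ByteBufAllocator.DEFAULT, "example.com", 443);
        System.out.println("offered: " + Arrays.toString(engine.getEnabledCipherSuites()));
        System.out.println("dropped: " + dropped(ctx));
    }
}
```

Running it with SslProvider.OPENSSL instead of SslProvider.JDK shows whether the two providers end up offering different subsets of the same requested list.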
Motivation: Our default cipher list has not been updated in a while. We currently support some older ciphers not commonly in use and we don't support some newer ciphers which are more commonly used.
Modifications:
- Update the default list of ciphers for JDK and OpenSSL.
Result: Default cipher list is more likely to connect to peers. Fixes netty#5859
Hi there,
Please consider this sample.
It always crashes when trying to connect to "https://netty.io".
Issue was originally reported against AHC, see AsyncHttpClient/async-http-client#1252.
It doesn't seem to be actually related to SNI, as the sample works fine against "https://github.com" that has SNI enabled too.
Am I missing something?
Regards