crypto/tls: remote error: handshake failure #9446

Closed
webluoye opened this issue Dec 26, 2014 · 10 comments

Comments

@webluoye

Go version: 1.4
Connecting to the server with SSL gives the error message "remote error: handshake failure".

Code:
ipConn, err := net.DialTCP("tcp", ladd, radd) // plain TCP connection to the server
conn := tls.Client(ipConn, tlsconfig)         // wrap it as a TLS client using tlsconfig
hsErr := conn.Handshake()                     // hsErr is "remote error: handshake failure"

Using openssl works:
openssl s_client -connect ote1.dotasia.net:700 -cert certs/crt -key certs/key -showcerts -state

Key-Arg   : None
Krb5 Principal: None
Start Time: 1419581515
Timeout   : 300 (sec)
Verify return code: 0 (ok)
@minux (Member)

minux commented Dec 26, 2014

If the server requires client certificate, have you set your tlsconfig
correctly?
Please show more of your code.

@webluoye (Author)

cert, err := tls.LoadX509KeyPair(eppConfig.crtPath, eppConfig.keyPath) // client certificate and key
printLog("loadcert errors", err)
// ClientAuth is a server-side option and has no effect in a client config;
// InsecureSkipVerify: true disables verification of the server certificate.
tlsConfig = tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: tls.VerifyClientCertIfGiven, InsecureSkipVerify: true}
ladd, lerr := net.ResolveTCPAddr("tcp", eppConfig.LocalIp+":0") // bind to the configured local IP, any port
printLog("bind local ip error", lerr)
radd, rerr := net.ResolveTCPAddr("tcp", eppConfig.server+":"+eppConfig.port)
printLog("connect to server error", rerr)
return ladd, radd, tlsConfig

@mikioh mikioh changed the title tls:remote error: handshake failure crypto/tls: remote error: handshake failure Dec 26, 2014
@quipo

quipo commented Jan 7, 2015

Reproducing script:

package main

import (
    "crypto/tls"
    "fmt"
    "net"
)

func resolve(u string) {
    dialer := new(net.Dialer)
    rawConn, err := dialer.Dial("tcp", u)
    if err != nil {
        fmt.Println("failed to dial: ", err.Error())
        return
    }
    config := &tls.Config{InsecureSkipVerify: true}
    conn := tls.Client(rawConn, config)
    fmt.Println(u, conn.Handshake())
    conn.Close()
}

func main() {
    failingUrls := []string{
        "www.vineclient.com:443",
        "www.freespeech.org:443",
        "www.visa.go.kr:443",
        "pressroom.turner.com:443",
        "robertsspaceindustries.com:443",
    }
    for _, u := range failingUrls {
        resolve(u)
    }
}

@quipo

quipo commented Jan 7, 2015

Reproducing script using an http client directly:

package main

import (
    "crypto/tls"
    "fmt"
    "net/http"
    "time"
)

func resolve(u string) {
    transport := &http.Transport{
        MaxIdleConnsPerHost: 250,
        TLSClientConfig: &tls.Config{
            InsecureSkipVerify: true,
        },
    }
    client := http.Client{
        Transport: transport,
        Timeout:   15 * time.Second,
    }

    fmt.Println(client.Get(u))
}

func main() {
    failingUrls := []string{
        "https://www.vineclient.com",
        "https://www.freespeech.org",
        "https://www.visa.go.kr",
        "https://pressroom.turner.com",
        "https://robertsspaceindustries.com",
    }
    for _, u := range failingUrls {
        resolve(u)
    }
}

@ebfe (Contributor)

ebfe commented Jan 7, 2015

www.vineclient.com:443 seems to only accept TLS_DHE_* ciphersuites
pressroom.turner.com:443 seems to only accept TLS_RSA_WITH_RC4_128_MD5

These ciphersuites are not available in crypto/tls.

@bradfitz (Contributor)

bradfitz commented Jan 7, 2015

@agl, should crypto/tls return more details than just "remote error: handshake failure" ?

@agl (Contributor)

agl commented Jan 7, 2015

"remote error: handshake failure" means that the peer sent us a numeric error code that means "handshake error". In this case we don't have any additional information to return even if we wanted to.
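The following is an added example (not code from this thread or from the Go project) that reproduces what ebfe and agl describe without touching any real server: a TLS 1.2 handshake over an in-memory net.Pipe in which the server enables only a suite the client does not offer. The server's own error ("no cipher suite supported by both client and server") never leaves the server; the client only receives the handshake_failure alert (code 40), which crypto/tls surfaces as "remote error: ... handshake failure" with no further detail. The goSupports helper also checks, using tls.CipherSuites() and tls.InsecureCipherSuites() (Go 1.14+), whether a suite such as TLS_RSA_WITH_RC4_128_MD5 is implemented by crypto/tls at all. The function names, the self-signed demo certificate and the suite choices are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate for the in-process
// server. It is constructed for this demo only and belongs to no real host.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "handshake-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshakeWith runs a TLS 1.2 handshake over net.Pipe between a server that
// enables only serverSuite and a client that offers only clientSuite, and
// returns the client-side handshake error. Both ends are pinned to TLS 1.2
// because TLS 1.3 suites cannot be removed through Config.CipherSuites.
func handshakeWith(serverSuite, clientSuite uint16) error {
	cert, err := selfSignedCert()
	if err != nil {
		return err
	}
	srvRaw, cliRaw := net.Pipe()
	srv := tls.Server(srvRaw, &tls.Config{
		Certificates: []tls.Certificate{cert},
		CipherSuites: []uint16{serverSuite},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
	})
	go func() {
		// The descriptive reason stays on the server side; the client
		// only ever sees the numeric handshake_failure alert.
		if err := srv.Handshake(); err != nil {
			fmt.Println("server side:", err)
		}
		srvRaw.Close()
	}()
	cli := tls.Client(cliRaw, &tls.Config{
		CipherSuites:       []uint16{clientSuite},
		MinVersion:         tls.VersionTLS12,
		MaxVersion:         tls.VersionTLS12,
		InsecureSkipVerify: true, // demo cert is self-signed; never do this in production
	})
	err = cli.Handshake()
	cliRaw.Close()
	return err
}

// isRemoteHandshakeFailure reports whether err carries the peer's
// handshake_failure alert, rendered by Go as "remote error: tls: handshake
// failure" (Go 1.4 printed it without the "tls:" prefix).
func isRemoteHandshakeFailure(err error) bool {
	return err != nil && strings.Contains(err.Error(), "handshake failure")
}

// goSupports reports whether this Go release implements the named suite in
// either its recommended or its "insecure" list. TLS_RSA_WITH_RC4_128_MD5 and
// the TLS_DHE_* family appear in neither, matching ebfe's finding above.
func goSupports(name string) bool {
	for _, s := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		if s.Name == name {
			return true
		}
	}
	return false
}

func main() {
	ecdsaSuite := tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
	rsaSuite := tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	err := handshakeWith(ecdsaSuite, rsaSuite) // no suite in common
	fmt.Println("mismatch:", err, "| remote handshake_failure:", isRemoteHandshakeFailure(err))
	fmt.Println("match:", handshakeWith(ecdsaSuite, ecdsaSuite))
	fmt.Println("RC4-MD5 in crypto/tls:", goSupports("TLS_RSA_WITH_RC4_128_MD5"))
}
```

When a Go client hits this error against a server you do not control, compare the suites the server accepts (openssl s_client -cipher, or a scanner) with the output of goSupports before assuming a bug in crypto/tls; the alert itself will never tell you which side lacked what.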

@rsc rsc added this to the Go1.5Maybe milestone Apr 10, 2015
@rsc (Contributor)

rsc commented Jul 14, 2015

It doesn't sound like there's much we can do about this.
These servers don't like our client and they don't tell us why.
It's unfortunate.

@rsc rsc closed this as completed Jul 14, 2015
@quipo

quipo commented Jul 14, 2015

Well, the problem seems to be a difference in supported ciphersuites between the client and the server (see @ebfe's comment above).

It might get solved once the missing ciphersuites are available in crypto/tls.

@webluoye (Author)

Go 1.5 tests OK.

@golang golang locked and limited conversation to collaborators Sep 4, 2016