Golang http client handshake failure
7
That server only supports a few, weak ciphers:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK
TLS_RSA_WITH_RC4_128_SHA (0x5)   WEAK
If you really must connect to that server, Go does support the last cipher in the list, but not by default. Create a client with a new tls.Config specifying the cipher you want:
```go
package legacyclient

import (
	"crypto/tls"
	"net"
	"net/http"
	"time"
)

// t opts in to TLS_RSA_WITH_RC4_128_SHA, which Go has but does not offer by default.
var t = &http.Transport{
	Proxy: http.ProxyFromEnvironment,
	Dial: (&net.Dialer{
		Timeout:   30 * time.Second,
		KeepAlive: 30 * time.Second,
	}).Dial,
	TLSHandshakeTimeout: 10 * time.Second,
	TLSClientConfig: &tls.Config{
		CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA},
	},
}
var Client = &http.Client{Transport: t}
```
This is cool. Could you share how you debugged this? Also, any idea why it might've worked in 1.4.2 and broke in 1.5? – Ainar-G Sep 11 '15 at 13:13
2
@Ainar-G: RC4 has been disabled because it's very weak, and now prohibited: tools.ietf.org/html/rfc7465. – JimB Sep 11 '15 at 13:19
2
@Ainar-G: re debugging; a common cause of handshake failures is when there are no shared ciphers, so I look up what the server supports, and check those with the constants defined in crypto/tls. (I also check if the server even supports tls1.1, tls1.2, etc. Go1.5 is a little better at falling back for misbehaving servers now, so it tends to be more forgiving) – JimB Sep 11 '15 at 13:21
@JimB Thank you! Exactly what is needed. How can you check the supported protocols? – Nikolay Sep 11 '15 at 13:28
1
@Nikolay: the easiest way is ssllabs.com. You can also script it with any tls client, plus some other methods mentioned here: superuser.com/questions/109213/… – JimB Sep 11 '15 at 13:33
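The debugging approach JimB describes in the comments (look up what the server offers, check it against the constants in crypto/tls, and test which protocol versions and suites actually complete a handshake) can be scripted in Go itself. The following is an added example, not code from the answer or the comments: GoSupports, ProbeVersion and StartTestServer are names chosen here, and the loopback TLS 1.2-only server with a throwaway self-signed ECDSA certificate is a constructed stand-in for the legacy server in the question (it accepts only the one suite it is given). Against a real host you would pass its host:port and a base tls.Config with ServerName set and verification left on; InsecureSkipVerify appears below only because the fixture certificate is self-signed and the probe enumerates rather than authenticates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// GoSupports looks a suite name from a scan report (IANA spelling) up in Go's tables.
// insecure means Go implements it but leaves it out of the default list.
func GoSupports(name string) (id uint16, insecure, known bool) {
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		if cs.Name == name {
			return cs.ID, cs.Insecure, true
		}
	}
	return 0, false, false
}

// ProbeVersion attempts one handshake per suite, pinned to exactly one protocol
// version, and returns the suites the server accepted; each failure is the question's
// "handshake failure". base (ServerName, RootCAs) is cloned per probe. For TLS 1.3, or
// when suites is nil, one probe is made with Go's own list (Go cannot pick 1.3 suites).
func ProbeVersion(addr string, base *tls.Config, version uint16, suites []uint16) []uint16 {
	if version == tls.VersionTLS13 || suites == nil {
		suites = []uint16{0} // 0 means "leave cfg.CipherSuites at Go's default"
	}
	var accepted []uint16
	for _, s := range suites {
		cfg := base.Clone()
		cfg.MinVersion, cfg.MaxVersion = version, version
		if s != 0 {
			cfg.CipherSuites = []uint16{s}
		}
		conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
		if err != nil {
			continue
		}
		accepted = append(accepted, conn.ConnectionState().CipherSuite)
		conn.Close()
	}
	return accepted
}

// StartTestServer is a constructed fixture standing in for the legacy server: a
// loopback TLS 1.2-only listener, throwaway self-signed ECDSA cert, given suites only.
func StartTestServer(suites []uint16) (addr string, stop func()) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		CipherSuites: suites, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
	})
	if err != nil {
		panic(err)
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				c.(*tls.Conn).Handshake() // outcome is observed on the client side
				c.Close()
			}(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

func main() {
	for _, n := range []string{"TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"} {
		id, insecure, known := GoSupports(n)
		fmt.Printf("%s: known=%t insecure=%t id=0x%04x\n", n, known, insecure, id)
	}
	addr, stop := StartTestServer([]uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256})
	defer stop()
	var all []uint16
	for _, cs := range tls.CipherSuites() {
		all = append(all, cs.ID)
	}
	probe := &tls.Config{InsecureSkipVerify: true} // enumeration only; the real client must verify
	for _, s := range ProbeVersion(addr, probe, tls.VersionTLS12, all) {
		fmt.Println("TLS 1.2 accepted:", tls.CipherSuiteName(s))
	}
	fmt.Println("TLS 1.3 accepted:", ProbeVersion(addr, probe, tls.VersionTLS13, nil)) // [] for a 1.2-only server
}
```

The probe output maps directly onto the fix in the answer: whichever suites come back accepted at a given version are the ones to put in TLSClientConfig, and a suite GoSupports reports as insecure has to be listed explicitly because Go does not offer it by default. A name that comes back unknown (the DHE_RSA suites from the scan, for which Go has no constant at all) cannot be enabled in a Go client, which is why only the RC4 suite was an option in this case.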