
Trying to get a web page:

    package main

    import (
        "log"
        "net/http"
        "time"
    )

    func main() {
        tr := &http.Transport{
            TLSHandshakeTimeout: 30 * time.Second,
            DisableKeepAlives:   true,
        }

        client := &http.Client{Transport: tr}

        req, err := http.NewRequest("GET", "https://www.fl.ru/", nil)
        if err != nil {
            log.Fatalf("%s\n", err)
        }

        resp, err := client.Do(req)
        if err != nil {
            log.Fatalf("%s\n", err)
        }
        defer resp.Body.Close()
    }

Get https://www.fl.ru/: remote error: handshake failure.

If I try to get another HTTPS page, all is OK.

Nikolay

1 Answer


That server only supports a few, weak ciphers:

TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK
TLS_RSA_WITH_RC4_128_SHA (0x5)   WEAK

If you really must connect to that server, Go does support the last cipher in the list, but not by default. Create a client with a new tls.Config specifying the cipher you want:

package main

import (
    "crypto/tls"
    "net"
    "net/http"
    "time"
)

func newClient() *http.Client {
    t := &http.Transport{
        Proxy: http.ProxyFromEnvironment,
        Dial: (&net.Dialer{
            Timeout:   30 * time.Second,
            KeepAlive: 30 * time.Second,
        }).Dial,
        TLSHandshakeTimeout: 10 * time.Second,
        TLSClientConfig: &tls.Config{
            CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA}, // not in Go's default list
        },
    }
    return &http.Client{Transport: t}
}
JimB
  • This is cool. Could you share how you debugged this? Also, any idea why it might've worked in 1.4.2 and broke in 1.5? – Ainar-G Sep 11 '15 at 13:13
  • @Ainar-G: RC4 has been disabled because it's very weak, and is now prohibited: https://tools.ietf.org/html/rfc7465. – JimB Sep 11 '15 at 13:19
  • @Ainar-G: re debugging; a common cause of handshake failures is when there are no shared ciphers, so I look up what the server supports and check those against the constants defined in crypto/tls. (I also check if the server even supports TLS 1.1, TLS 1.2, etc. Go 1.5 is a little better at falling back for misbehaving servers now, so it tends to be more forgiving.) – JimB Sep 11 '15 at 13:21
  • @JimB Thank you! Exactly what is needed. How can you check the supported protocols? – Nikolay Sep 11 '15 at 13:28
  • @Nikolay: the easiest way is https://www.ssllabs.com/. You can also script it with any TLS client, plus some other methods mentioned here: http://superuser.com/questions/109213/how-do-i-list-the-ssl-tls-cipher-suites-a-particular-website-offers. – JimB Sep 11 '15 at 13:33