Go https client issue - remote error: tls: handshake failure


The server for some reason doesn't accept the TLS1.2 handshake, nor does it properly fall back to TLS1.1. You can force the client to use only TLS1.1 and the compatible cipher suites with

import "crypto/tls"

cfg := &tls.Config{
    // Only the two suites gotlsscan reported as [OK] under TLS 1.1.
    CipherSuites: []uint16{
        tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
        tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    },
    PreferServerCipherSuites: true, // server-side field, no effect on a client; ignored entirely since Go 1.17
    InsecureSkipVerify:       true, // disables certificate verification: acceptable for a lab probe, not for production
    // Pin both ends to TLS 1.1 so the client never offers 1.2 and never drops to 1.0.
    MinVersion:               tls.VersionTLS11,
    MaxVersion:               tls.VersionTLS11,
}
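The thread's troubleshooting step was to probe the server with every TLS version and cipher suite and keep whatever handshakes. The following is an added example, not code from the question, the answer or gotlsscan: a small version/suite scanner built on Go's own crypto/tls client, plus a constructed in-memory stand-in for the APIC (a TLS 1.1-only listener offering just the two CBC suites, with a throwaway self-signed RSA certificate) so it runs offline. The function names Scan and StartLegacyServer, the CommonName and the candidate suite list are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ProbeResult is the outcome of one (version, cipher suite) handshake attempt.
type ProbeResult struct {
	Version, Suite uint16
	OK             bool
	Err            string
}

// Versions to try, oldest first. SSL 3.0 is omitted: Go no longer speaks it.
var versions = []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12}

// Scan dials addr once per (version, suite) pair. MinVersion and MaxVersion are
// pinned to the same value so the server cannot negotiate anything else and the
// error tells you exactly which combination it rejects. Diagnostic probe only.
func Scan(addr string, candidates []uint16) []ProbeResult {
	var out []ProbeResult
	for _, v := range versions {
		for _, s := range candidates {
			cfg := &tls.Config{
				MinVersion:         v,
				MaxVersion:         v,
				CipherSuites:       []uint16{s},
				InsecureSkipVerify: true, // diagnostic only; never in a production client
			}
			r := ProbeResult{Version: v, Suite: s}
			if conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", addr, cfg); err != nil {
				r.Err = err.Error()
			} else {
				r.OK = true
				conn.Close()
			}
			out = append(out, r)
		}
	}
	return out
}

// StartLegacyServer stands in for the APIC in the thread: a TLS 1.1-only listener
// offering only the two CBC suites (constructed test fixture, not a real device).
func StartLegacyServer() (addr string, stop func(), err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "legacy-apic.example"}, // assumed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion:   tls.VersionTLS11,
		MaxVersion:   tls.VersionTLS11,
		CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
	})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

func main() {
	addr, stop, err := StartLegacyServer()
	if err != nil {
		panic(err)
	}
	defer stop()
	candidates := []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}
	for _, r := range Scan(addr, candidates) {
		fmt.Printf("%#04x %-40s ok=%v %s\n", r.Version, tls.CipherSuiteName(r.Suite), r.OK, r.Err)
	}
}
```

Against the stand-in only the TLS 1.1 + AES_128_CBC_SHA probe succeeds; the GCM suite never reaches the wire below TLS 1.2 and the 1.0/1.2 attempts are refused with a version alert, which is the same shape of result gotlsscan printed for the real device. Point Scan at a real host:port to reproduce that check, then copy the surviving pair into the client's tls.Config.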
Author: Everton
SRE since 2016. Network engineer for 20+ years. Enjoy computer engineering in general. Find lots of fun in the Go Programming Language.

Updated on June 06, 2022

Comments

  • Everton almost 2 years

    I am hitting this error 'remote error: tls: handshake failure':

    ~/go/bin/aci-tls 10.0.0.201 user pass
    2016/12/20 18:12:04 post error: Post https://10.0.0.201/api/aaaLogin.json: remote error: tls: handshake failure
    

    Code is basic HTTPS client: https://play.golang.org/p/cqPT0oR__q

    OpenSSL is happy with this https server:

    $ openssl s_client -connect 10.0.0.201:443
    
    (snip)
    SSL handshake has read 1383 bytes and written 431 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    (snip)
    

    Tested on:

    $ go version
    go version go1.7.4 linux/386
    
    C:\>go version
    go version go1.7.4 windows/amd64
    

    gotlsscan says:

    lab@ubu:~$ go version
    go version go1.8beta2 linux/386
    lab@ubu:~$ ~/go/bin/gotlsscan -host 10.0.0.201 | grep -v NOT
    Testing SSL30 (DISABLED)
    Testing TLS1.0
    Testing TLS1.1
    Testing TLS1.2
    lab@ubu:~$
    lab@ubu:~$ ~/go/bin/gotlsscan -insecure -host 10.0.0.201 | grep -v NOT
    Testing SSL30 (DISABLED)
    Testing TLS1.0
    Testing TLS1.1
            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            [OK]
            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            [OK]
    Testing TLS1.2
    

    How can I further troubleshoot this issue?

    • JimB over 7 years
      What version of Go are you using? What is the server, and can you get any logs describing why the connection might have failed?
    • Everton over 7 years
      go version go1.7.4 linux/386, server is Cisco APIC, have not found its logging related to HTTPS yet.
    • JimB over 7 years
      you could try running github.com/jbardin/gotlsscan against the host (requires >go1.8beta, or build Go from master). It will run through all tls versions and ciphersuites and list what's compatible. It's possible that the server is doing something incorrectly, but a different suite or tls version might still work (IIS used to break the handshake with tls1.2 too)
    • Everton over 7 years
      @JimB I have added result from gotlsscan into the question.
    • JimB over 7 years
      That shows it does get a successful handshake with VersionTLS11 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, so I would configure the client to use those settings.
    • Everton over 7 years
      @JimB Great! This is working: play.golang.org/p/oMrFigx-PT Post it as an answer so I can accept it! :-)
  • Alan Corey over 4 years
    If you're using a router or WiFi AP, reboot it. There can be many causes of problems, that was it in my case.