Skip to content

crypto/tls: https request, tls handshake failure in go1.22 #66512

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
chenghonour opened this issue Mar 25, 2024 · 3 comments
Closed

crypto/tls: https request, tls handshake failure in go1.22 #66512

chenghonour opened this issue Mar 25, 2024 · 3 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.

Comments

@chenghonour
Copy link

chenghonour commented Mar 25, 2024
edited
Loading

Go version

go version go1.22.1 linux/amd64

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/root/.cache/go-build'
GOENV='/root/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='local'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.1'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='0'
GOMOD='/code/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -fno-caret-diagnostics -Qunused-arguments -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1985924870=/tmp/go-build -gno-record-gcc-switches'

What did you do?

package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
)

func main() {
	http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}

	resp, err := http.Get("https://www.scort.cn")
	if err != nil {
		panic(err)
	}
	fmt.Println("status:", resp.Status)
}

What did you see happen?

panic: Get "https://www.scort.cn": remote error: tls: handshake failure

What did you expect to see?

status: 200

In versions go1.21 and earlier, this success result is returned. But it returned an error in version go1.22
@dr2chase
Copy link
Contributor

@golang/security

This seems to depend on the https host I am trying to connect to. I tried this connecting to a google.com and it worked okay.

@dr2chase dr2chase added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Mar 25, 2024
@chenghonour
Copy link
Author

I found the tls.Config CipherSuite parameter description in the source code, which may be related to the issue.
In Go 1.22 RSA key exchange based cipher suites were removed from the default list, but can be re-added with the GODEBUG setting tlsrsakex=1.

@shmsr shmsr mentioned this issue Jul 15, 2024
Merged
4 tasks
@gabyhelp gabyhelp mentioned this issue Jul 19, 2024
Closed
@john8329
Copy link

john8329 commented Aug 8, 2024
edited
Loading

Apologies for commenting on a closed issue, but it might help to manually specify ciphers instead of using the GODEBUG setting

Config := &tls.Config{
	CipherSuites: []uint16{
		// TLS 1.0 - 1.2 cipher suites.
		tls.TLS_RSA_WITH_RC4_128_SHA,
		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
		tls.TLS_RSA_WITH_AES_128_CBC_SHA,
		tls.TLS_RSA_WITH_AES_256_CBC_SHA,
		tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
		tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
		tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
		tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
		// TLS 1.3 cipher suites.
		tls.TLS_AES_128_GCM_SHA256,
		tls.TLS_AES_256_GCM_SHA384,
		tls.TLS_CHACHA20_POLY1305_SHA256,
	},
}
httpClient = &http.Client{Transport: &http.Transport{TLSClientConfig: tlsConfig}}

@JB0925 JB0925 mentioned this issue Dec 17, 2024
Closed
@petoju petoju mentioned this issue Jan 13, 2025
Open
@mouglou mouglou mentioned this issue Jan 13, 2025
Open
ll4strw added a commit to ll4strw/rclone that referenced this issue Feb 21, 2025
@ll4strw
SSL works
489dbca 
NB: go 1.22.0 does not accept TLS1.2 ciphers
See:
golang/go#66512
SpectoLabs/hoverfly#1162

Modify GetTLSConfig @ go-irodsclient/irods/types/ssl_config.go
@kranthikirang kranthikirang mentioned this issue May 9, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dr2chase @chenghonour @john8329