When using the built-in TLS for an HTTP/WebSocket server, I noticed that
handshakes from some old browser clients fail. The reason I find this
strange is that other TLS implementations work with those connections
without any problems. I used ssllabs.com/ssltest/
<https://www.ssllabs.com/ssltest/> to emulate handshakes.

To be more specific: clients using Chrome 49 on Windows XP SP3 can't
establish a secure connection with my Go server. When I use the Heroku
reverse proxy in front of the app, the connection is successfully
established using TLS 1.2. In the case of Go, I see the "*tls: no cipher
suite supported by both client and server*" message in the server log.

I investigated this a bit and found that the client and server actually
have many cipher suites in common, but none of them is set in the
setCipherSuite
<https://github.com/golang/go/blob/81038d2e2b588f9df45d20a2ca0be446b0e421b2/src/crypto/tls/handshake_server.go#L770>
function. Here is the list of supported and preference suites:

Supported: []uint16{0xc02f, 0xcca8, 0xcc13, 0xc014, 0xc013, 0x9c, 0x35, 0x2f, 
0xa}
Preference: []uint16{0x5600, 0xc02f, 0xc02b, 0xc030, 0xc02c, 0xc011, 0xc007, 
0xc013, 0xc009, 0xc014, 0xc00a, 0x9c, 0x9d, 0x5, 0x2f, 0x35, 0xc012, 0xa}


They are all rejected by this code
<https://github.com/golang/go/blob/81038d2e2b588f9df45d20a2ca0be446b0e421b2/src/crypto/tls/handshake_server.go#L784>
(some because there was no rsaSignOk set, some because there was no
rsaDecryptOk set).

trying 0xc02f for version 0x303 
reason rejected: !rsaSignOk

trying 0xc013 for version 0x303 
reason rejected: !rsaSignOk

trying 0xc014 for version 0x303 
reason rejected: !rsaSignOk

trying 0x9c for version 0x303   
reason rejected: !rsaDecryptOk

trying 0x2f for version 0x303   
reason rejected: !rsaDecryptOk

trying 0x35 for version 0x303   
reason rejected: !rsaDecryptOk

trying 0xa for version 0x303
reason rejected: !rsaDecryptOk


I am not skilled in the TLS area, so I am looking for help: what's going on
here, and why does the Go implementation not support connections supported
by other TLS termination proxies?
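
The walk traced in the log above can be reproduced offline. The following Go program is an added example, not part of the original post and not crypto/tls's own code: it uses the two lists from the post, and `KeyCaps`, `Need` and `Select` are hypothetical names, with each suite's key requirement inferred from its name rather than from the library's internal flags.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"slices"
	"strings"
)

// Both lists are copied from the post above.
var supported = []uint16{0xc02f, 0xcca8, 0xcc13, 0xc014, 0xc013, 0x9c, 0x35, 0x2f, 0xa}
var preference = []uint16{0x5600, 0xc02f, 0xc02b, 0xc030, 0xc02c, 0xc011, 0xc007,
	0xc013, 0xc009, 0xc014, 0xc00a, 0x9c, 0x9d, 0x5, 0x2f, 0x35, 0xc012, 0xa}

// KeyCaps is a hypothetical stand-in for what the server's private key can do.
type KeyCaps struct{ RSASign, RSADecrypt, ECDSA bool }

// Need infers the required key capability from the suite's name (an assumption).
func Need(id uint16) string {
	name := tls.CipherSuiteName(id)
	for _, k := range [][2]string{{"TLS_ECDHE_ECDSA_", "ecdsa"}, {"TLS_ECDHE_RSA_", "rsaSign"}, {"TLS_RSA_", "rsaDecrypt"}} {
		if strings.HasPrefix(name, k[0]) {
			return k[1]
		}
	}
	return "unknown"
}

// Select tries, in preference order, each ID also in supported; chosen is 0 if none fits.
func Select(caps KeyCaps) (tried []uint16, chosen uint16) {
	can := map[string]bool{"rsaSign": caps.RSASign, "rsaDecrypt": caps.RSADecrypt, "ecdsa": caps.ECDSA}
	for _, id := range preference {
		if !slices.Contains(supported, id) {
			continue
		}
		tried = append(tried, id)
		if can[Need(id)] {
			return tried, id
		}
	}
	return tried, 0
}

func main() {
	tried, chosen := Select(KeyCaps{ECDSA: true}) // constructed input: no RSA capability
	for _, id := range tried {
		fmt.Printf("%#06x %-36s needs %s\n", id, tls.CipherSuiteName(id), Need(id))
	}
	fmt.Printf("chosen: %#06x\n", chosen)
}
```

With no RSA capability in `KeyCaps`, the same seven IDs as in the log are tried, in the same order, and none is chosen.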
