James, thanks for the response. I am using go1.7.5 linux/amd64.

I don't have that client available either; it was originally seen in production 
logs, and now I rely only on the SSLLabs handshake emulation feature, which has 
that Chrome 49 SP3 client in its list.

Here is what SSLLabs shows for that client when the application is behind the Heroku 
proxy:

Firefox 49 / XP SP3 
<https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=49&platform=XP%20SP3&key=137>
RSA 2048 (SHA256) 
<https://www.ssllabs.com/ssltest/analyze.html?d=centrifugo.herokuapp.com#3605008a4b977a443f4f14e3c072d362c55475e7797b46554cc3088f8cbfa11b>
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS

For Go I used both examples from 
https://gist.github.com/FZambia/b51fa33ea4ec78caa7722299da5ae09e: one with the 
default config, and one with all available cipher suites set in TLSConfig 
and the PreferServerCipherSuites option. Both examples use autocert (Let's 
Encrypt) to get the HTTPS certificate. The output of SSLLabs in both cases is:

Chrome 49 / XP SP3 
<https://www.ssllabs.com/ssltest/viewClient.html?name=Chrome&version=49&platform=XP%20SP3&key=136>
Server sent fatal alert: handshake_failure

And "no cipher suite supported by both client and server" in the logs for this 
handshake.

On Monday, February 6, 2017 at 17:15:04 UTC+3, James Bardin 
wrote:
>
>
> What cipher suite is negotiated when you connect to the Heroku proxy?
>
> What version of Go are you using on the server, and are you using the 
> default tls.Config?
>
> I don't have that client directly available to test with, but does your 
> particular client show the expected information when you visit 
> https://www.ssllabs.com/ssltest/viewMyClient.html?
>
>
> On Sunday, February 5, 2017 at 3:44:47 AM UTC-5, Alexandr Emelin wrote:
>>
>> When using builtin TLS for http/websocket server I noticed that 
>> handshakes from some old browser clients fail. The reason why I find this 
>> strange is that other TLS implementations work with those connections 
>> without any problems. I used ssllabs.com/ssltest/ 
>> <https://www.ssllabs.com/ssltest/> to emulate handshakes.
>>
>> To be more specific: clients using Chrome 49 on Windows XP SP3 can't 
>> establish a secure connection with my Go server. When I use the Heroku reverse 
>> proxy in front of the app, the connection is successfully established using TLS 
>> 1.2. In the case of Go I see the "*tls: no cipher suite supported by both client 
>> and server*" message in the server log.
>>
>> I investigated this a bit and found that actually the client and server have 
>> many cipher suites in common, but none of them is set in the setCipherSuite 
>> <https://github.com/golang/go/blob/81038d2e2b588f9df45d20a2ca0be446b0e421b2/src/crypto/tls/handshake_server.go#L770>
>> function. Here is the list of supported and preference suites:
>>
>> Supported: []uint16{0xc02f, 0xcca8, 0xcc13, 0xc014, 0xc013, 0x9c, 0x35, 
>> 0x2f, 0xa}
>> Preference: []uint16{0x5600, 0xc02f, 0xc02b, 0xc030, 0xc02c, 0xc011, 0xc007, 
>> 0xc013, 0xc009, 0xc014, 0xc00a, 0x9c, 0x9d, 0x5, 0x2f, 0x35, 0xc012, 0xa}
>>
>>
>> They are all rejected by this code 
>> <https://github.com/golang/go/blob/81038d2e2b588f9df45d20a2ca0be446b0e421b2/src/crypto/tls/handshake_server.go#L784>
>> (some because there was no rsaSignOk set, some because there was no 
>> rsaDecryptOk set).
>>
>> trying 0xc02f for version 0x303 
>> reason rejected: !rsaSignOk
>>
>> trying 0xc013 for version 0x303 
>> reason rejected: !rsaSignOk
>>
>> trying 0xc014 for version 0x303 
>> reason rejected: !rsaSignOk
>>
>> trying 0x9c for version 0x303   
>> reason rejected: !rsaDecryptOk
>>
>> trying 0x2f for version 0x303   
>> reason rejected: !rsaDecryptOk
>>
>> trying 0x35 for version 0x303   
>> reason rejected: !rsaDecryptOk
>>
>> trying 0xa for version 0x303
>> reason rejected: !rsaDecryptOk
>>
>>
>> I am not skilled in the TLS area, so I'm looking for help: what's going on here, 
>> and why does the Go implementation not support connections that other TLS 
>> termination proxies support?
>>
>>

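The trace quoted above is what Go's server-side suite selection emits when the server certificate's private key cannot do RSA signing (needed for the ECDHE-RSA suites) or RSA decryption (needed for the plain RSA key-exchange suites). The following is an added example, not code from the thread, from Go's crypto/tls, or from the gist linked above. It reimplements the selection walk in simplified form: the ECDHE/ECDSA flags per suite are a hand-written table, `KeyKind` stands in for the rsaSignOk/rsaDecryptOk/ecdsaOk booleans, and the run with an ECDSA key is an assumption about the poster's certificate that merely reproduces the seven rejections in the trace; the run with an RSA key shows the same two lists agreeing on a suite.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// KeyKind is what the server certificate's private key can do. Go's
// handshake_server.go derives the booleans printed in the thread's trace
// (rsaSignOk, rsaDecryptOk, ecdsaOk) from the key type: an RSA key sets the
// first two, an ECDSA key only the third.
type KeyKind int

const (
	KeyRSA KeyKind = iota
	KeyECDSA
)

// suiteInfo holds the two properties the decision depends on: ECDHE key
// exchange or not, and ECDSA or RSA server authentication.
type suiteInfo struct {
	name  string
	ecdhe bool
	ecdsa bool
}

// Hand-written table covering the ids in the thread's lists. 0xcc13 is the
// pre-RFC ChaCha20 id old Chrome offered; Go has no constant for it.
var suites = map[uint16]suiteInfo{
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:   {"ECDHE-RSA-AES128-GCM-SHA256", true, false},
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: {"ECDHE-ECDSA-AES128-GCM-SHA256", true, true},
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:   {"ECDHE-RSA-AES256-GCM-SHA384", true, false},
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: {"ECDHE-ECDSA-AES256-GCM-SHA384", true, true},
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:    {"ECDHE-RSA-CHACHA20-POLY1305", true, false},
	0xcc13:                                      {"ECDHE-RSA-CHACHA20-POLY1305 (draft)", true, false},
	tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA:          {"ECDHE-RSA-RC4-SHA", true, false},
	tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:        {"ECDHE-ECDSA-RC4-SHA", true, true},
	tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:      {"ECDHE-RSA-AES128-SHA", true, false},
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:    {"ECDHE-ECDSA-AES128-SHA", true, true},
	tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:      {"ECDHE-RSA-AES256-SHA", true, false},
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:    {"ECDHE-ECDSA-AES256-SHA", true, true},
	tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:     {"ECDHE-RSA-DES-CBC3-SHA", true, false},
	tls.TLS_RSA_WITH_AES_128_GCM_SHA256:         {"AES128-GCM-SHA256", false, false},
	tls.TLS_RSA_WITH_AES_256_GCM_SHA384:         {"AES256-GCM-SHA384", false, false},
	tls.TLS_RSA_WITH_RC4_128_SHA:                {"RC4-SHA", false, false},
	tls.TLS_RSA_WITH_AES_128_CBC_SHA:            {"AES128-SHA", false, false},
	tls.TLS_RSA_WITH_AES_256_CBC_SHA:            {"AES256-SHA", false, false},
	tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA:           {"DES-CBC3-SHA", false, false},
}

// The client's offered suites and the server's preference list, copied from
// the Supported/Preference lines in the thread. 0x5600 is TLS_FALLBACK_SCSV,
// a signalling value rather than a real suite.
var ClientSupported = []uint16{0xc02f, 0xcca8, 0xcc13, 0xc014, 0xc013, 0x9c, 0x35, 0x2f, 0xa}
var ServerPreference = []uint16{0x5600, 0xc02f, 0xc02b, 0xc030, 0xc02c, 0xc011, 0xc007,
	0xc013, 0xc009, 0xc014, 0xc00a, 0x9c, 0x9d, 0x5, 0x2f, 0x35, 0xc012, 0xa}

// rejectReason returns "" when the key can serve the suite, otherwise the
// reason in the same form the thread's debug trace used.
func rejectReason(id uint16, key KeyKind) string {
	s, ok := suites[id]
	if !ok {
		return "not a suite in this table"
	}
	switch {
	case s.ecdhe && s.ecdsa: // ECDHE with ECDSA signature on the key exchange
		if key != KeyECDSA {
			return "!ecdsaOk"
		}
	case s.ecdhe: // ECDHE with RSA signature on the key exchange
		if key != KeyRSA {
			return "!rsaSignOk"
		}
	default: // RSA key exchange: server must decrypt the premaster secret
		if key != KeyRSA {
			return "!rsaDecryptOk"
		}
	}
	return ""
}

// SelectCipherSuite walks the preference list (the server's own order when
// PreferServerCipherSuites is set), skips ids the other side did not offer,
// and returns the first suite the key can serve together with a trace of the
// candidates rejected on the way. A zero id is the "no cipher suite supported
// by both client and server" outcome from the thread.
func SelectCipherSuite(preference, supported []uint16, key KeyKind) (uint16, []string) {
	var trace []string
	for _, id := range preference {
		if !contains(supported, id) {
			continue
		}
		if r := rejectReason(id, key); r != "" {
			trace = append(trace, fmt.Sprintf("trying 0x%x (%s): rejected %s", id, suites[id].name, r))
			continue
		}
		return id, trace
	}
	return 0, trace
}

func contains(list []uint16, id uint16) bool {
	for _, v := range list {
		if v == id {
			return true
		}
	}
	return false
}

func main() {
	names := map[KeyKind]string{KeyECDSA: "ECDSA", KeyRSA: "RSA"}
	for _, key := range []KeyKind{KeyECDSA, KeyRSA} {
		id, trace := SelectCipherSuite(ServerPreference, ClientSupported, key)
		fmt.Printf("server key %s:\n", names[key])
		for _, line := range trace {
			fmt.Println("  " + line)
		}
		if id == 0 {
			fmt.Println("  -> no cipher suite supported by both client and server")
		} else {
			fmt.Printf("  -> selected 0x%x (%s)\n", id, suites[id].name)
		}
	}
}
```

Run as-is, the ECDSA pass prints exactly the seven candidates and reasons from the trace in the thread, and the RSA pass picks 0xc02f on the first try. The lesson for operators is that the cipher-suite lists were never the problem: a client that only offers RSA-authenticated suites can only ever be served by an RSA certificate, so serving an RSA certificate (or both an RSA and an ECDSA certificate, selected per client) is the fix, and "no cipher suite supported by both client and server" is worth reading as "no suite compatible with this key" before touching `CipherSuites`.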