Go: remote error: tls: handshake failure

Have you encountered the following error while using Go's net/http package?

Get "https://host-with-tls-problem.com": remote error: tls: handshake failure

Here is a solution that works for me.

  1. Install goTLSScan:
$ go install github.com/jbardin/gotlsscan@latest
  2. Run goTLSScan:
$ gotlsscan -host "host-with-tls-problem.com"
...
Testing TLS1.2
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA          [NOT SUPPORTED] EOF
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256       [NOT SUPPORTED] EOF
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256       [NOT SUPPORTED] EOF
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA          [NOT SUPPORTED] EOF
	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384       [NOT SUPPORTED] EOF
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305        [NOT SUPPORTED] EOF
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 [NOT SUPPORTED] EOF
	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (DISABLED)   [NOT SUPPORTED] EOF
	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA           [NOT SUPPORTED]
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            [NOT SUPPORTED]
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256         [NOT SUPPORTED]
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256         [NOT SUPPORTED]
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            [NOT SUPPORTED]
	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384         [NOT SUPPORTED]
	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305          [NOT SUPPORTED]
	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   [NOT SUPPORTED]
	TLS_ECDHE_RSA_WITH_RC4_128_SHA (DISABLED)     [NOT SUPPORTED]
	TLS_RSA_WITH_3DES_EDE_CBC_SHA                 [OK]
	TLS_RSA_WITH_AES_128_CBC_SHA                  [OK]
	TLS_RSA_WITH_AES_128_CBC_SHA256               [OK]
	TLS_RSA_WITH_AES_128_GCM_SHA256               [OK]
	TLS_RSA_WITH_AES_256_CBC_SHA                  [OK]
	TLS_RSA_WITH_AES_256_GCM_SHA384               [OK]
	TLS_RSA_WITH_RC4_128_SHA (DISABLED)           [OK]
...
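  3. Use the available TLS version and cipher suites:
package main

import (
	"crypto/tls"
	"log"
	"net/http"
)

func main() {
	url := "https://host-with-tls-problem.com"
	client := &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				// Suites the scan reported as [OK]; the RC4 suite marked
				// (DISABLED) is not listed. All of these use static RSA key
				// exchange (no forward secrecy), so use this client only
				// for the affected host.
				CipherSuites: []uint16{
					tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
					tls.TLS_RSA_WITH_AES_128_CBC_SHA,
					tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
					tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
					tls.TLS_RSA_WITH_AES_256_CBC_SHA,
					tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
				},
				// The scan results above are for TLS 1.2.
				MinVersion: tls.VersionTLS12,
				MaxVersion: tls.VersionTLS12,
			},
		},
	}
	resp, err := client.Get(url)
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()
	log.Println(resp.Status) // handshake succeeded
}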

That's it!
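
The following is an added example, not part of the original gist: it parses scan output in the format shown in step 2 and keeps only the accepted AEAD suites (GCM or ChaCha20-Poly1305) instead of copying every [OK] line, so 3DES, RC4 and CBC suites are not offered when the server also accepts a stronger one. The names `scanOutput` and `acceptedAEAD` are hypothetical, and the scan text is a constructed sample.

```go
package main

import (
	"bufio"
	"crypto/tls"
	"fmt"
	"strings"
)

// scanOutput is a constructed sample in the format gotlsscan prints.
const scanOutput = `Testing TLS1.2
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256         [NOT SUPPORTED]
	TLS_RSA_WITH_3DES_EDE_CBC_SHA                 [OK]
	TLS_RSA_WITH_AES_128_GCM_SHA256               [OK]
	TLS_RSA_WITH_AES_256_GCM_SHA384               [OK]
	TLS_RSA_WITH_RC4_128_SHA (DISABLED)           [OK]
`

// acceptedAEAD (hypothetical helper) returns IDs of [OK] suites that use GCM or ChaCha20-Poly1305.
func acceptedAEAD(scan string) []uint16 {
	ids := map[string]uint16{} // suite name -> ID, taken from crypto/tls itself
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		ids[cs.Name] = cs.ID
	}
	var out []uint16
	sc := bufio.NewScanner(strings.NewReader(scan))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 || !strings.Contains(sc.Text(), "[OK]") {
			continue // header, "..." or a suite the server rejected
		}
		aead := strings.Contains(f[0], "_GCM_") || strings.Contains(f[0], "CHACHA20")
		if id, known := ids[f[0]]; known && aead {
			out = append(out, id)
		}
	}
	return out
}

func main() {
	suites := acceptedAEAD(scanOutput)
	if len(suites) == 0 {
		panic("server accepts no AEAD suite; offering CBC or 3DES should be a deliberate choice")
	}
	cfg := &tls.Config{CipherSuites: suites, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	for _, id := range cfg.CipherSuites {
		fmt.Println(tls.CipherSuiteName(id))
	}
}
```

The resulting `cfg` goes into `TLSClientConfig` exactly as in step 3.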