tls.VersionSSL30 - local error: protocol version not supported


Paul van Brouwershaven

Jan 7, 2014, 3:12:41 AM
to golan...@googlegroups.com
When trying to connect with an SSLv3-only setting (MinVersion, MaxVersion = tls.VersionSSL30) I'm getting the error: "local error: protocol version not supported".

The google.com website is available over SSLv3, and an openssl s_client or curl session connects successfully.

* About to connect() to www.google.com port 443 (#0)
*   Trying 74.125.136.104... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-RC4-SHA
* Server certificate:
*        subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
*        start date: 2013-12-11 12:02:58 GMT
*        expire date: 2014-04-10 00:00:00 GMT
*        subjectAltName: www.google.com matched
*        issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
*        SSL certificate verify ok.

You can try the following test program that shows the error for SSLv3 but where TLSv1, 1.1 and 1.2 are working fine:

http://play.golang.org/p/z4xg6k45gM

James Bardin

Jan 7, 2014, 9:45:15 AM
to golan...@googlegroups.com

What exactly are you asking? The error is very clear with "local error: protocol version not supported", meaning the client does not support SSLv3.

Paul van Brouwershaven

Jan 7, 2014, 9:49:19 AM
to golan...@googlegroups.com
I see this same error for TLSv1.1 and 1.2 when the remote server doesn't support this version.

My tests with openssl and curl show that google.com supports SSLv3. This would indicate that "local error" means that Go doesn't support SSLv3, but why can we instruct Go to force the usage of SSLv3 then, and why do I get the same error for 1.1 and 1.2 sometimes if it is a local error?

James Bardin

Jan 7, 2014, 10:02:43 AM
to golan...@googlegroups.com


On Tuesday, January 7, 2014 9:49:19 AM UTC-5, Paul van Brouwershaven wrote:
I see this same error for TLSv1.1 and 1.2 when the remote server doesn't support this version.


Are you saying that you see this error when the remote server *does* support TLSv1.1 or 1.2? If so, do you know any details about the server? I've run into an unknown http frontend that is incorrectly negotiating down to SSLv3 when TLSv1.1 or TLSv1.2 is offered by the client, even though it supports TLSv1.0. Forcing TLSv1.0 on the client allows us to connect.

 
My tests with openssl and curl show that google.com supports SSLv3. This would indicate that "local error" means that Go doesn't support SSLv3, but why can we instruct Go to force the usage of SSLv3 then, and why do I get the same error for 1.1 and 1.2 sometimes if it is a local error?


You can set the TLS versions to any uint16 values you want, but they're not necessarily valid, and just because it compiles doesn't mean it's not a runtime error. You can't force the usage of SSLv3, because the client doesn't support it.


Paul van Brouwershaven

Jan 7, 2014, 10:35:01 AM
to golan...@googlegroups.com
The server www.google.com is accepting SSLv3, TLSv1, TLSv1.1 and TLSv1.2 as you can see in the openssl s_client tests below.

The crypto/tls manual lists the constants for these same SSL/TLS versions:
const (
        VersionSSL30 = 0x0300
        VersionTLS10 = 0x0301
        VersionTLS11 = 0x0302
        VersionTLS12 = 0x0303
)

While the summary only states that it partially implements TLS 1.2, as specified in RFC 5246, TLS 1.0 and 1.1 currently also work fine for me.

openssl s_client -ssl3 -host www.google.com -port 443

SSL-Session:
    Protocol  : SSLv3

openssl s_client -tls1 -host www.google.com -port 443

SSL-Session:
    Protocol  : TLSv1

openssl s_client -tls1_1 -host www.google.com -port 443

SSL-Session:
    Protocol  : TLSv1.1

openssl s_client -tls1_2 -host www.google.com -port 443

SSL-Session:
    Protocol  : TLSv1.2

James Bardin

Jan 7, 2014, 10:38:00 AM
to golan...@googlegroups.com
Yes, but again, what are you asking? 
This does not change the fact that the client does not support SSLv3 (granted, this should be better documented in the tls package).

Paul van Brouwershaven

Jan 7, 2014, 10:43:56 AM
to James Bardin, golang-nuts
It looks like Go (the client) supports SSLv3, first because of the constant referring to v3, and secondly because the source also lists functions specific to v3 (removePaddingSSL30).

Question 1: Does Go support SSLv3?

Question 2: If Go does not support SSLv3, why do I get the same (local) error message when a remote server does not support TLSv1.2?


--
Regards,

Paul van Brouwershaven

James Bardin

Jan 7, 2014, 10:48:10 AM
to Paul van Brouwershaven, golang-nuts
On Tue, Jan 7, 2014 at 10:43 AM, Paul van Brouwershaven <pa...@vanbrouwershaven.com> wrote:
It looks like Go (the client) supports SSLv3, first because of the constant referring to v3, and secondly because the source also lists functions specific to v3 (removePaddingSSL30).

Question 1: Does Go support SSLv3?

Not on the client. I believe it was a concession for compatibility on the server side.
 

Question 2: If Go does not support SSLv3, why do I get the same (local) error message when a remote server does not support TLSv1.2?

We need more information. When do you get this error if the server does not support TLSv1.2? My guess is what I stated previously, that the server is only offering SSLv3 for some reason.

Paul van Brouwershaven

Jan 7, 2014, 10:59:07 AM
to golan...@googlegroups.com, Paul van Brouwershaven
On Tuesday, 7 January 2014 16:48:10 UTC+1, James Bardin wrote:
Question 2: If Go does not support SSLv3, why do I get the same (local) error message when a remote server does not support TLSv1.2?

We need more information. When do you get this error if the server does not support TLSv1.2? My guess is what I stated previously, that the server is only offering SSLv3 for some reason.

You get this result:

2014/01/07 15:56:00 [TLS Handshake] 768 local error: protocol version not supported ( www.google.com ) = SSLv3
2014/01/07 15:56:01 map[ssl30:false tls10:true tls11:true tls12:true]
2014/01/07 15:56:02 [TLS Handshake] 768 local error: protocol version not supported ( www.microsoft.com ) = SSLv3
2014/01/07 15:56:05 [TLS Handshake] 770 local error: protocol version not supported ( www.microsoft.com ) = TLSv1.1
2014/01/07 15:56:06 [TLS Handshake] 771 local error: protocol version not supported ( www.microsoft.com ) = TLSv1.2
2014/01/07 15:56:06 map[ssl30:false tls10:true tls11:false tls12:false]
 

James Bardin

Jan 7, 2014, 11:16:39 AM
to golan...@googlegroups.com, Paul van Brouwershaven

OK, I see the confusion.
It's the same error both when the client doesn't support the TLS version at all and when the client's version isn't supported by the remote server.

I suppose it wouldn't hurt to open an issue for this.

agl

Jan 7, 2014, 11:19:37 AM
to golan...@googlegroups.com, Paul van Brouwershaven
Those results are as expected.

Go supports SSLv3 as a server because clients will fall back to SSLv3 in the event of network issues, so one really has to support it to avoid some odd errors at the client.

Go doesn't support SSLv3 as a client.

TLS doesn't support giving the server a range of supported versions, just the maximum supported version, so if the server answers with a disabled version you'll get the error that you see.


Cheers

AGL