Connection reset by peer in TLS handshake, curl ok


matthi...@gmail.com

Jun 10, 2014, 8:56:31 PM
to golan...@googlegroups.com
I can't seem to be able to do HTTPS requests against a specific server on coyn.co as I'm constantly getting "connection reset by peer". The simplest code to reproduce is the following:

package main

import (
	_ "crypto/sha512" // registers SHA-384/SHA-512 so certificates signed with them can be verified
	"crypto/tls"
	"fmt"
)

func main() {
	// nil config: default cipher suites, default version range, certificate verification enabled
	_, err := tls.Dial("tcp", "www.coyn.co:443", nil)
	fmt.Println(err)
}

OpenSSL connects properly, and so does curl on https://www.coyn.co. I've tried playing with the different ciphers, but the server seems to accept a fairly wide range of them. I'm also told this server runs on Windows Azure Cloud Services and they're handling the SSL termination, so it should be properly handled.

Any ideas? I've tried pretty much all the configuration options of the tls and http packages at this point.

Thanks!
Matthieu

Mikio Hara

Jun 11, 2014, 1:47:40 AM
to matthi...@gmail.com, golang-nuts
On Wed, Jun 11, 2014 at 9:56 AM, <matthi...@gmail.com> wrote:

> Any ideas?

let's listen to the conversation of two tls entities. seems, a) the
server wants at least tls1.2; tls.Config{MinVersion:
tls.VersionTLS12}, b) also wants sha384/rsa and/or sha384/ecdsa
hash/sig algorithms in negotiation.

--- a/src/pkg/crypto/tls/common.go Tue Jun 10 20:20:49 2014 -0400
+++ b/src/pkg/crypto/tls/common.go Wed Jun 11 14:40:10 2014 +0900
@@ -122,6 +122,7 @@
const (
hashSHA1 uint8 = 2
hashSHA256 uint8 = 4
+ hashSHA384 uint8 = 5
)

// Signature algorithms for TLS 1.2 (See RFC 5246, section A.4.1)
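Review bot: the value 5 for hashSHA384 matches the HashAlgorithm enum in RFC 5246 (the section the comment below the const block cites), so the constant itself is right; the gap is that nothing in the visible diff touches the code that maps these identifiers to a crypto.Hash when verifying the server's signature, so either include that case in the same change or state in the commit message where it already lives, otherwise the new identifier is only ever advertised, never honoured.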
@@ -143,6 +144,8 @@
{hashSHA256, signatureECDSA},
{hashSHA1, signatureRSA},
{hashSHA1, signatureECDSA},
+ {hashSHA384, signatureRSA},
+ {hashSHA384, signatureECDSA},
}
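Review bot: appending the two SHA-384 entries at the end of the list puts them at lowest preference, which is a sensible default, but once they appear in the client's signature_algorithms extension a server may legitimately sign ServerKeyExchange with SHA-384, so the change needs a handshake test against such a server to confirm verification succeeds; note that SHA-384 is only available when crypto/sha512 is linked in (the original report imports it explicitly with `_ "crypto/sha512"`), so the test should also cover a binary that does not import it.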

matthi...@gmail.com

Jun 11, 2014, 2:42:18 AM
to golan...@googlegroups.com, matthi...@gmail.com
Thanks for the answer. The server actually accepts a whole array of ciphers (see below) and SSL3 to TLS 1.2. I've tested it using https://www.ssllabs.com/ssltest/index.html

It seems that what it's unhappy about is the handshake but it's just a hunch, given that it's hanging up pretty abruptly.

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5

agl

Jun 11, 2014, 6:15:17 PM
to golan...@googlegroups.com, matthi...@gmail.com
On Tuesday, June 10, 2014 11:42:18 PM UTC-7, matthi...@gmail.com wrote:

> Thanks for the answer. The server actually accepts a whole array of ciphers (see below) and SSL3 to TLS 1.2. I've tested it using https://www.ssllabs.com/ssltest/index.html
>
> It seems that what it's unhappy about is the handshake but it's just a hunch, given that it's hanging up pretty abruptly.

Thanks. I've filed https://code.google.com/p/go/issues/detail?id=8190&thanks=8190&ts=1402524873 about this class of broken server. I'll fix it in Go 1.4. For now, you can set the MaxVersion to tls.VersionTLS11 to work around.

Cheers

AGL

matthi...@gmail.com

Jun 11, 2014, 9:00:17 PM
to golan...@googlegroups.com, matthi...@gmail.com
Downgrading the MaxVersion worked, thanks for looking into this.
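The thread's diagnosis boils down to one question: which protocol versions can this server actually complete a handshake for, and does it fail with a TLS alert or by resetting the TCP connection? The program below is an added example, not code from the thread or from the Go project. It pins tls.Config.MaxVersion to each version in turn (it also tries TLS 1.3, which did not exist in 2014, so the same probe is useful against current servers), classifies a "connection reset by peer" or mid-handshake EOF separately from ordinary handshake errors, and then builds the workaround config agl proposed, capping MaxVersion at the newest version that worked. The handshake is done through an injected Dialer so the same logic can run against a stub in a test; the target host in main is a placeholder to be replaced on the command line.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"syscall"
	"time"
)

// Dialer runs one TLS handshake with cfg and returns the handshake error (nil on success).
// It is injected so the probe can target a real server from main or a stub in tests.
type Dialer func(cfg *tls.Config) error

// probeOrder lists the versions to try, newest first.
var probeOrder = []uint16{tls.VersionTLS13, tls.VersionTLS12, tls.VersionTLS11, tls.VersionTLS10}

var versionName = map[uint16]string{
	tls.VersionTLS13: "TLS 1.3", tls.VersionTLS12: "TLS 1.2",
	tls.VersionTLS11: "TLS 1.1", tls.VersionTLS10: "TLS 1.0",
}

// ProbeResult is the outcome of one handshake attempt with MaxVersion pinned.
type ProbeResult struct {
	MaxVersion uint16
	Err        error
	Reset      bool // peer dropped the TCP connection instead of answering with a TLS alert
}

// isReset reports whether err is the abrupt tear-down seen in the thread: a TCP
// RST (ECONNRESET) or the peer closing the socket mid-handshake (EOF).
func isReset(err error) bool {
	return errors.Is(err, syscall.ECONNRESET) || errors.Is(err, io.EOF)
}

// ProbeVersions clones base once per version, pins MaxVersion to it, and records
// whether the handshake succeeded, was reset, or failed for another reason.
func ProbeVersions(dial Dialer, base *tls.Config) []ProbeResult {
	if base == nil {
		base = &tls.Config{}
	}
	results := make([]ProbeResult, 0, len(probeOrder))
	for _, v := range probeOrder {
		cfg := base.Clone()
		// Diagnostic only: allow old versions so MaxVersion below the default
		// MinVersion (TLS 1.2 in current Go) is not rejected before any packet is sent.
		cfg.MinVersion = tls.VersionTLS10
		cfg.MaxVersion = v
		err := dial(cfg)
		results = append(results, ProbeResult{MaxVersion: v, Err: err, Reset: isReset(err)})
	}
	return results
}

// HighestWorking returns the newest version whose handshake succeeded, or 0 if none did.
func HighestWorking(results []ProbeResult) uint16 {
	for _, r := range results {
		if r.Err == nil {
			return r.MaxVersion
		}
	}
	return 0
}

// WorkaroundConfig applies the fix from the thread: keep base as-is but cap MaxVersion at v.
func WorkaroundConfig(base *tls.Config, v uint16) *tls.Config {
	if base == nil {
		base = &tls.Config{}
	}
	cfg := base.Clone()
	cfg.MaxVersion = v
	return cfg
}

// netDialer builds a Dialer that performs a real handshake against addr (host:port).
func netDialer(addr string) Dialer {
	return func(cfg *tls.Config) error {
		d := &net.Dialer{Timeout: 5 * time.Second}
		conn, err := tls.DialWithDialer(d, "tcp", addr, cfg)
		if err != nil {
			return err
		}
		return conn.Close()
	}
}

func main() {
	addr := "www.example.com:443" // placeholder target; pass host:port as the first argument
	if len(os.Args) > 1 {
		addr = os.Args[1]
	}
	results := ProbeVersions(netDialer(addr), &tls.Config{})
	for _, r := range results {
		switch {
		case r.Err == nil:
			fmt.Printf("%-8s ok\n", versionName[r.MaxVersion])
		case r.Reset:
			fmt.Printf("%-8s connection reset/closed during handshake\n", versionName[r.MaxVersion])
		default:
			fmt.Printf("%-8s %v\n", versionName[r.MaxVersion], r.Err)
		}
	}
	if v := HighestWorking(results); v != 0 {
		fmt.Printf("workaround: tls.Config{MaxVersion: %s}\n", versionName[v])
	}
}
```

A server that resets at TLS 1.2 and above but completes at TLS 1.1 shows up as two "reset" rows followed by two "ok" rows, and the printed workaround is exactly the MaxVersion cap used in the thread. Treat the cap as a temporary measure scoped to that one endpoint: lowering MaxVersion for every connection in a process silently removes the newer protocol from all of them.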