去https客户端问题 - 远程错误:tls:握手失败

时间:2016-12-20 20:22:37

标签: ssl go https tls1.2

我遇到此错误'远程错误:tls:握手失败':

~/go/bin/aci-tls 10.0.0.201 user pass
2016/12/20 18:12:04 post error: Post https://10.0.0.201/api/aaaLogin.json: remote error: tls: handshake failure

代码是基本的HTTPS客户端:https://play.golang.org/p/cqPT0oR__q

OpenSSL对此https服务器感到满意:

$ openssl s_client -connect 10.0.0.201:443

(snip)
SSL handshake has read 1383 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
(snip)

经过测试:

$ go version
go version go1.7.4 linux/386

C:\>go version
go version go1.7.4 windows/amd64

gotlsscan说:

lab@ubu:~$ go version
go version go1.8beta2 linux/386
lab@ubu:~$ ~/go/bin/gotlsscan -host 10.0.0.201 | grep -v NOT
Testing SSL30 (DISABLED)
Testing TLS1.0
Testing TLS1.1
Testing TLS1.2
lab@ubu:~$
lab@ubu:~$ ~/go/bin/gotlsscan -insecure -host 10.0.0.201 | grep -v NOT
Testing SSL30 (DISABLED)
Testing TLS1.0
Testing TLS1.1
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            [OK]
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            [OK]
Testing TLS1.2

如何进一步解决此问题?

1 个答案:

答案 0 :(得分:3)

服务器由于某种原因不接受TLS1.2握手,也不能正确回退到TLS1.1。您可以强制客户端仅使用TLS1.1和兼容的密码套件

cfg := &tls.Config{
    CipherSuites: []uint16{
        tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
        tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    },
    PreferServerCipherSuites: true,
    InsecureSkipVerify:       true,
    MinVersion:               tls.VersionTLS11,
    MaxVersion:               tls.VersionTLS11,
}
相关问题
最新问题