Go https client issue - remote error: tls: handshake failure

Question

I am hitting this error 'remote error: tls: handshake failure':

~/go/bin/aci-tls 10.0.0.201 user pass
2016/12/20 18:12:04 post error: Post https://10.0.0.201/api/aaaLogin.json: remote error: tls: handshake failure

Code is basic HTTPS client: https://play.golang.org/p/cqPT0oR__q

OpenSSL is happy with this https server:

$ openssl s_client -connect 10.0.0.201:443

(snip)
SSL handshake has read 1383 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
(snip)

Tested on:

$ go version
go version go1.7.4 linux/386

C:\>go version
go version go1.7.4 windows/amd64

gotlsscan says:

lab@ubu:~$ go version
go version go1.8beta2 linux/386
lab@ubu:~$ ~/go/bin/gotlsscan -host 10.0.0.201 | grep -v NOT
Testing SSL30 (DISABLED)
Testing TLS1.0
Testing TLS1.1
Testing TLS1.2
lab@ubu:~$
lab@ubu:~$ ~/go/bin/gotlsscan -insecure -host 10.0.0.201 | grep -v NOT
Testing SSL30 (DISABLED)
Testing TLS1.0
Testing TLS1.1
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            [OK]
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            [OK]
Testing TLS1.2

How can I further troubleshoot this issue?

Answer 1

The server for some reason doesn't accept the TLS1.2 handshake, nor does it properly fall back to TLS1.1. You can force the client to use only TLS1.1 and the compatible cipher suites with

cfg := &tls.Config{
    CipherSuites: []uint16{
        tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
        tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    },
    PreferServerCipherSuites: true,
    InsecureSkipVerify:       true,
    MinVersion:               tls.VersionTLS11,
    MaxVersion:               tls.VersionTLS11,
}