Using HTTPS, TLSV1 fatal handshake

gchiu · May 29, 2017, 6:45pm

I implemented https using this walkthrough, and browser clients get https.

There are no errors in the logs as above

But at least one person says that they can’t login anymore. And my scripting agent can no longer read the pages ( though it’s able to read https://meta.discourse.org and https://letsencrypt.org/ with no problems).

I’m getting a TLSV1 fatal handshake failure showing in wireshark.

Can someone decode the ssllabs report to let me know what the issue is.

I’m also seeing handshake failures there too

Handshake Simulation
Android 2.3.7   No SNI 2	Server sent fatal alert: handshake_failure
[..]
OpenSSL 0.9.8y	Server sent fatal alert: handshake_failure

As an alternative, can I just turn off the redirect from http to https?

Perhaps by commenting out https://github.com/discourse/discourse_docker/blob/master/templates/web.ssl.template.yml#L6-L14

mpalmer · May 29, 2017, 10:07pm

Are you able to provide a reproducible test case? The description of your error is vague and unhelpful. Is your scripting agent running OpenSSL 0.9.8y or Android 2.3.7?

pfaffman · May 29, 2017, 10:28pm

You followed the let’s encrypt instructions?

forum.rebol.info works fine if you access https. Http doesn’t respond, somehow.

The link you provide gives the site an A+ rating.

gchiu · May 29, 2017, 11:22pm

Yeah, I disabled the redirect I thought but the site no longer works with http

And, yes, I see the A+ rating but I also see fatal handshake errors in the report and I think that’s what is killing my scripting client.

mpalmer · May 29, 2017, 11:45pm

That’s probably HSTS getting in the way.

Why? Is your scripting client using OpenSSL 0.9.8y, or running on Android 2.3.7?

gchiu · May 30, 2017, 1:19am

It’s using open source encryption software dated 2007. So, it may well be a bit out of date

mpalmer · May 30, 2017, 1:50am

The SSL Labs report indicates that TLS v1.0 is enabled. That standard was published in 1999. If your scripting client doesn’t support at least TLS v1.0, you really need to upgrade it, and if it does, then you’re OK. It’s possible that none of the available cipher suites are ones your scripting client supports, but in that case, again, you probably want to upgrade your scripting client, because everything else is pretty nasty.

Once again, though, I’m only guessing, because you’re providing very vague answers, rather than anything concrete.

gchiu · May 30, 2017, 2:57am

Well, it’s an open source product so if it can be fixed, then we will try.

So, here’s our discussion of the issue here

gchiu · May 30, 2017, 7:01pm

Are there other discourse sites using Letsencrypt that I can check against to see if it’s a configuration issue on our side that is breaking us.

This site and letsencrypt itself can be read by our scripting agent.

Falco · May 30, 2017, 7:02pm

Try this one:

gchiu · May 30, 2017, 7:06pm

That one reads fine!

The thought is that

“our discourse server” only supports TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA or TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, while rebol only supports these

So, if I can change the cipher suite to one rebol supports, then we’ll also be suite.

gchiu · May 30, 2017, 7:29pm

I ran the ssllabs report on https://community.letsencrypt.org and it supports for TLS 1.0

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS	128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 2048 bits   FS	128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS	256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 2048 bits   FS

So, I guess I need to find out how I can configure the support for TLS_DHE_RSA_WITH_AES_128_CBC_SHA which we have

gchiu · May 30, 2017, 11:00pm

The cipher suite settings appear to be here

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA;

So, I have tried to put in TLS-DHE-RSA-WITH-AES-256-CBC-SHA but I’ve run out of disk space so can’t commit the changes.

gchiu · May 31, 2017, 6:12am

I resized the disk and rebuilt but it hasn’t changed the cipher suites available.

gchiu · May 31, 2017, 6:26pm

The chaps at https://community.letsencrypt.org/ tell me they use a discourse hosted instance so don’t know what their SSL template web.ssl.template.yml says.

Would anyone here know?

riking · May 31, 2017, 7:07pm

Run ./launcher cleanup and sudo apt clean

gchiu · May 31, 2017, 9:01pm

Thanks. I’ll give that a go but in the meantime I’ve increased the disk size

gchiu · May 31, 2017, 11:05pm

Nice, that doubled the amount of free space I had.

gchiu · June 4, 2017, 12:38am

sam · June 5, 2017, 3:02pm

mkdir -p containers/templates (this is not in source control)
cp templates/web.ssl.template.yml containers/templates
fuss with the file
add containers/templates/web.ssl.template.yml to you app.yml file in the templates section
profit

Topic		Replies	Views
How should I enable letsencrypt while discourse is beside other websites Installation	20	5023	December 14, 2022
Problem with my SSL certificate Installation	17	11238	June 8, 2024
Set up HTTPS support with Let's Encrypt Self-Hosting how-to , domains	2	107390	February 25, 2024
HTTPS : issue while trying to set up SSL certification Installation	25	2136	September 30, 2019
SSL/TLS errors on very old browsers connecting to Discourse Support	18	4072	October 9, 2019

Using HTTPS, TLSV1 fatal handshake

Related topics