Using HTTPS, TLSV1 fatal handshake


(Graham Chiu) #1

I implemented https using this walkthrough, and browser clients get https.

There are no errors in the logs as above

But at least one person says that they can’t login anymore. And my scripting agent can no longer read the pages ( though it’s able to read https://meta.discourse.org and https://letsencrypt.org/ with no problems).

I’m getting a TLSV1 fatal handshake failure showing in wireshark.

Can someone decode the ssllabs report to let me know what the issue is.

I’m also seeing handshake failures there too

Handshake Simulation
Android 2.3.7   No SNI 2	Server sent fatal alert: handshake_failure
[..]
OpenSSL 0.9.8y	Server sent fatal alert: handshake_failure

As an alternative, can I just turn off the redirect from http to https?

Perhaps by commenting out discourse_docker/web.ssl.template.yml at master · discourse/discourse_docker · GitHub


Setting up Let's Encrypt
(Matt Palmer) #2

Are you able to provide a reproducible test case? The description of your error is vague and unhelpful. Is your scripting agent running OpenSSL 0.9.8y or Android 2.3.7?


(Jay Pfaffman) #3

You followed the let’s encrypt instructions?

forum.rebol.info works fine if you access https. Http doesn’t respond, somehow.

The link you provide gives the site an A+ rating.


(Graham Chiu) #4

Yeah, I disabled the redirect I thought but the site no longer works with http :frowning:

And, yes, I see the A+ rating but I also see fatal handshake errors in the report and I think that’s what is killing my scripting client.


(Matt Palmer) #5

That’s probably HSTS getting in the way.

Why? Is your scripting client using OpenSSL 0.9.8y, or running on Android 2.3.7?


(Graham Chiu) #6

It’s using open source encryption software dated 2007. So, it may well be a bit out of date :frowning:


(Matt Palmer) #7

The SSL Labs report indicates that TLS v1.0 is enabled. That standard was published in 1999. If your scripting client doesn’t support at least TLS v1.0, you really need to upgrade it, and if it does, then you’re OK. It’s possible that none of the available cipher suites are ones your scripting client supports, but in that case, again, you probably want to upgrade your scripting client, because everything else is pretty nasty.

Once again, though, I’m only guessing, because you’re providing very vague answers, rather than anything concrete.


(Graham Chiu) #8

Well, it’s an open source product so if it can be fixed, then we will try.

So, here’s our discussion of the issue here


(Graham Chiu) #9

Are there other discourse sites using Letsencrypt that I can check against to see if it’s a configuration issue on our side that is breaking us.

This site and letsencrypt itself can be read by our scripting agent.


(Rafael dos Santos Silva) #10

Try this one:


(Graham Chiu) #11

That one reads fine!

The thought is that

“our discourse server” only supports TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA or TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, while rebol only supports these

So, if I can change the cipher suite to one rebol supports, then we’ll also be suite.


(Graham Chiu) #12

I ran the ssllabs report on https://community.letsencrypt.org and it supports for TLS 1.0

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS	128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 2048 bits   FS	128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS	256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 2048 bits   FS

So, I guess I need to find out how I can configure the support for TLS_DHE_RSA_WITH_AES_128_CBC_SHA which we have


(Graham Chiu) #13

The cipher suite settings appear to be here

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA;

So, I have tried to put in TLS-DHE-RSA-WITH-AES-256-CBC-SHA but I’ve run out of disk space so can’t commit the changes. :frowning:


(Graham Chiu) #14

I resized the disk and rebuilt but it hasn’t changed the cipher suites available.


(Graham Chiu) #15

The chaps at https://community.letsencrypt.org/ tell me they use a discourse hosted instance so don’t know what their SSL template web.ssl.template.yml says.

Would anyone here know?


(Kane York) #16

Run ./launcher cleanup and sudo apt clean


(Graham Chiu) #17

Thanks. I’ll give that a go but in the meantime I’ve increased the disk size


(Graham Chiu) #18

Nice, that doubled the amount of free space I had.


(Graham Chiu) #19

(Sam Saffron) #20
  1. mkdir -p containers/templates (this is not in source control)

  2. cp templates/web.ssl.template.yml containers/templates

  3. fuss with the file

  4. add containers/templates/web.ssl.template.yml to you app.yml file in the templates section

  5. profit