SSL handshake failed (-1) for certain https hosts (DEF-2633) (SOLVED)

Hi there,

I’m able to make requests to some https urls, but others fail with the error SSL handshake failed (-1). I’ve looked at the traffic in Wireshark, and I’ve ruled out cipher suite issues. My current suspicion is that it has something to do with SNI. But it would help if I could get a bit more info from you guys:

  • From inspecting the http module, it looks like Defold uses LuaSocket 3.0-rc1. But if I’m not mistaken, the luasocket library on its own doesn’t support TLS, does it?
  • Are you also using something like LuaSec? If so, what version? I found a LuaSec issue that could be related to my problem (https://github.com/brunoos/luasec/issues/44) and the fix was only merged in on Dec 22, 2016.

Thanks,

-Eric

EDIT:
Other threads suggest that you’re not using LuaSec. So what have you used to enable https requests then?

We are not using LuaSocket for http requests. For the SSL handshake we use axTLS. Could you share a URL that doesn’t work?

Here’s an example where the handshake fails: https://d2an7guhswg79.cloudfront.net/

Ah, ok, it really could be SNI then. There’s an open issue here: https://github.com/dsheets/axtls/issues/2

In fact, one of the commenters even suggests a fix.

I think quite a lot of AWS infrastructure relies on SNI, so it would be pretty nice if that functionality could be added.

2 Likes

Ah, yes, that seems to be very likely. I’ve created a ticket: DEF-2633

1 Like

Hello, any news about the ticket above? We are experiencing the same issue with some https requests.

Cheers.

No, no news I’m afraid. Let me see what I can do. I’ll get back to you tomorrow with an update.

2 Likes

No problem, we’re not in a hurry at the moment and we have already found a workaround. :slight_smile:

2 Likes

For what it’s worth, I’m getting the issue with this URL, trying to make an ajax call.
https://randomuser.me/api/

Just going to generate a bunch of names offline and use those, so not a blocking concern.

If it helps at all, I got the same error on a Mac trying to use an old version of ruby to hit the url.

With ruby 2.0.0p648 (2015-12-16 revision 53162) [universal.x86_64-darwin15]
I got this error:

	/System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/net/http.rb:921:in `connect': SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure (OpenSSL::SSL::SSLError)
		from /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/net/http.rb:921:in `block in connect'

When I upgraded local ruby to ruby 2.3.1p112 (2016-04-26 revision 54768) [x86_64-darwin15]

It worked fine.

1 Like

I’m actually working on a fix for this. It should be available in the engine in one or two releases.

4 Likes

Released in Defold 1.2.116.

3 Likes

I think this issue may have resurfaced…
I am finding a lot of sites which can’t establish an https connection, though everything looks fine.

Here are some examples:

https://www.usembassy.gov
https://nomadlist.com/
https://randomuser.me/api/ (mentioned earlier in this post)
https://safeandwell.communityos.org/
https://www.bis.doc.gov
https://fontawesome.com

Code:

	local url = "https://fontawesome.com"
	http.request(url, "GET", function(self, id, response)
		pprint(response)
	end)

Results in:

I have access to a server with a handful of other sites which also give the same result. Every site on the server. Perhaps Defold is not playing nice with some header security policies?

Hmm, seems like a regression in the SSL handshake code. Perhaps the SNI thing again? @Mathias_Westerdahl, any idea what could have gone wrong?

Hello, any info about this issue? I also face this issue on my project when trying to get data from my web.

1 Like

Sorry, we lost track of this one. I will add it to our next sprint starting on Monday.

3 Likes

Also having this issue. Hope we can get some info/fix soon.

Looking into this, for me usembassy.gov actually does work, but I’m investigating it.

1 Like

So, this is a cipher problem and the TLS/SSL library we use does not support Diffie-Hellman ciphers which those sites require (either elliptic curve or “plain”).

Unfortunately adding that is not an easy task so we would most likely need to use a different library which is not a small task and needs to be discussed internally.

Our implementation supports the following ciphers:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256

And nothing else I’m afraid.

6 Likes

Thank you all very much for looking into this, and providing information. I’ve been watching this issue for a while, hoping for a solution. This information I think will solve my use case scenario.

Running an Apache web-server defaults to the following ciphers.

I’m fairly certain I can just add the ciphers mentioned for Defold support, and be good to go. I’ll test when I can and report back.

3 Likes

I finally got around to testing this. Defold SSL connection is successful to my servers if I add
AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA to the default cipher list.

One thing to note, these ciphers were recently marked “weak” by SSL Labs due to the Robot Attack. It didn’t affect my rating, but maybe worth noting.
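As an added example (not Defold’s, axTLS’s or any poster’s own code), here is a Python script that covers the two diagnoses in this thread from the server operator’s side: it compares the suites a server enables with the four static-RSA suites listed above, expands an Apache-style SSLCipherSuite value (the workaround post’s approach) into concrete suite names using the OpenSSL cipher-string rules, and probes a host with and without SNI while offering only those four suites, so that an SNI-only failure can be told apart from a cipher-mismatch failure. The hostname in main is a placeholder and the cipher specs passed to it are constructed; the suite aliases are OpenSSL’s names, which is also what Apache uses.

```python
"""Check whether a TLS client limited to the four static-RSA CBC suites
named in this thread can reach a server, and whether the server needs SNI.
Added example, not Defold's or axTLS's code.  Assumes OpenSSL-style suite
aliases (the names Apache's SSLCipherSuite uses)."""
import socket
import ssl
import sys

# The four suites from the thread (IANA name -> OpenSSL alias).
DEFOLD_SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
}
DEFOLD_CIPHER_STRING = ":".join(DEFOLD_SUITES.values())

# OpenSSL alias prefixes that mark a key exchange other than static RSA.
# Anything without one of these prefixes (e.g. AES128-GCM-SHA256) uses static RSA.
KEX_PREFIXES = ("ECDHE-", "DHE-", "ADH-", "AECDH-", "PSK-", "ECDHE-PSK-",
                "DHE-PSK-", "RSA-PSK-", "SRP-", "TLS_")


def expand_cipher_spec(spec):
    """Expand an OpenSSL cipher spec such as an Apache SSLCipherSuite value
    ('HIGH:!aNULL:!MD5') into the concrete suite aliases it enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def compatibility_report(server_suites):
    """Compare a server's enabled suites with the client's four suites.

    'shared' lists suites both sides support (client order), 'reachable'
    says whether any handshake can succeed, and 'forward_secret_only' is
    True when the server offers nothing but (EC)DHE / TLS 1.3 suites, which
    is exactly the failure mode diagnosed in the thread."""
    offered = set(server_suites)
    shared = [alias for alias in DEFOLD_SUITES.values() if alias in offered]
    static_rsa = [s for s in offered if not s.startswith(KEX_PREFIXES)]
    return {
        "reachable": bool(shared),
        "shared": shared,
        "forward_secret_only": not static_rsa,
    }


def probe(host, port=443, use_sni=True, timeout=5.0):
    """Handshake with `host` offering only DEFOLD_CIPHER_STRING, capped at
    TLS 1.2 so a TLS 1.3 suite cannot mask the result.
    Returns ('ok', negotiated_suite) or ('error', reason)."""
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(DEFOLD_CIPHER_STRING)
    if not use_sni:
        # Without SNI the server may present its default certificate, so skip
        # the hostname match; chain verification stays on.
        ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            name = host if use_sni else None
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                return ("ok", tls.cipher()[0])
    except ssl.SSLError as exc:
        return ("error", exc.reason or str(exc))
    except OSError as exc:
        return ("error", str(exc))


def main(argv):
    host = argv[1] if len(argv) > 1 else "example.com"  # placeholder host
    for use_sni in (True, False):
        status, detail = probe(host, use_sni=use_sni)
        print(f"{host} sni={'on' if use_sni else 'off'}: {status} {detail}")
    # Constructed Apache-style spec: a PFS-only list, then the same list with
    # the workaround post's four suites appended.
    pfs_only = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
    print(compatibility_report(expand_cipher_spec(pfs_only)))
    print(compatibility_report(expand_cipher_spec(pfs_only + ":" + DEFOLD_CIPHER_STRING)))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 tls_probe.py your.host.example` against a server you operate: an `error` with SNI off but `ok` with SNI on points at the SNI problem from the first half of the thread, while `handshake failure` in both cases with `forward_secret_only` True in the report is the cipher mismatch from the second half. The report deliberately flags static-RSA suites separately, since adding them (as the workaround does) trades forward secrecy for compatibility.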