SSL handshake failed (-1) for certain https hosts (DEF-2633) (SOLVED)

#6

Hello, any news about the ticket above? We are experiencing the same issue with some https requests.

Cheers.

0 Likes

#7

No, no new I’m afraid. Let me see what I can do. I’ll get back to you tomorrow with an update.

2 Likes

#8

No problem, we’re not in a hurry at the moment and we have already found a workaround. :slight_smile:

2 Likes

#9

for what it’s worth - I’m getting the issue with this URL, trying to make an ajax call.
https://randomuser.me/api/

Just going to generate a bunch of names offline and use those, so not a blocking concern.

if it helps at all – I got the same error on a mac trying to use an old version of ruby to hit the url.

With ruby 2.0.0p648 (2015-12-16 revision 53162) [universal.x86_64-darwin15]
I got this error:

/System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/net/http.rb:921:in connect': SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure (OpenSSL::SSL::SSLError) from /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/net/http.rb:921:inblock in connect’

When I upgraded local ruby to ruby 2.3.1p112 (2016-04-26 revision 54768) [x86_64-darwin15]

It worked fine.

1 Like

#10

I’m actually working on a fix for this. It should be availably in the engine in one or two releases.

4 Likes

#11

Released in Defold 1.2.116.

3 Likes

#12

I think this issue may have resurfaced…
I am finding a lot of sites which can’t establish https connection - though everything looks fine.

Here are some examples:

https://www.usembassy.gov
https://nomadlist.com/
https://randomuser.me/api/ (mentioned earlier in this post):
https://safeandwell.communityos.org/
https://www.bis.doc.gov
https://fontawesome.com

Code:

	local url = "https://fontawesome.com"
	http.request(url, "GET", function(self, id, response)
	pprint(response)
	end)

Results in:

I have access to a server with a handful of other sites which also result the same. Every site on the server. Perhaps Defold is not playing nice with some header security policies?

0 Likes

#13

Hmm, seems like a regression in the SSL handshake code. Perhaps the SNI thing again? @Mathias_Westerdahl, any idea what could have gone wrong?

0 Likes

#14

Hello, any info about this issue?, I also face this issue on my project when trying to get data from my web.

1 Like

#15

Sorry, we lost track of this one. I will add it to our next sprint starting on Monday.

3 Likes

#16

Also having this issue. Hope we can get some info/fix soon.

0 Likes

#17

Looking into this, for me usembassy.gov actually do work, but I’m investigating it.

1 Like

#18

So, this is a cipher problem and the TLS/SSL library we use does not support Diffie Hellman ciphers which those sites requires (either elliptic curve or “plain”).

Unfortunately adding that is not an easy task so we would most likely need to use a different library which is not a small task and needs to be discussed internally.

Our implementation supports the following ciphers:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256

And nothing else I’m afraid.

6 Likes

#19

Thank you all very much for looking into this, and providing information. I’ve been watching this issue for a while, hoping for a solution. This information I think will solve my use case scenario.

Running an Apache web-server defaults to the following ciphers.

I’m fairly certain I can just add the ciphers mentioned for Defold support, and be good to go. I’ll test when I can and report back.

3 Likes

#20

I finally got around to testing this. Defold SSL connection is successful to my servers if I add
AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA to the default cipher list.

One thing to note, these ciphers were recently marked “weak” by SSL Labs due to the Robot Attack. It didn’t effect my rating, but maybe worth noting.

0 Likes

#21

Thank you for providing an update and confirming that it was indeed the ciphers.

Yes, this is something we need to address at some point. Thank you for pointing this out.

1 Like

#22

The documentation was updated with supported cipher suites a couple of release ago here: https://www.defold.com/ref/http/#http.request:url-method-callback--headers---post_data---options-

Changing our SLL library to allow more modern ciphers is in the backlog, as @britzl stated.

2 Likes

#23

Does it help with:


?

0 Likes

#24

We are making progress on this issue and we have at east partially pinpointed the problem. We will continue to work on it this sprint, and hopefully have a solution in place soon.

2 Likes

#25

We replaced the old SSL library with the new one mbedTLS.
It should work fine starting 1.2.162

3 Likes