SSL handshake failed (-1) for certain https hosts (DEF-2633) (SOLVED)

**sonountaleban** · June 8, 2017, 3:27pm

Hello, any news about the ticket above? We are experiencing the same issue with some https requests.

Cheers.

**britzl** · June 8, 2017, 6:44pm

No, no new I’m afraid. Let me see what I can do. I’ll get back to you tomorrow with an update.

**sonountaleban** · June 9, 2017, 7:53am

No problem, we’re not in a hurry at the moment and we have already found a workaround.

**goodgoblin** · October 10, 2017, 2:39am

for what it’s worth - I’m getting the issue with this URL, trying to make an ajax call.
https://randomuser.me/api/

Just going to generate a bunch of names offline and use those, so not a blocking concern.

if it helps at all – I got the same error on a mac trying to use an old version of ruby to hit the url.

With ruby 2.0.0p648 (2015-12-16 revision 53162) [universal.x86_64-darwin15]
I got this error:

/System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/net/http.rb:921:in connect': SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure (OpenSSL::SSL::SSLError) from /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/net/http.rb:921:inblock in connect’

When I upgraded local ruby to ruby 2.3.1p112 (2016-04-26 revision 54768) [x86_64-darwin15]

It worked fine.

**britzl** · October 10, 2017, 4:25am

I’m actually working on a fix for this. It should be availably in the engine in one or two releases.

**britzl** · October 31, 2017, 5:13pm

Released in Defold 1.2.116.

**decoded** · September 19, 2018, 12:55pm

I think this issue may have resurfaced…
I am finding a lot of sites which can’t establish https connection - though everything looks fine.

Here are some examples:

https://www.usembassy.gov
https://nomadlist.com/
https://randomuser.me/api/ (mentioned earlier in this post):
https://safeandwell.communityos.org/
https://www.bis.doc.gov
https://fontawesome.com

Code:

	local url = "https://fontawesome.com"
	http.request(url, "GET", function(self, id, response)
	pprint(response)
	end)

Results in:

I have access to a server with a handful of other sites which also result the same. Every site on the server. Perhaps Defold is not playing nice with some header security policies?

**britzl** · September 19, 2018, 6:38pm

Hmm, seems like a regression in the SSL handshake code. Perhaps the SNI thing again? @Mathias_Westerdahl, any idea what could have gone wrong?

**aladdinTM** · January 17, 2019, 5:35am

Hello, any info about this issue?, I also face this issue on my project when trying to get data from my web.

**britzl** · January 17, 2019, 5:09am

Sorry, we lost track of this one. I will add it to our next sprint starting on Monday.

**polycursegames** · January 17, 2019, 7:44pm

Also having this issue. Hope we can get some info/fix soon.

**inactive-vilse** · January 31, 2019, 10:32am

Looking into this, for me usembassy.gov actually do work, but I’m investigating it.

**inactive-vilse** · January 31, 2019, 2:13pm

So, this is a cipher problem and the TLS/SSL library we use does not support Diffie Hellman ciphers which those sites requires (either elliptic curve or “plain”).

Unfortunately adding that is not an easy task so we would most likely need to use a different library which is not a small task and needs to be discussed internally.

Our implementation supports the following ciphers:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256

And nothing else I’m afraid.

**decoded** · February 1, 2019, 3:57pm

Thank you all very much for looking into this, and providing information. I’ve been watching this issue for a while, hoping for a solution. This information I think will solve my use case scenario.

Running an Apache web-server defaults to the following ciphers.

I’m fairly certain I can just add the ciphers mentioned for Defold support, and be good to go. I’ll test when I can and report back.

**decoded** · March 18, 2019, 5:19am

I finally got around to testing this. Defold SSL connection is successful to my servers if I add
AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA to the default cipher list.

One thing to note, these ciphers were recently marked “weak” by SSL Labs due to the Robot Attack. It didn’t effect my rating, but maybe worth noting.

**britzl** · March 18, 2019, 6:10am

Thank you for providing an update and confirming that it was indeed the ciphers.

Yes, this is something we need to address at some point. Thank you for pointing this out.

**inactive-vilse** · March 18, 2019, 8:05am

The documentation was updated with supported cipher suites a couple of release ago here: https://www.defold.com/ref/http/#http.request:url-method-callback--headers---post_data---options-

Changing our SLL library to allow more modern ciphers is in the backlog, as @britzl stated.

**Dragosha** · March 18, 2019, 9:36am

Does it help with:

?

**britzl** · March 18, 2019, 11:57am

We are making progress on this issue and we have at east partially pinpointed the problem. We will continue to work on it this sprint, and hopefully have a solution in place soon.

**AGulev** · September 16, 2019, 12:41pm

We replaced the old SSL library with the new one mbedTLS.
It should work fine starting 1.2.162