TLS 1.0 and 1.1 connections failing

manaaa · January 10, 2025, 3:33pm

Hello together,

I am creating a tls encrypted http server and decreased the minimum supported tls version in the used tls.Config (despite knowing that 1.0 and 1.1 are EOL).

I did not find anything in the godocs that this should not work but when I run the code in the example below by providing a self signed certificate and key, I receive an error that the protocol is unsupported. Additionally I have also tried to set the GODEBUG variable to tls10server=1, which had also no effect.

package main

import (
	"crypto/tls"
	"log"
	"net/http"
)

func main() {

	server := http.Server{
		Addr: "0.0.0.0:8080",
		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			w.WriteHeader(http.StatusOK)
			w.Write([]byte("success"))
		}),
	}
	server.TLSConfig = &tls.Config{MinVersion: tls.VersionTLS10}
	if err := server.ListenAndServeTLS("server.crt", "server.key"); err != nil {
		log.Fatalf("server crashed :: %s", err.Error())
	}

}

I have tried the tls check to the server with the command below (same outcome for curl with argument --tls-max 1.0):

openssl s_client -connect localhost:8080 -tls1_1

aswell as:

openssl s_client -connect localhost:8080 -tls1_0

both are failing with the following error message:

CONNECTED(00000003)
409776618F7F0000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:…/ssl/statem/statem_lib.c:104:

In the applications output I can see the following entry:

2025/01/10 16:17:21 http: TLS handshake error from 172.21.29.106:33582: remote error: tls: protocol version not supported

Does somebody have a hint, what I am doing wrong or if these two TLS versions are completely unsupported by Go even though I did not find anything related in the godocs.

Thank you very much for your help and hints.

Best regards,
Timo

peakedshout · January 10, 2025, 4:26pm

remote error: tls: protocol version not supported is a common SSL/TLS connection error that indicates that the client and server cannot agree on the SSL/TLS protocol version to use. Specifically, the client proposes a version of SSL/TLS that the server either doesn’t support, or the server deems too old to be a security risk
. For example, when a client tries to connect with an older SSL 3.0 version and the server only supports TLS 1.2 or later, the server may send the client a handshake failure message with a “protocol_version” warning

Trying to limit the maximum version?

	tls.Config{MinVersion: tls.VersionTLS10,MaxVersion: tls.VersionTLS11}

manaaa · January 10, 2025, 4:51pm

Hi,

first of all thank you for your response.
You are totally right, allowing the client a TLS version >= TLS 1.2 works like expected.

I know that default TLS config of Go comes with TLS minimum version of 1.2.

In my real code I have tried multiple combinations of min and max version along with various cipher suites.

I just provided a minimal example to demonstrate my struggle and to easily reproduce it.

I decreased my minimum TLS version to 1.0 because I wanted to make sure that in case a client only supports TLS < 1.2 (which some really low percentile in the real world does) that my server can be configured by my own risk to support these clients as well.

This openssl commando which I have posted checks whether a tls connection with the given parameter can be established in this case tls 1.1 and tls 1.0, which is not working even though I have set the minVersion to “VersionTLS10”.

If I run the same openssl command with tls1_2 it again works like a charm.

I hope this clarifies what I am trying to achieve.

Best regards,
Timo

system · April 10, 2025, 4:51pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.