HTTPS request with HTTPoison

bender · December 11, 2021, 12:54pm

Hello.

I spent a day trying manage this wall, but didn’t successed. When I send a request it ends up with an error:

** (HTTPoison.Error) {:tls_alert, {:handshake_failure, 'TLS client: In state hello received SERVER ALERT: Fatal - Handshake Failure\n'}}
    (httpoison 1.8.0) lib/httpoison.ex:156: HTTPoison.request!/5

The same problem is described here HTTPS handshake error: Fatal - Handshake Failure - #11 by rjk but solution didn’t help.

Here is my code:

    rsa_kx = :ssl.cipher_suites(:all, :"tlsv1.2") ++ [%{key_exchange: :rsa, cipher: :aes_256_cbc, mac: :sha256}]

    HTTPoison.get!("https://etpgpb.ru/procedures.json", [],
      ssl: [
        ciphers: rsa_kx,
        verify: :verify_peer,
        cacertfile: :certifi.cacertfile(),
        depth: 3,
        customize_hostname_check: [
          match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
        ]
      ],
      log_level: :debug
    )

Also some details from nmap and curl.

nmap:

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Forward Secrecy not supported by any cipher
|   TLSv1.1: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Forward Secrecy not supported by any cipher
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Forward Secrecy not supported by any cipher
|_  least strength: A

curl:

* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES128-SHA

bender · December 11, 2021, 1:10pm

I would be ok with insecure connection, something like HTTPoison.get!("https://etpgpb.ru/procedures.json", [], hackney: [:insecure]) but it doesn’t work either.

rjk · December 11, 2021, 3:32pm

could you post the openssl/libressl and OTP versions? I just tried your call on my install and your first HTTPoison calls works fine here.

I got:

$ elixir --version
Erlang/OTP 24 [erts-12.0.4] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] [jit]

Elixir 1.12.3 (compiled with Erlang/OTP 24)

and

$ openssl version
OpenSSL 1.1.1k  25 Mar 2021

Could be as simple as upgrading one or both of them. (or not , tls issues are nasty)

It also works if I use only this for ciphers: ciphers: :ssl.cipher_suites(:all, :"tlsv1.2")

bender · December 11, 2021, 5:56pm

Hm, interesting I will try to find solution in this way. Thank you.

openssl version

LibreSSL 2.8.3


elixir --version

Erlang/OTP 24 [erts-12.1.2] [source] [64-bit] [smp:4:4] [ds:4:4:10] [async-threads:1] [jit]

Elixir 1.12.3 (compiled with Erlang/OTP 24)

bender · December 11, 2021, 6:52pm

Fun fact docker image elixir:latest also doesn’t work with my request. Might be because the version of openssl is OpenSSL 1.1.1d 10 Sep 2019.

voltone · December 12, 2021, 7:10am

The server only supports TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA, which in :ssl terms would be:

iex(1)> supported = Enum.map(['TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA'], &:ssl.str_to_suite/1)
[                                                           
  %{cipher: :aes_128_cbc, key_exchange: :rsa, mac: :sha, prf: :default_prf},
  %{cipher: :aes_256_cbc, key_exchange: :rsa, mac: :sha, prf: :default_prf}
]

Not only are those cipher suites not enabled by default, they are not supported by :ssl unless you explicitly downgrade the TLS version to 1.1. If a newer version of TLS is active, the initial handshake message to the server will optimistically try to negotiate the newest version, and it won’t offer those old (deprecated) cipher suites.

So after running the above, this will work (using :hackney_ssl.check_hostname_opts/1 to ensure all the other options are set correctly):

iex(2)> check_hostname_opts = :hackney_ssl.check_hostname_opts('etpgpb.ru')
# ...
iex(3)> ssl_opts = Keyword.merge(check_hostname_opts, ciphers: supported, versions: [:"tlsv1.1"])
# ...
iex(3)> HTTPoison.get!("https://etpgpb.ru/procedures.json", [], ssl: ssl_opts)
%HTTPoison.Response{
  #...
  status_code: 200
}