Why is the MinVersion flag being ignored in my Go code?
Question
I'm trying to debug a failing connection to a given host. I've recorded packet captures for successful requests made to this host via the browser, as well as unsuccessful requests made via my Go code below:
    package main

    import (
        "crypto/tls"
        "log"
    )

    func main() {
        log.SetFlags(log.Lshortfile)

        // Pin the client to TLS 1.3 only.
        conf := &tls.Config{
            //InsecureSkipVerify: true,
            MinVersion: tls.VersionTLS13,
            MaxVersion: tls.VersionTLS13,
        }

        // tls.Dial performs the TCP connect and the full TLS handshake.
        conn, err := tls.Dial("tcp", "x.x.x.x:443", conf)
        if err != nil {
            log.Println(err)
            return
        }
        defer conn.Close()

        n, err := conn.Write([]byte("hello\n"))
        if err != nil {
            log.Println(n, err)
            return
        }

        buf := make([]byte, 100)
        n, err = conn.Read(buf)
        if err != nil {
            log.Println(n, err)
            return
        }

        println(string(buf[:n]))
    }
After inspecting the Client Hello packet in both the successful and unsuccessful requests, I've noticed that successful requests use TLSv1.3, whereas unsuccessful requests use TLSv1.2.
My code above specifies that I only want to use TLSv1.3 in my request, but for whatever reason the request still attempts to use TLSv1.2. I've tried consulting various example HTTP clients written in Go, and have confirmed that I'm using the correct syntax. Any ideas what I'm doing wrong here?
Answer 1
Score: 0
A TLS 1.3 handshake also begins with a TLS 1.2 Client Hello.
If we specify TLS 1.3 in Golang code, there is only one entry, TLS 1.3, in the supported_versions extension.
If the server does not support TLS 1.3, or for any other reason the connection fails in the handshake phase, it would look like a failed TLS 1.2 connection.
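The answer's point can be checked without a packet capture. The Go program below is an added example, not code from the question or the answer: it has crypto/tls write its ClientHello into an in-memory pipe and reads back the legacy_version field and the supported_versions extension. The function name `helloVersions` and the server name `example.test` are assumptions made for the illustration.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"fmt"
	"io"
	"net"
)

// helloVersions returns legacy_version and supported_versions from crypto/tls's own ClientHello.
func helloVersions(lo, hi uint16) (legacy uint16, supported []uint16, err error) {
	conf := &tls.Config{ServerName: "example.test", MinVersion: lo, MaxVersion: hi} // placeholder name, never dialed
	c, s := net.Pipe() // in-memory connection: the hello never reaches a network
	defer s.Close()
	go func() { tls.Client(c, conf).Handshake(); c.Close() }() // ends once s closes
	u16 := binary.BigEndian.Uint16
	hdr := make([]byte, 5) // record header: type, version, length
	if _, err = io.ReadFull(s, hdr); err != nil {
		return
	}
	p := make([]byte, u16(hdr[3:]))
	if _, err = io.ReadFull(s, p); err != nil {
		return
	}
	defer func() { // a truncated field panics on slicing; report it as an error
		if recover() != nil {
			err = fmt.Errorf("malformed ClientHello")
		}
	}()
	legacy, p = u16(p[4:]), p[4+2+32:] // 4-byte handshake header, version, random
	p = p[1+int(p[0]):]                // legacy_session_id
	p = p[2+int(u16(p)):]              // cipher_suites
	p = p[1+int(p[0]):]                // legacy_compression_methods
	for p = p[2 : 2+int(u16(p))]; len(p) >= 4; {
		typ, data := u16(p), p[4 : 4+int(u16(p[2:]))]
		p = p[4+len(data):]
		if typ == 43 { // supported_versions: 1-byte list length, 2-byte entries
			for v := data[1 : 1+int(data[0])]; len(v) >= 2; v = v[2:] {
				supported = append(supported, u16(v))
			}
		}
	}
	return
}

func main() {
	legacy, supported, err := helloVersions(tls.VersionTLS13, tls.VersionTLS13)
	fmt.Printf("legacy_version=%#04x supported_versions=%#04x err=%v\n", legacy, supported, err)
}
```

With both limits set to TLS 1.3, legacy_version is 0x0303 and supported_versions holds only 0x0304. The 0x0303 is the fixed legacy value RFC 8446 requires, not the version on offer.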