chromium / hstspreload.org

:lock: Chromium's HSTS preload list submission website.
https://hstspreload.org
BSD 3-Clause "New" or "Revised" License

Client.Timeout exceeded while awaiting headers #155

Closed danDanV1 closed 6 years ago

danDanV1 commented 6 years ago

What TLS versions and ciphers does the hstspreload client support?

Our servers have an A+ SSL rating with the Qualys SSL labs test, but hstspreload.org can't connect to it.

Error from hstspreload.org:

Error: Cannot connect using TLS
We cannot connect to https://_______.com using TLS ("Get https://_______.com: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)").

We support the following protocols:

| Protocol | Supported |
| --- | --- |
| TLS 1.3 | No |
| TLS 1.2 | Yes |
| TLS 1.1 | Yes |
| TLS 1.0 | Yes |

Ciphers:

TLS 1.2 (suites in server-preferred order)

| Cipher suite | Key exchange | FS | Bits |
| --- | --- | --- | --- |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) | ECDH secp384r1 (eq. 7680 bits RSA) | FS | 256 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) | DH 4096 bits | FS | 256 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) | ECDH secp384r1 (eq. 7680 bits RSA) | FS | 256 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) | ECDH secp384r1 (eq. 7680 bits RSA) | FS | 128 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) | ECDH secp384r1 (eq. 7680 bits RSA) | FS | 128 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) | ECDH secp384r1 (eq. 7680 bits RSA) | FS | 128 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) | ECDH secp384r1 (eq. 7680 bits RSA) | FS | 256 |

TLS 1.1 (suites in server-preferred order)

| Cipher suite | Key exchange | FS | Bits |
| --- | --- | --- | --- |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) | ECDH secp384r1 (eq. 7680 bits RSA) | FS | 128 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) | ECDH secp384r1 (eq. 7680 bits RSA) | FS | 256 |

TLS 1.0 (suites in server-preferred order)

| Cipher suite | Key exchange | FS | Bits |
| --- | --- | --- | --- |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) | ECDH secp384r1 (eq. 7680 bits RSA) | FS | 128 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) | ECDH secp384r1 (eq. 7680 bits RSA) | FS | 256 |

danDanV1 commented 6 years ago

What IPs does hstspreload.org send the connection request from?

lgarron commented 6 years ago

hstspreload.org currently runs on App Engine, but you should probably not be looking for specific IPs.

You didn't mention your domain, so I can't debug it. However, the scanner uses the Go standard library. Are you able to run the hstspreload tool locally?

go get github.com/chromium/hstspreload/...
hstspreload preloadabledomain _______.com

nharper commented 6 years ago

This issue was determined to be caused by the server in question blocking clients if an HTTP request is made without the Accept header.
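The root cause nharper identified (an origin that refuses requests carrying no Accept header, which Go's net/http client never sends unless the caller adds one) can be reproduced locally with the same standard-library client the scanner uses. The program below is an added example written for this page; it is not code from the hstspreload project or from anyone in this thread. Its "picky" test server is a constructed stand-in: the stall-until-timeout behaviour on a missing Accept header is an assumption about how the reporter's origin behaved, and the HSTS header value it returns is made up for illustration.

```go
// Added example, not part of chromium/hstspreload: reproduce an origin that
// stalls requests lacking an Accept header and show why a Go net/http client
// (the scanner) times out against it while browsers and curl do not.
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newPickyServer is a constructed stand-in for the reporter's origin (assumed
// behaviour): a request without an Accept header is never answered, so the
// client sees "Client.Timeout exceeded while awaiting headers". Requests that
// carry Accept get a 200 with an illustrative HSTS header.
func newPickyServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Accept") == "" {
			select {
			case <-r.Context().Done(): // client gave up and closed the connection
			case <-time.After(2 * time.Second): // safety bound so the example always ends
			}
			return
		}
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")
		fmt.Fprintln(w, "ok")
	}))
}

// sentHeaders performs one GET with the given client against a capture server
// and returns the request headers the server received. With a plain net/http
// client this is User-Agent and Accept-Encoding only; no Accept is added.
func sentHeaders(client *http.Client) (http.Header, error) {
	seen := make(chan http.Header, 1)
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Clone()
	}))
	defer srv.Close()
	resp, err := client.Get(srv.URL)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	return <-seen, nil
}

// probe issues the GET the way the scanner does (net/http with a client
// timeout) and returns the status code and HSTS header. An empty accept
// sends no Accept header at all, matching Go's default.
func probe(target, accept string, timeout time.Duration) (int, string, error) {
	client := &http.Client{Timeout: timeout}
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return 0, "", err
	}
	if accept != "" {
		req.Header.Set("Accept", accept)
	}
	resp, err := client.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	return resp.StatusCode, resp.Header.Get("Strict-Transport-Security"), nil
}

// isClientTimeout distinguishes the client deadline firing before response
// headers arrived from other failures (DNS, TCP, TLS handshake).
func isClientTimeout(err error) bool {
	var ne net.Error
	return errors.As(err, &ne) && ne.Timeout()
}

func main() {
	srv := newPickyServer()
	defer srv.Close()

	hdr, err := sentHeaders(http.DefaultClient)
	if err != nil {
		fmt.Println("capture failed:", err)
		return
	}
	fmt.Printf("default Go client sends Accept=%q User-Agent=%q\n", hdr.Get("Accept"), hdr.Get("User-Agent"))

	if _, _, err := probe(srv.URL, "", 300*time.Millisecond); err != nil {
		fmt.Printf("without Accept: %v (client timeout: %v)\n", err, isClientTimeout(err))
	}
	if code, hsts, err := probe(srv.URL, "*/*", 300*time.Millisecond); err == nil {
		fmt.Printf("with Accept: %d HSTS=%q\n", code, hsts)
	}
}
```

Run it with `go run .`; the first probe fails with the same "Client.Timeout exceeded while awaiting headers" wording the site reported, the second succeeds. Note that curl sends `Accept: */*` on its own, so a command-line reproduction against a real origin must suppress it explicitly (`curl -sv -H 'Accept:' https://example.com`), otherwise the origin looks healthy and the Go-specific failure stays hidden. The same applies to any WAF or reverse-proxy rule that keys on browser-like headers: it will reject the preload scanner and other well-formed non-browser clients alike.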