go: crypto/tls: TLS handshake timeout

What version of Go are you using (go version)?

$ go version
go version go1.15.7 linux/amd64

Does this issue reproduce with the latest release?

I have tested this with Go 1.13+.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/moein/.cache/go-build"
GOENV="/home/moein/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/moein/go/pkg/mod"
GONOPROXY="="
GONOSUMDB="="
GOOS="linux"
GOPATH="/home/moein/go"
GOPRIVATE="="
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib64/go/1.15"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib64/go/1.15/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build173751188=/tmp/go-build -gno-record-gcc-switches"
GOROOT/bin/go version: go version go1.15.7 linux/amd64
GOROOT/bin/go tool compile -V: compile version go1.15.7
uname -sr: Linux 5.10.12-1-default
LSB Version:	n/a
Distributor ID:	openSUSE
Description:	openSUSE Tumbleweed
Release:	20210210
Codename:	n/a
/lib64/libc.so.6: GNU C Library (GNU libc) release release version 2.32 (git 0a8262a1b2).

What did you do?

I have a http.Client like this:

client := &http.Client{
	Timeout: 20 * time.Second,
	Transport: &http.Transport{
		TLSHandshakeTimeout: 10 * time.Second,
	},
}

And I send an HTTP request with: res, err := client.Get(url)

What did you expect to see?

It should return a 2xx response without any error.

What did you see instead?

I get net/http: TLS handshake timeout.

Same URL works perfectly with curl. I have also tried with InsecureSkipVerify: true but it didn’t change anything.

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 18 (7 by maintainers)

Most upvoted comments

@moeen try this client:

client := &http.Client{
	Timeout: 20 * time.Second,
	Transport: &http.Transport{
		TLSHandshakeTimeout: 10 * time.Second,
		TLSClientConfig: &tls.Config{
			MinVersion: tls.VersionTLS12,
			CipherSuites: []uint16{
				tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
				tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, // Go 1.8 only
				tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,   // Go 1.8 only
				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			},
		},
	},
}

It might be that the signature on the wire that Go emits does not look like a browser or curl, hence triggering whatever firewalls your government puts in place.

I am going to mark this issue as NeedsInvestigation.
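
To tell whether a stall like the one reported happens in the TCP connect or in the TLS handshake itself, the two stages can be timed separately. The sketch below is an added example, not code from this issue or from the Go project; `probe`, `swallow`, the loopback listener and the `example.test` server name are constructed for illustration, and it needs Go 1.16+ for `io.Discard`.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net"
	"time"
)

// probe times the TCP connect and the TLS handshake separately and reports the
// failing stage: "dial", "handshake" or "ok". hsTO plays the role of TLSHandshakeTimeout.
func probe(addr string, cfg *tls.Config, dialTO, hsTO time.Duration) (string, time.Duration, error) {
	start := time.Now()
	raw, err := net.DialTimeout("tcp", addr, dialTO)
	if err != nil {
		return "dial", time.Since(start), err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(hsTO))
	conn := tls.Client(raw, cfg)
	start = time.Now()
	if err := conn.Handshake(); err != nil {
		return "handshake", time.Since(start), err
	}
	return "ok", time.Since(start), nil
}

// swallow (constructed stand-in) accepts TCP, reads the ClientHello and never replies.
func swallow(ln net.Listener) {
	for {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		go func() { io.Copy(io.Discard, c); c.Close() }()
	}
}

func main() {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go swallow(ln)
	cfg := &tls.Config{ServerName: "example.test", MinVersion: tls.VersionTLS12} // constructed name
	stage, took, err := probe(ln.Addr().String(), cfg, time.Second, 500*time.Millisecond)
	fmt.Printf("stage=%s after %v: %v\n", stage, took.Round(time.Millisecond), err)
}
```

Passing the default `tls.Config` and then the restricted one from the comment above to `probe` against the same host shows whether changing the ClientHello changes the outcome.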