chromium/hstspreload.org

Client.Timeout exceeded while awaiting headers

danDanV1 opened this issue · 3 comments

What TLS versions and ciphers does the HSTSpreload client support?

Our servers have an A+ SSL rating with the Qualys SSL labs test, but hstspreload.org can't connect to it.

Error from hstspreload.org:

Error: Cannot connect using TLS
We cannot connect to https://_______.com using TLS ("Get https://_______.com: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)").

We support the following protocols:

| Protocol | Supported |
|---|---|
| TLS 1.3 | No |
| TLS 1.2 | Yes |
| TLS 1.1 | Yes |
| TLS 1.0 | Yes |

Ciphers:

# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp384r1 (eq. 7680 bits RSA)   FS | 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 4096 bits   FS | 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp384r1 (eq. 7680 bits RSA)   FS | 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp384r1 (eq. 7680 bits RSA)   FS | 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp384r1 (eq. 7680 bits RSA)   FS | 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp384r1 (eq. 7680 bits RSA)   FS | 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp384r1 (eq. 7680 bits RSA)   FS | 256

# TLS 1.1 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp384r1 (eq. 7680 bits RSA)   FS | 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp384r1 (eq. 7680 bits RSA)   FS | 256

# TLS 1.0 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp384r1 (eq. 7680 bits RSA)   FS | 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp384r1 (eq. 7680 bits RSA)   FS | 256

What IPs does hstspreload.org send the connection request from?

hstspreload.org currently runs on App Engine, but you should probably not be looking for specific IPs.

You didn't mention your domain, so I can't debug it. However, the scanner uses the Go standard library. Are you able to run the hstspreload tool locally?

go get github.com/chromium/hstspreload/...
hstspreload preloadabledomain _______.com

This issue was determined to be caused by the server in question blocking clients if an HTTP request is made without the Accept header.