Client.Timeout exceeded while awaiting headers
danDanV1 opened this issue · 3 comments
danDanV1 commented
What TLS versions and ciphers does the HSTSpreload client support?
Our servers have an A+ SSL rating with the Qualys SSL labs test, but hstspreload.org can't connect to it.
Error from hstspreload.org:
Error: Cannot connect using TLS
We cannot connect to https://_______.com using TLS ("Get https://_______.com: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)").
We support the following protocols:
TLS 1.3 | No
TLS 1.2 | Yes
TLS 1.1 | Yes
TLS 1.0 | Yes
Ciphers:
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp384r1 (eq. 7680 bits RSA) FS | 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 4096 bits FS | 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS | 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp384r1 (eq. 7680 bits RSA) FS | 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp384r1 (eq. 7680 bits RSA) FS | 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp384r1 (eq. 7680 bits RSA) FS | 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp384r1 (eq. 7680 bits RSA) FS | 256
# TLS 1.1 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp384r1 (eq. 7680 bits RSA) FS | 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp384r1 (eq. 7680 bits RSA) FS | 256
# TLS 1.0 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp384r1 (eq. 7680 bits RSA) FS | 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp384r1 (eq. 7680 bits RSA) FS | 256
danDanV1 commented
What IPs does hstspreload.org send the connection request from?
lgarron commented
hstspreload.org currently runs on App Engine, but you should probably not be looking for specific IPs.
You didn't mention your domain, so I can't debug it. However, the scanner uses the Go standard library. Are you able to run the hstspreload tool locally?
go get github.com/chromium/hstspreload/...
hstspreload preloadabledomain _______.com
nharper commented
This issue was determined to be caused by the server in question blocking clients if an HTTP request is made without the Accept header.
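
The root cause above can be reproduced on loopback. This is an added example, not code from the thread or from the hstspreload project: `newPickyServer` and `probe` are hypothetical names, the stand-in server speaks plain HTTP, and it is assumed to stall (rather than reject) requests that lack an Accept header, which matches the timeout in the report. A bare Go `net/http` client sends no Accept header unless one is set, so the first probe times out and the second succeeds.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newPickyServer is a constructed stand-in for the server in this issue:
// it never answers a request that carries no Accept header.
func newPickyServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Accept") == "" {
			<-r.Context().Done() // stall until the client gives up and disconnects
			return
		}
		fmt.Fprintln(w, "ok")
	}))
}

// probe issues one GET; accept == "" leaves the header unset (Go's default).
func probe(url, accept string, timeout time.Duration) (status int, timedOut bool, err error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return 0, false, err
	}
	if accept != "" {
		req.Header.Set("Accept", accept)
	}
	resp, err := (&http.Client{Timeout: timeout}).Do(req)
	if err != nil {
		var ne net.Error // *url.Error satisfies net.Error, so Timeout() is available
		return 0, errors.As(err, &ne) && ne.Timeout(), err
	}
	defer resp.Body.Close()
	return resp.StatusCode, false, nil
}

func main() {
	srv := newPickyServer()
	defer srv.Close()
	for _, accept := range []string{"", "*/*"} {
		status, timedOut, err := probe(srv.URL, accept, 300*time.Millisecond)
		fmt.Printf("Accept=%q status=%d timedOut=%v err=%v\n", accept, status, timedOut, err)
	}
}
```

Pointing `probe` at a real origin with and without an Accept value separates this kind of header-based filtering from an actual TLS version or cipher mismatch, which would fail during the handshake instead of while awaiting headers.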