teeli/urltitle

SNI support not enabled by default [cloudflare SSL error: tlsv1 alert internal error]

YogSottot opened this issue · 10 comments

dev-lang/tcl-8.6.6
dev-tcltk/tcllib-1.15-r2
dev-tcltk/tls-1.6.7
net-irc/eggdrop-1.8.0

When I try a link from https://centmin.sh/

SSL channel "sockdc6a20": error: tlsv1 alert internal error

https://www.rust-lang.org/en-US/

SSL channel "sockdd33e0": error: sslv3 alert handshake failure

I compiled eggdrop-1.6.20 on Gentoo
dev-lang/tcl-8.6.6
dev-tcltk/tcllib-1.15-r2
dev-tcltk/tls-1.6.7

Also I compiled eggdrop-1.6.21 and 1.6.20 on Debian
tcl 8.6.0+8
tcl-tls 1.6+dfsg-3:
tcllib 1.16-dfsg-2:
libsqlite3-tcl 3.8.7.1-1+deb8u2

The errors are absolutely the same.

SSL channel "sock19d9620": error: sslv3 alert handshake failure
SSL channel "sock1a0fe60": error: tlsv1 alert internal error

This only happens with sites using Cloudflare SSL; other https links work ok.

I can verify the same.
https://gamblersplay.com
https://casinojakten.se
also on Cloudflare.

libtcl8.6:amd64 8.6.1-4ubuntu1
tcl 8.6.0+6ubuntu3
tcl-dev:amd64 8.6.0+6ubuntu3
tcl-tls 1.6+dfsg-3
tcl8.6 8.6.1-4ubuntu1
tcl8.6-dev:amd64 8.6.1-4ubuntu1
tcllib 1.15-dfsg-2
libgnutls-dev 2.12.23-12ubuntu2.5

Solution in the wiki: https://wiki.tcl.tk/2630 «Using TLS in 2015»

CloudFlare Universal SSL uses certificates that have multiple domains in the one certificate.
https://dropbear.xyz/2015/06/08/checking-cloudflare-ssl/
The way that the client tells the server which website it is looking for is Server Name Indication (SNI). As part of the TLS handshaking the client tells the server “I want website www.enc.com.au”.

In tcl-tls you should use the -servername option, which enables SNI (for tcl-tls 1.6.x). 1.7.11 added the new option -autoservername.

teeli commented

Thanks for reporting and looking for a solution, I'll look into this when I get the chance.

Oh this is great. I was hoping this could be implemented. Thanks @teeli @YogSottot

teeli commented

Sorry it's taken me a while, but I just pushed a new version (0.5) that should support SNI. It requires TLS package version 1.6.4 or newer and falls back to old behavior for older versions.

I'd appreciate it if you could test it and report any problems back here.

% package require tls 
1.7.11

eggdrop-1.8.0

Connection to https://centmin.sh/ failed
Connection to https://www.rust-lang.org/en-US/ failed
Connection to https://github.com/teeli/urltitle/issues/6 failed

eggdrop v1.6.20+driftstoned

Connection to https://github.com/teeli/urltitle/issues/6 failed
Connection to https://www.rust-lang.org/en-US/ failed
Connection to https://centmin.sh/news.html failed

Test eggdrop v1.6.20+driftstoned with etitle.script

> https://centmin.sh/news.html
 [ News - CentminMod.com LEMP Nginx web stack for CentOS ]
 https://www.rust-lang.org/en-US/
 [ The Rust Programming Language ]
https://github.com/teeli/urltitle/issues/6
 [ SNI support not enabled by default [cloudflare SSL error: tlsv1 alert internal error] · Issue #6 · teeli/urltitle · GitHub ]

So, I suppose there is no problem with my setup.

OK, you should just change

   if {[package vcompare $tlsVersion 1.7.11] >= 0} {
      # tls version 1.7.11 should support autoservername
      ::tls::socket -autoservername {*}$opts $host $port

to

   if {[package vcompare $tlsVersion 1.7.11] >= 0} {
      # tls version 1.7.11 should support autoservername
      ::tls::socket -autoservername true {*}$opts $host $port

Then all links work ok.
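The SNI explanation earlier in the thread and the one-word fix above (the boolean `true` that `-autoservername` needs) can be put together in one version-gated socket opener. This is an added example written for this thread, not urltitle's own code: the proc names `openTlsSocket` and `peerSubject` are mine, the option names `-servername`, `-autoservername`, `-require` and `-cafile` are real tcl-tls options, and the version thresholds (1.6.4 for `-servername`, 1.7.11 for `-autoservername`) are the ones stated in the thread.

```tcl
package require tls

# Open a TLS socket to $host:$port and send the SNI extension whenever the
# installed tcl-tls supports it (constructed example, not urltitle's code).
# Any extra args (for example -require 1 -cafile /path/to/ca-bundle.crt)
# are passed through to ::tls::socket.
proc openTlsSocket {host port args} {
    set tlsVersion [package require tls]
    if {[package vcompare $tlsVersion 1.7.11] >= 0} {
        # 1.7.11+: tcl-tls derives the SNI name from $host itself.
        # -autoservername takes a boolean; without the explicit "true" the
        # next word on the command line is consumed as its value, which is
        # exactly the bug fixed above.
        set chan [::tls::socket -autoservername true {*}$args $host $port]
    } elseif {[package vcompare $tlsVersion 1.6.4] >= 0} {
        # 1.6.4 .. 1.7.10: name the server explicitly.
        set chan [::tls::socket -servername $host {*}$args $host $port]
    } else {
        # Older tcl-tls cannot send SNI. Hosts that serve several names from
        # one IP (the Cloudflare case in this thread) cannot pick a
        # certificate and answer with a handshake alert instead.
        set chan [::tls::socket {*}$args $host $port]
    }
    # Run the handshake now, so an alert surfaces here as a Tcl error
    # rather than on the first read of the HTTP response.
    fconfigure $chan -blocking 1
    ::tls::handshake $chan
    return $chan
}

# Subject of the certificate the peer actually presented, useful for
# logging which certificate a multi-domain front end handed out.
proc peerSubject {chan} {
    return [dict get [::tls::status $chan] subject]
}

# Usage (needs network access; centmin.sh is one of the hosts from the thread):
#   set sock [openTlsSocket centmin.sh 443]
#   puts [peerSubject $sock]
#   puts $sock "GET / HTTP/1.0\r\nHost: centmin.sh\r\n\r\n"
#   flush $sock
#   puts [read $sock]
#   close $sock
```

SNI only fixes the handshake; it does not make the connection verified. tcl-tls defaults to `-require 0`, so the peer certificate is accepted unchecked unless the caller passes `-require 1` together with a `-cafile` (or `-cadir`) pointing at a trusted CA bundle, and a practitioner fetching titles from arbitrary URLs should decide deliberately whether that check is wanted.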

teeli commented

Thanks. I don't have tls 1.7.11 to test with, so that was a bit of a shot in the dark (and apparently I was a bit hasty with the docs). I've added true to -autoservername now.

Works great. Big thanks for updating it, really appreciate it!

One really minor suggestion for a next version: change 'putserv' to 'puthelp'. The puthelp queue is supposed to be for stuff like privmsg; putserv might clog up a busy bot's queues. But that isn't happening in my case, so I'm just mentioning it as an aside.

Wow, isn't it great that we have an eggdrop urltitle grabber that supports SNI? 💯!