Cloudflare Developers•4mo ago

Encountering thousands of TLS handshake errors.

Using a go https server with a cloudflare origin certificate, i've never encountered any connection issues, however when i review request logs for my server, i notice several thousand failed tls handshake errors which look like this: [Info] 01:50:09 server.go:3212: http: TLS handshake error from 162.158.255.138:29083: EOF of course the cloudflare ip can vary. if anyone knows what could cause this issue i would be very grateful to hear any solutions to this problem.

4 Replies

Idle•4mo ago

as a side note, the usual network traffic for my domain lies within 600 requests per day, not 3000+ 🤔

vale•4mo ago

https://github.com/golang/go/issues/61721 Might be related to the ciphers in use?

GitHub

net/http: EOF during TLS handshake · Issue #61721 · golang/go

The reported EOF error, happens when tls.ClientAuth is set to tls.VerifyClientCertIfGiven - if no certificate is provided or request comes from any browser it throws this error, and it should not g...

vale•4mo ago

https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/ Also might be worth checking this out

The Cloudflare Blog

The complete guide to Go net/http timeouts

Idle•4mo ago

i havent specified any ciphers. now ive specified any ECDH ciphers since the origin certificate uses an elliptic key, but i still run into the same EOF tls handshake error previous:

var s = &http.Server{
        Addr:    ":443",
        Handler: &middleware.Handler{},
        TLSConfig: &tls.Config{
            MinVersion:         tls.VersionTLS13,
            InsecureSkipVerify: false,
        },
        ErrorLog: log.Default(),
    }

var s = &http.Server{
        Addr:    ":443",
        Handler: &middleware.Handler{},
        TLSConfig: &tls.Config{
            MinVersion:         tls.VersionTLS13,
            InsecureSkipVerify: false,
        },
        ErrorLog: log.Default(),
    }

current:

var Ciphers = []uint16{
    tls.TLS_AES_256_GCM_SHA384,
    tls.TLS_AES_128_GCM_SHA256,
    tls.TLS_CHACHA20_POLY1305_SHA256,
    
    tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
    tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
}

var s = &http.Server{
        Addr:    ":443",
        Handler: &middleware.Handler{},
        TLSConfig: &tls.Config{
            MinVersion:         tls.VersionTLS13,
            InsecureSkipVerify: false,
            ClientAuth:         tls.NoClientCert,
            CipherSuites:       Ciphers,
        },
        ErrorLog: log.Default(),
    }

var Ciphers = []uint16{
    tls.TLS_AES_256_GCM_SHA384,
    tls.TLS_AES_128_GCM_SHA256,
    tls.TLS_CHACHA20_POLY1305_SHA256,
    
    tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
    tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
}

var s = &http.Server{
        Addr:    ":443",
        Handler: &middleware.Handler{},
        TLSConfig: &tls.Config{
            MinVersion:         tls.VersionTLS13,
            InsecureSkipVerify: false,
            ClientAuth:         tls.NoClientCert,
            CipherSuites:       Ciphers,
        },
        ErrorLog: log.Default(),
    }

Gaming

Programming

Encountering thousands of TLS handshake errors.