jpazmino asked

CloudScript having http request issues to TLS 1.2

We were developing a feature in which the CloudScript code has to reach an external service to get additional information using the "http" object. The request was constantly failing until we noticed the only TLS version enabled in our servers was TLS 1.2.

We decided to enable TLS 1.1 and the requests started working again. But now TLS 1.1 is going to get deprecated. Our business model requires us to disable TLS 1.1 but we don't want these services to stop working. Is there anything we can do?

Seth Du answered

I was trying https://fancyssl.hboeck.de/, and it only returns "No response" when TLS 1.2 is disabled on Postman. This website returns correct contents in the Cloud Script.

jpazmino commented ·

It was actually an issue with the Nginx cipher we used. Once we matched those to the ones used by PlayFab's Windows Server machines it all worked.

0 Likes 0 ·
Seth Du answered

Cloud Script should support TLS 1.2. Can you try to send an HTTP request to some TLS 1.2 testing website?

In addition, are there any specific error messages being returned?

jpazmino answered

This is what I get back after making a request:

{
  "code": 200,
  "status": "OK",
  "data": {
    "FunctionName": "makeHTTPRequest",
    "Revision": 3,
    "Logs": [
      {
        "Level": "Error",
        "Message": "HTTP request error",
        "Data": {
          "url": "https://<URL_HERE>",
          "method": "get",
          "content": "{}",
          "contentType": "application/json",
          "headers": {
            "X-MyCustomHeader": "Some Value"
          },
          "result": {
            "responseContent": null,
            "httpStatus": null,
            "httpStatusCode": 0,
            "requestError": "SecureChannelFailure"
          },
          "httpRequestError": "SecureChannelFailure"
        }
      }
    ],
    "ExecutionTimeSeconds": 0.3207837,
    "ProcessorTimeSeconds": 0.0,
    "MemoryConsumedBytes": 26136,
    "APIRequestsIssued": 0,
    "HttpRequestsIssued": 1,
    "Error": {
      "Error": "CloudScriptHTTPRequestError",
      "Message": "The script made an external HTTP request, which returned an error. See the Error logs for details.",
      "StackTrace": "Error\n    at Object.http_request (Script:224:28)\n    at Object.request (Script:263:35)\n    at handlers.makeHTTPRequest (35AF7-main.js:14:25)\n    at Object.invokeFunction (Script:116:33)"
    }
  }
}

jpazmino commented ·

This is what I got from OPS: "the issue was with the ssl handshake (the version of TLS along with the cipher suites cause this)"

0 Likes 0 ·
Seth Du ♦ jpazmino commented ·

I am not an expert on SSL, but according to the documentation I've found, usually we need to fix this issue on the server side when errors like "Cipher Suite used by client is not supported by server" are reported, and in this scenario, Cloud Script should be the client.

I wrote an HTTP request to a TLS 1.2 testing website on Cloud Script and it returns a successful callback.

0 Likes 0 ·
jpazmino Seth Du ♦ commented ·

Is it a TLS 1.2 only server? I just want to confirm it's not falling back to another protocol version. In our case it worked if both 1.1 and 1.2 were enabled, but not when 1.2 was the only option. Thanks for the reply, BTW.

0 Likes 0 ·
jpazmino commented ·

Additionally OPS said: "the issue was with the ssl handshake (the version of tls along with the cipher suites cause this)"

And gave me this piece of information on the TLS error.


SSL_do_handshake() failed (SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher) while SSL handshaking, client: 34.213.208.16, server: 0.0.0.0:443

0 Likes 0 ·
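
As an added example (not part of the original thread, and not PlayFab or nginx code), this Python script parses nginx error-log lines of the shape OPS quoted above and separates cipher-suite mismatches from protocol-version mismatches, the distinction this thread turned on. The sample log lines, the documentation-range client addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the shape of the nginx line quoted in the thread.
# Client addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
[info] SSL_do_handshake() failed (SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
[info] SSL_do_handshake() failed (SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
[info] SSL_do_handshake() failed (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, client: 192.0.2.20, server: 0.0.0.0:443
[error] open() "/var/www/favicon.ico" failed (2: No such file or directory), client: 192.0.2.30, server: example.test
"""

# OpenSSL error strings look like error:<hex code>:<library>:<function>:<reason>
HANDSHAKE_RE = re.compile(
    r"SSL_do_handshake\(\) failed \(SSL: error:(?P<code>[0-9A-Fa-f]+):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^)]*)\)"
    r".*?client: (?P<client>[^,\s]+), server: (?P<server>\S+)"
)

# OpenSSL reason string -> which part of the negotiation failed.
CAUSES = {
    # Raised after the protocol version is chosen: no suite the client
    # offered is enabled on the server (ssl_ciphers) for that version.
    "no shared cipher": "cipher",
    # The client's TLS version is outside what the server accepts.
    "unsupported protocol": "protocol",
    "version too low": "protocol",
}

def parse_failures(log_text):
    """Return one dict per TLS handshake failure found in log_text."""
    failures = []
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m is None:
            continue  # not a handshake failure line
        entry = m.groupdict()
        entry["reason"] = entry["reason"].strip()
        entry["cause"] = CAUSES.get(entry["reason"], "other")
        failures.append(entry)
    return failures

def summarize(log_text):
    """Count failures per (client, cause) so one mismatched peer stands out."""
    return Counter((f["client"], f["cause"]) for f in parse_failures(log_text))

if __name__ == "__main__":
    for (client, cause), n in summarize(SAMPLE_LOG).most_common():
        print(f"{client}: {n} handshake failure(s), cause={cause}")
```

A client that only ever shows `cause=cipher` reached cipher selection, so the fix is in the server's cipher list rather than in re-enabling an older protocol version.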
