Alexa API service cannot connect to caddyserver with TLS issues
Thrown error is from http.stdlib when hs.suite == nil
4. Error messages and/or full log output:
meedia@meedia-2 caddy % caddy run
2021/03/13 05:08:35.704 INFO using adjacent Caddyfile
2021/03/13 05:08:35.706 INFO admin admin endpoint started {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2021/03/13 05:08:35.707 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0x140003d19d0"}
2021/03/13 05:08:35.707 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2021/03/13 05:08:35.707 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2021/03/13 05:08:39.013 DEBUG http starting server loop {"address": "[::]:443", "http3": false, "tls": true}
2021/03/13 05:08:39.013 DEBUG http starting server loop {"address": "[::]:80", "http3": false, "tls": false}
2021/03/13 05:08:39.013 INFO http enabling automatic TLS certificate management {"domains": ["services.28seven.com"]}
2021/03/13 05:08:39.015 INFO tls cleaned up storage units
2021/03/13 05:08:39.020 INFO autosaved config {"file": "/Users/meedia/Library/Application Support/Caddy/autosave.json"}
2021/03/13 05:08:39.020 INFO serving initial configuration
2021/03/13 05:08:42.022 DEBUG http.stdlib http: TLS handshake error from 72.21.217.41:11286: tls: no cipher suite supported by both client and server
^C2021/03/13 05:08:45.779 INFO shutting down {"signal": "SIGINT"}
2021/03/13 05:08:45.782 INFO tls.cache.maintenance stopped background certificate maintenance {"cache": "0x140003d19d0"}
2021/03/13 05:08:45.783 INFO admin stopped previous server
2021/03/13 05:08:45.783 INFO shutdown done {"signal": "SIGINT"}
5. What I already tried:
Validated that the endpoint is properly exposed and functioning from the browser.
Still working to try to get this figured out. I am convinced that this is an Alexa API service quirk, but I'm very surprised that Caddy can't provide any more useful log information to help me debug. Checking the forums, it seems like someone else experienced this same issue with Apple Pay.
If you can find out which ciphers Alexa's client supports, you can use the tls directive to enable it, as long as it's in that supported list, I think.
As it stands I’m not sure Caddy can give you any more detailed information, since it’s just a matter of Alexa’s client sending one cipher list, Caddy comparing it to its own cipher list, and not finding any matches.
Looking at the Alexa API service, it appears that there is overlap between what Caddy offers and their configuration. TLS_AES_128_GCM_SHA256 should be a shared TLS 1.3 suite.
Looking at comms with Wireshark, Alexa is always sending with TLS 1.2, so I updated my config to accept both. Looking at the sent cipher suites, there is definitely an overlap between what Caddy supports and what is being sent,
so I changed my config to only allow 1.2 (with protocols tls1.2 tls1.2)
and now I have no SSL capabilities.
I installed Caddy from Homebrew. I did the same install process on an M1 Mac mini and an Intel MacBook Pro; both are showing the same issue. Could my install be bad?
Nope, got ahead of myself. TLS 1.2 wasn't working because of a cipher mismatch. Once I commented out TLS_AES_128_GCM_SHA256, which is a TLS 1.3 cipher, everything came back to life.
So it definitely came down to me not understanding that not all supported ciphers were enabled by default.
If anyone ever gets stuck with this again, Wireshark was very helpful to understand what should be supported by the connecting server. Alexa does use some older algorithms that are classified as weak, so I get why it's not enabled by default.
Right now I have a whole bunch of specified ciphers, but I will likely review all my connections and then pare that list down to get rid of some of the less secure algorithms.
Suggested documentation updates
Make clearer in the documentation that not all ciphers are enabled by default.
The docs say "Note that cipher suites are not customizable with TLS 1.3." I read that as "the ciphers directive will not work if you have TLS 1.3 enabled". It would be helpful to explicitly say that you can customize the list of enabled TLS 1.2 ciphers even if you are using 1.3.
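As an added illustration of the mismatch this thread ends up diagnosing (not code from the thread or from Caddy): Caddy's handshake runs on Go's crypto/tls, and the logged `tls: no cipher suite supported by both client and server` is that library's error when the server's enabled TLS 1.2 suite list and the client's offered list do not overlap. The function below reproduces it in-process with a constructed self-signed certificate and explicit suite lists on each side, then shows the handshake succeeding once the suite the client offers is enabled on the server; the CBC suite is a constructed stand-in for the older suites the poster saw, and InsecureSkipVerify is set on the test client only because the throwaway certificate has no CA behind it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate (constructed for this example only).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Handshake runs one TLS 1.2 handshake over an in-memory pipe, each side limited to the
// given cipher suite IDs, and returns the negotiated suite name or the server-side error.
func Handshake(serverSuites, clientSuites []uint16) (string, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return "", err
	}
	srvConf := &tls.Config{Certificates: []tls.Certificate{cert}, CipherSuites: serverSuites, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	cliConf := &tls.Config{InsecureSkipVerify: true, CipherSuites: clientSuites, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	sc, cc := net.Pipe()
	defer func() { sc.Close(); cc.Close() }()
	srv := tls.Server(sc, srvConf)
	done := make(chan error, 1)
	go func() { done <- srv.Handshake() }()
	_ = tls.Client(cc, cliConf).Handshake() // the client only sees a generic alert; the server error is the informative one
	if err := <-done; err != nil {
		return "", err
	}
	return tls.CipherSuiteName(srv.ConnectionState().CipherSuite), nil
}
```

Calling Handshake with a GCM-only server list against a client that offers only TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA returns the same error Caddy logged; adding that suite to the server list makes the handshake complete on it.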