Hello,
From my ExtendScript I am trying to call a server over HTTPS:
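var xmlhttp = new XMLHttpRequest();
xmlhttp.open('GET', 'https://***/api/books', true);
xmlhttp.setRequestHeader('Authorization', 'Basic NDI5MDk...');
// The request is asynchronous, so read the status once it has completed.
xmlhttp.onreadystatechange = function () {
    if (xmlhttp.readyState === 4 && xmlhttp.status == 200) {
        alert(xmlhttp.responseText);
    }
};
xmlhttp.send(null);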
The code triggers the following output in the console:
net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Tracking the request content, it seems that ExtendScript uses Version: 3.2 (TLS/1.1) and then Version: 3.1 (TLS/1.0). But looking at the server log on the other side, there is only a single error message:
2016/09/29 11:25:34 [info] 7048#7048: *4396957 SSL_do_handshake() failed (SSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher) while SSL handshaking, client: **.**.**.**, server: 0.0.0.0:443
The web server is very stable and well maintained, runs TLS 1.2 and supports all secure ciphers:
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 4096) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 4096) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
What is happening here? Is there a problem between TLS 1.0/1.1 on the client and 1.2 on the server side? What would be the appropriate way to handle this problem?
Thank you!
1 Correct answer
It turns out that InDesign's ExtendScript is unable to establish a connection using TLS 1.2. After enabling TLS 1 and 1.1 on our server (while maintaining our A+ rating), everything worked.
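Why a TLS 1.0/1.1 client gets "no shared cipher" from the server scanned above, as an added example that is not part of the original thread: all twelve scanned suites (GCM and CBC-SHA256/384) can only be negotiated under TLS 1.2. The ClientHello bytes, the suites the client offers and the extra suite in `AFTER_FIX` are constructed assumptions, not values from the posts.

```javascript
// Added example. Entries: [IANA code point, suite name, lowest version it can be negotiated under]
const TLS10 = 0x0301, TLS11 = 0x0302, TLS12 = 0x0303;
const SCANNED = [
  [0xc02f, 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', TLS12],
  [0xc030, 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', TLS12],
  [0x009e, 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256', TLS12],
  [0x009f, 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384', TLS12],
  [0xc027, 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', TLS12],
  [0xc028, 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', TLS12],
  [0x0067, 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256', TLS12],
  [0x006b, 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256', TLS12],
  [0x009c, 'TLS_RSA_WITH_AES_128_GCM_SHA256', TLS12],
  [0x009d, 'TLS_RSA_WITH_AES_256_GCM_SHA384', TLS12],
  [0x003c, 'TLS_RSA_WITH_AES_128_CBC_SHA256', TLS12],
  [0x003d, 'TLS_RSA_WITH_AES_256_CBC_SHA256', TLS12],
];
// Assumption (not from the thread): the server-side fix also enabled a suite usable below TLS 1.2.
const AFTER_FIX = [...SCANNED, [0xc013, 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', TLS10]];

function parseClientHello(buf) { // extract offered version and cipher suites from a raw record
  if (buf.length < 46 || buf[0] !== 0x16 || buf[5] !== 0x01) throw new Error('not a ClientHello');
  const clientVersion = buf.readUInt16BE(9); // after 5-byte record and 4-byte handshake headers
  const off = 44 + buf[43];                  // skip 32-byte random and the session_id
  const len = buf.readUInt16BE(off);
  const suites = [];
  for (let i = 0; i < len; i += 2) suites.push(buf.readUInt16BE(off + 2 + i));
  return { clientVersion, suites };
}

function negotiate(hello, serverSuites) { // server preference: first usable suite in server order
  const pick = serverSuites.find(([id, , minVer]) =>
    hello.suites.includes(id) && hello.clientVersion >= minVer);
  return pick ? { ok: true, suite: pick[1] } : { ok: false, reason: 'no shared cipher' };
}

function buildHello(version, suites) { // constructed sample input: minimal hello, no extensions
  const body = Buffer.concat([
    Buffer.from([version >> 8, version & 0xff]), Buffer.alloc(32, 0xab), // version, random
    Buffer.from([0, 0, suites.length * 2]),          // empty session_id, suites length
    Buffer.from(suites.flatMap(s => [s >> 8, s & 0xff])),
    Buffer.from([1, 0]),                             // one compression method: null
  ]);
  const hs = Buffer.concat([Buffer.from([1, 0, body.length >> 8, body.length & 0xff]), body]);
  return Buffer.concat([Buffer.from([0x16, 3, 1, hs.length >> 8, hs.length & 0xff]), hs]);
}

const hello = parseClientHello(buildHello(TLS11, [0xc013, 0x002f, 0x000a]));
console.log(negotiate(hello, SCANNED));
console.log(negotiate(hello, AFTER_FIX));
```

Run it with Node.js; the first result reproduces the reason string from the server log, the second shows the handshake completing once a pre-TLS-1.2 suite is available.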
Hi all,
Just a quick note. This might or might not be a workaround for this issue.
I've revisited the old GetURL I wrote many years ago, and made a more modern version which does support https as well as http. All smoke and mirrors. More information and source code on my personal blog:
The 'getURL' is whatever is implemented in the Node.js inside of InDesign - so I suspect it will be able to use more recent TLS versions.
Cheers,
Kris (Rorohiko)