go
network_error
ai_generated
true
tls: first record does not look like a TLS handshake
ID: go/tls-handshake-error-certificate-signed-by-unknown-authority
88%Fix Rate
82%Confidence
1Evidence
2024-01-10First Seen
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| go1.20 | active | — | — | — |
| go1.21 | active | — | — | — |
| go1.22 | active | — | — | — |
| go1.23 | active | — | — | — |
Root Cause
The server is not speaking TLS on the expected port, often because it's using plain HTTP or a different protocol, or the client is connecting to the wrong port.
generic中文
服务器在预期端口上未使用 TLS 通信,通常是因为它使用纯 HTTP 或其他协议,或者客户端连接到了错误的端口。
Official Documentation
https://pkg.go.dev/crypto/tls#Conn.HandshakeWorkarounds
-
95% success Verify the server's protocol: use curl -v http://host:port to check if it's plain HTTP, then switch to http:// instead of https://
Verify the server's protocol: use curl -v http://host:port to check if it's plain HTTP, then switch to http:// instead of https://
-
85% success If the server uses a non-standard TLS port, configure the correct port in the URL
If the server uses a non-standard TLS port, configure the correct port in the URL
中文步骤
Verify the server's protocol: use curl -v http://host:port to check if it's plain HTTP, then switch to http:// instead of https://
If the server uses a non-standard TLS port, configure the correct port in the URL
Dead Ends
Common approaches that don't work:
-
Adding InsecureSkipVerify: true to the TLS config
95% fail
This only skips certificate verification, not the protocol mismatch; the server still doesn't speak TLS.
-
Setting a custom RootCAs pool
90% fail
Certificate authority configuration doesn't fix the fundamental protocol issue.
-
Using a different TLS version like TLS 1.3
85% fail
The error is about the initial handshake record, not the version negotiation.