SSL connect error #1986

Open
wmedia opened this issue Mar 6, 2020 · 13 comments
wmedia commented Mar 6, 2020

Insomnia cannot connect over SSL to a Windows server with IIS 8 and a Let's Encrypt certificate (256 bits, TLS 1.2); it returns Error: SSL connect error.
I tried with another RESTClient app to check the server configuration and it works as expected.

To Reproduce
Steps to reproduce the behavior:

  1. Go to new request
  2. Insert the rest endpoint in my case to a Win12K server https://api.privateserverdomaincantpublish.com:8443
  3. SSL connect error.
  • Preparing request to https://api.privateserverdomaincantpublish:8443/
  • Using libcurl/7.67.0 OpenSSL/1.1.1c zlib/1.2.11 nghttp2/1.29.0
  • Current time is 2020-03-06T14:51:44.508Z
  • Disable timeout
  • Enable automatic URL encoding
  • Disable SSL validation
  • Enable cookie sending with jar of 2 cookies
  • Hostname api.privateserverdomaincantpublish.com was found in DNS cache
  • Trying xx.xx.xx.11:8443...
  • TCP_NODELAY set
  • Connected to api.privateserverdomaincantpublish.com (xx.xxx.xxx.11) port 8443 (#2)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /tmp/insomnia_7.1.1/2017-09-20.pem
  • CApath: none
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (OUT), TLS alert, handshake failure (552):
  • error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
  • Closing connection 2

Expected behavior
JSON response

Desktop (please complete the following information):

  • OS: Centos 8
  • Installation Method: rpm
  • App Version 7.1.1
  • OpenSSL 1.1.1
@gschier gschier added the N-investigation Needs: investigation label Mar 9, 2020

gschier commented Mar 9, 2020

Do you still get an error if you disable certificate validation from the app settings?

@IndrekHaav

I also get the same "SSL connect error" message when trying to connect to a GraphQL API running on Debian + Apache 2.4. Cert is signed by an internal CA, but everything has worked fine previously, and still works fine in other clients (e.g. Postman). Certificate validation is disabled.

To Reproduce
Same as above - create and send a new request.

Timeline:

* Preparing request to https://redacted/api/
* Using libcurl/7.57.0-DEV OpenSSL/1.0.2o zlib/1.2.11 libssh2/1.7.0_DEV
* Current time is 2020-03-19T11:51:09.835Z
* Disable timeout
* Enable automatic URL encoding
* Disable SSL validation
* Enable cookie sending with jar of 2 cookies
* Hostname redacted was found in DNS cache
*   Trying xx.xx.xx.xx...
* TCP_NODELAY set
* Connected to redacted (xx.xx.xx.xx) port 443 (#29)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: C:\Users\Indrek\AppData\Local\Temp\insomnia_7.1.1\2017-09-20.pem
*   CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Unknown (21):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection 29

Expected behavior
GraphQL response.

Desktop (please complete the following information):

  • OS: Windows 10 1909
  • Installation Method: Windows installer
  • App Version: 7.1.1

@ianbarker

I had this with an Nginx server, I found that adding ssl_protocols TLSv1.2 to the vhost config made it work. Previously I only had ssl_protocols TLSv1.3, I'm guessing that Insomnia doesn't support TLSv1.3.

@IndrekHaav

In my case TLS v1.2 was enabled, but thanks to @ianbarker's comment I poked around in Apache vhost settings and found that the culprit was the SSLCipherSuite directive. It contained a fairly lengthy list of ciphers, and changing the value to HIGH:!aNULL:!MD5 made Insomnia work. I could have probably tweaked it by trial-and-error to add some cipher that works with Insomnia, but since it's a dev environment, that's good enough for me.
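
Added example, not part of any comment in this thread: a small Python parser for the timelines posted above that reports the last handshake message seen and which side sent the fatal alert, which indicates whose TLS policy refused the connection. The function name `triage` and its field names are assumptions made for this example; the sample input is abridged from the two timelines above.

```python
import re

# Sample input abridged from the two timelines posted above.
TIMELINE_A = """\
* Using libcurl/7.67.0 OpenSSL/1.1.1c zlib/1.2.11 nghttp2/1.29.0
* Disable SSL validation
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (OUT), TLS alert, handshake failure (552):
* error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
"""
TIMELINE_B = """\
* Using libcurl/7.57.0-DEV OpenSSL/1.0.2o zlib/1.2.11 libssh2/1.7.0_DEV
* Disable SSL validation
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
"""

REC = re.compile(r"TLSv[\d.]+ \((IN|OUT)\), TLS (handshake|alert), (.+?) \(\d+\):")
ERR = re.compile(r"error:[0-9A-Fa-f]{8}:SSL routines:[^:]*:(.+)")
LIB = re.compile(r"OpenSSL/(\S+)")

def triage(timeline):
    """Report where the handshake stopped and which side refused it."""
    out = {"openssl": None, "verify_disabled": False, "last_handshake": None,
           "alert_from": None, "reason": None}
    for raw in timeline.splitlines():
        line = raw.lstrip("*\u2022 ").strip()
        if line.startswith("Using ") and (m := LIB.search(line)):
            out["openssl"] = m.group(1)
        elif line == "Disable SSL validation":
            out["verify_disabled"] = True
        elif m := REC.match(line):
            direction, kind, name = m.groups()
            if kind == "alert":   # OUT = sent by the client, IN = sent by the server
                out["alert_from"] = "client" if direction == "OUT" else "server"
            else:
                out["last_handshake"] = f"{name} ({direction})"
        elif m := ERR.match(line):
            out["reason"] = m.group(1).strip()
    # Turning validation off only suppresses certificate-verification errors;
    # protocol, cipher and key-size refusals still abort the handshake.
    out["toggle_can_help"] = bool(out["reason"]) and "certificate verify failed" in out["reason"]
    return out

if __name__ == "__main__":
    for t in (TIMELINE_A, TIMELINE_B):
        print(triage(t))
```

In the first timeline the client sends the alert right after Server key exchange, so the client's OpenSSL refused the server's DH parameters; in the second the server sends it in reply to the Client hello, which is consistent with the SSLCipherSuite change described above. Neither failure is a certificate-verification error, so the validation setting has no effect on them.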


bravequickcleverfibreyarn commented Sep 23, 2020

The same – “Let’s Encrypt CA” is not trusted.

Let’s Encrypt SSL Error

In Windows this authority is Intermediate Certification Authorities/Certificates/Let's Encrypt Authority X3 while its issuer is Trusted Root Certification Authorities/DST Root CA X3, thus should be trusted.


bravequickcleverfibreyarn commented Sep 23, 2020

> Do you still get an error if you disable certificate validation from the app settings?

@gschier, (at least for me) if validation is switched off, it works. And I did not expect anything else.


ghost commented Nov 1, 2020

@gschier It doesn't work for me. Got anything else up your pockets?


stale bot commented May 28, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@bravequickcleverfibreyarn

Bugs should not be closed by a bot.

@stale stale bot removed the wontfix label May 30, 2021
@quiet-ranger

I am running v2022.3.0, I also have Certificate validation disabled but I am still getting "SSL connect error". Has anyone found a workaround for this problem?

Incidentally, this simple GET request works fine from Chrome Version 101.0.4951.64

Timeline:

  • Preparing request to https://localhost:8080/v1/traits
  • Current time is 2022-05-31T10:43:25.618Z
  • Using default HTTP version
  • Disable timeout
  • Enable automatic URL encoding
  • Disable SSL validation
  • Enable cookie sending with jar of 0 cookies
  • STATE: INIT => CONNECT handle 0x150092208; line 1789 (connection #-5000)
  • Added connection 14. The cache now contains 1 members
  • Hostname in DNS cache was stale, zapped
  • family0 == v4, family1 == v6
  • Trying 127.0.0.1:8080...
  • STATE: CONNECT => CONNECTING handle 0x150092208; line 1850 (connection #14)
  • Connected to localhost (127.0.0.1) port 8080 (#14)
  • STATE: CONNECTING => PROTOCONNECT handle 0x150092208; line 1982 (connection #14)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /var/folders/qb/h1wgqh3x1w1f53lrtxht3qmc0000gp/T/insomnia_2022.3.0/ca-certs.pem
  • CApath: none
  • Didn't find Session ID in cache for host HTTPS://localhost:8080
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • STATE: PROTOCONNECT => PROTOCONNECTING handle 0x150092208; line 2000 (connection #14)
  • error:1408F10B:SSL routines:ssl3_get_record:wrong version number
  • multi_done
  • The cache now contains 0 members
  • Closing connection 14
  • Expire cleared (transfer 0x150092208)

@arashberlin

Hello there,
I think I have the same problem. I get "Error: SSL connect error". Insomnia cert validation & validate certs are both disabled.

Tested with Insomnia 2022.7.5 (build 19.01.2023) and 2023.1.0.beta.1

With Windows 10 curl (7.83.1), Postman, VS Code ThunderClient there is no issue to connect and get data.

  • Preparing request to https://orbis.bvdinfo.com/api/orbis/swagger
  • Current time is 2023-02-03T11:10:02.016Z
  • Enable automatic URL encoding
  • Using default HTTP version
  • Disable SSL validation
  • Enable cookie sending with jar of 71 cookies
  • Hostname in DNS cache was stale, zapped
  • Trying 195.234.162.140:443...
  • Connected to orbis.bvdinfo.com (195.234.162.140) port 443 (#1)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • TLSv1.0 (OUT), TLS header, Certificate Status (22):
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.2 (IN), TLS header, Certificate Status (22):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS header, Certificate Status (22):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS header, Certificate Status (22):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (OUT), TLS header, Unknown (21):
  • TLSv1.2 (OUT), TLS alert, handshake failure (552):
  • error:0A000172:SSL routines::wrong signature type
  • Closing connection 1


iandunn commented Feb 9, 2023

What fixed it for me was adding the domain name to Insomnia Preferences > HTTP Network Proxy > No proxy.

That's necessary for me because I have a SOCKS5 proxy tunnel running on my computer and outbound requests are normally routed through it. I want to bypass that for local servers though.


yosiasz commented Apr 25, 2023

I can't even see some settings in Preferences

