harmon25
18.3.4 + Erlang TLS1.2 [+ IIS] Issues
There is a bug in Erlang when establishing connection to servers with specific SSL/TLS configurations, more commonly IIS servers it appears…
Links:
Noticed the behaviour when attempting to access Microsofts Graph API which is likely running on IIS…kind of explains the behaviour…
I cannot connect to the Graph API without using the 18.3 Erlang release, everything above that up to 19.2 just closes the connection before the handshake can finish…
Can test this using Poison and a simple GET to a Microsoft domain:
HTTPoison.get!("https://graph.microsoft.io/en-us/docs")
The HTTPoison readme mentions broken ssl in Erlang 19 - and suggests:
HTTPoison.get!("https://graph.microsoft.io/en-us/docs", [], [ ssl: [{:versions, [:'tlsv1.2']}] ])
This does not always seem to help…
Anyone else experience this?
Am not too familiar with the underlying TLS implementation in Erlang, and it is a bit over my head to try and fix myself…
This should be reported to Erlang devs to look into, however not sure if I can effectively articulate it.
Any help much appreciated!
Marked As Solved
voltone
Hackney expects SSL options to be passed in the :ssl_options key. See https://github.com/benoitc/hackney/blob/master/doc/hackney.md#request-5
Try this:
OAuth2.Client.get_token(..., [ssl_options: [versions: [:'tlsv1.2']]])
Also Liked
voltone
As far as I can tell the server chokes on the ClientHello message if the TLS version in the record layer doesn’t match the version in the client version field. This is a known area of compatibility issues (see RFC 5246, Appendix E).
If this is indeed the issue, then the workaround of selecting TLSv1.2 as the desired version should work. At least the server should not unceremoniously close the TCP connection (assuming it is configured to support TLSv1.2), though it might still fail with a handshake error. If you have a reproducible example of a connection that fails even when the version is constrained, can you share the details?
As the RFC mentions, there is no easy answer for universal interoperability. It may take several handshake attempts to connect to a ‘broken’ server. HTTPoison does not perform these retries for you, so you’d have to add some logic to your app to try and recover from failed requests.
voltone
It looks like the issue has been resolved in OTP 20. So the workaround to force the connection to use TLS 1.2 should no longer be needed.
From the release notes:
OTP-13820 Application(s): ssl
*** HIGHLIGHT ***
TLS-1.2 clients will now always send hello messages on
its own format, as opposed to earlier versions that
will send the hello on the lowest supported version,
this is a change supported by the latest RFC.
This will make interoperability with some newer servers
smoother. Potentially, but unlikely, this could cause a
problem with older servers if they do not adhere to the
RFC and ignore unknown extensions.
minhajuddin
I’ve had a similar issue with the Microsoft Outlook servers Unable to send email using office365 smtp servers · Issue #114 · gen-smtp/gen_smtp · GitHub The Outlook servers close the connection as soon as an SSL request is sent before a subsequent TLS request. However, the Google Email servers didn’t seem to have this problem. The problem with erlang ssl is that during the tls connection setup it first (incorrectly) sends an SSL request and then tries to send a TLS request. The fix for this is to always pass [{:versions, [:'tlsv1.2']}] as an option while doing ssl connections.
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance








