Noticed the behaviour when attempting to access Microsofts Graph API which is likely running on IIS…kind of explains the behaviour…
I cannot connect to the Graph API without using the 18.3 Erlang release, everything above that up to 19.2 just closes the connection before the handshake can finish…
Can test this using Poison and a simple GET to a Microsoft domain:
As far as I can tell the server chokes on the ClientHello message if the TLS version in the record layer doesn’t match the version in the client version field. This is a known area of compatibility issues (see RFC 5246, Appendix E).
If this is indeed the issue, then the workaround of selecting TLSv1.2 as the desired version should work. At least the server should not unceremoniously close the TCP connection (assuming it is configured to support TLSv1.2), though it might still fail with a handshake error. If you have a reproducible example of a connection that fails even when the version is constrained, can you share the details?
As the RFC mentions, there is no easy answer for universal interoperability. It may take several handshake attempts to connect to a ‘broken’ server. HTTPoison does not perform these retries for you, so you’d have to add some logic to your app to try and recover from failed requests.
Worked around the problem by making the HTTP post with HTTPoison and not using the underlying HTTP methods in this OAuth2 library
They both use hackney so figure passing the [ssl: [{:versions, [:'tlsv1.2']}]] as a request option should solve it - but stills gets messed up when making a call using the OAuth2 lib
Building my HTTPoison.post!/4 manually with the correct params+body+headers, and including [ssl: [{:versions, [:'tlsv1.2']}]] as an option appears to work consistently…
The URI I am experiencing problems with is https://login.microsoftonline.com/common/oauth2/token when completing the OAuth flow, and exchanging the access code for an access token.
Might be able to make some fixes to the OAuth library to fix this.
Considering this solved, is working now using Erlang 19.2 rather than <18.3.4 - by manually making post request with HTTPoison
I’ve had a similar issue with the Microsoft Outlook servers https://github.com/Vagabond/gen_smtp/issues/114 The Outlook servers close the connection as soon as an SSL request is sent before a subsequent TLS request. However, the Google Email servers didn’t seem to have this problem. The problem with erlang ssl is that during the tls connection setup it first (incorrectly) sends an SSL request and then tries to send a TLS request. The fix for this is to always pass [{:versions, [:'tlsv1.2']}] as an option while doing ssl connections.
It looks like the issue has been resolved in OTP 20. So the workaround to force the connection to use TLS 1.2 should no longer be needed.
From the release notes:
OTP-13820 Application(s): ssl
*** HIGHLIGHT ***
TLS-1.2 clients will now always send hello messages on
its own format, as opposed to earlier versions that
will send the hello on the lowest supported version,
this is a change supported by the latest RFC.
This will make interoperability with some newer servers
smoother. Potentially, but unlikely, this could cause a
problem with older servers if they do not adhere to the
RFC and ignore unknown extensions.
