Anybody using Cowboy 2.4 with Phoenix in production?

madasebrof · September 22, 2018, 3:16pm

Just curious if folks are using Cowboy 2.x (latest is 2.4) in production.

We suddenly started getting lots of errors from ssl in the logs:

ssl_handshake.erl:1271 generated CLIENT ALERT: Fatal - Bad Certificate

and apparently, these might go away in the latest version of Cowboy:

github.com/ninenines/cowboy

SSL issues

opened 10:02AM - 30 Jun 16 UTC

closed 02:41PM - 01 Jul 16 UTC

MarkNijhof

Hi Loic, We are running Elixir in production based on Cowboy and we see quite r…egularly one of the following errors (crashes) happening, the majority are the "insufficient security" one. I am guessing these are just bots or browsers with outdated SSL versions. - SSL: :certify: ssl_alert.erl:93:Fatal error: bad certificate - SSL: :hello: tls_handshake.erl:118:Fatal error: inappropriate fallback - SSL: :hello: tls_handshake.erl:167:Fatal error: insufficient security - SSL: :hello: tls_handshake.erl:174:Fatal error: protocol version So currently this throws a 500, but I much rather want to return a 405 Not Allowed. Also because this is a crash we get notified via Rollbar which just clutters the log. So since these errors are kind of expected I was wondering if we can hook into the cowboy pipeline early enough to catch these scenarios and return a 405 instead? Is there a reason this is a 500 vs 405?

Right Cowboy currently does not disable renegotiation so this could happen. Cowboy 2 will force disable renegotiation entirely (due to HTTP/2 requirements, and related aforementioned issues).

Thanks in advance!