HTTPoison.Error sending a mail with Brevo : {:options, :incompatible, [verify: :verify_peer, cacerts: :undefined]}

GoulvenClech · July 18, 2023, 1:35pm

Hi everyone,

Recently, our transactional emails won’t launch and return HTTPoison.Error like :
%HTTPoison.Error{reason: {:options, :incompatible, [verify: :verify_peer, cacerts: :undefined]}, id: nil}

I’m using the Brevo API V3. And my guess is that’s a problem with SSL; I currently use [ssl: [{:versions, [:"tlsv1.2"]}]].

Any idea or lead to help me on this case?

Thanks.

UPDATE :
Linked to OTP 26 upgrade. I obtain some progress by changing my request otps like :

  def process_request_options(_options) do
    [
      ssl: [
        verify: :verify_peer,
        cacerts: :public_key.cacerts_get(),
        versions: [:"tlsv1.2"]
      ]
    ]

Now the error is :
%HTTPoison.Error{reason: {:tls_alert, {:handshake_failure, ~c"TLS client: In state certify at ssl_handshake.erl:2140 generated CLIENT ALERT: Fatal - Handshake Failure\n {bad_cert,hostname_check_failed}"}}, id: nil}

D4no0 · July 18, 2023, 1:37pm

Have you upgraded to OTP-26? You can read about the new default feature introduced to OTP-26: Erlang/OTP 26 Highlights - Erlang/OTP

GoulvenClech · July 18, 2023, 1:51pm

Thanks @D4no0 , it’s surely that I upgraded recently to OTP 26.

Do you have any resources on how this translated into Elixir?

I suppose it’s something to change in Application.ensure_all_started(:ssl)?

GoulvenClech · July 18, 2023, 2:00pm

I tried :

 config :my_app, MyApp.Mailer,
    [...]
    allowed_tls_versions: [:tlsv1, :"tlsv1.1", :"tlsv1.2"],
    ssl: true,
    ssl_opts: [verify: :verify_peer, cacerts: :public_key.cacerts_get()],

Waiting for deploy on staging to see if it works. But does this seem like the right approach to you?

EDIT: No, sadly it didn’t change anything.

quatermain · July 18, 2023, 2:19pm

We use Finch with Brevo, we recently upgraded to Elixir 1.15.4 and OTP 26.0.2 and it works:

Finch.build(
   :delete,
   "https://api.sendinblue.com/v3/contacts/#{email}",
   [
      {"api-key", api_key()},
      {"content-type", "application/json"}
    ]
  )
 |> Finch.request(PlatformFinch)

 finch 0.16.0
 ssl_verify_fun 1.1.6
``

GoulvenClech · July 18, 2023, 2:26pm

I obtain some progress by changing my request otps like :

  def process_request_options(_options) do
    [
      ssl: [
        verify: :verify_peer,
        cacerts: :public_key.cacerts_get(),
        versions: [:"tlsv1.2"]
      ]
    ]

Now the error is :
%HTTPoison.Error{reason: {:tls_alert, {:handshake_failure, ~c"TLS client: In state certify at ssl_handshake.erl:2140 generated CLIENT ALERT: Fatal - Handshake Failure\n {bad_cert,hostname_check_failed}"}}, id: nil}

ruslandoga · July 18, 2023, 2:29pm

@GoulvenClech

Note that for wildcard certs you need to add an additional option, :customize_hostname_check

[
  ssl: [
    verify: :verify_peer,
    cacerts: :public_key.cacerts_get(),
    versions: [:"tlsv1.2"],
    customize_hostname_check: [
      match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
    ]
  ]
]

More info: Erlang standard library: ssl | EEF Security WG (note the depth option as well)

And for :public_key.cacerts_get() to work, you might need to first :public_key.cacerts_load() the certs (e.g. during application startup). Right now in your case it seems to be returning :undefined.

GoulvenClech · July 18, 2023, 2:54pm

It looks like it was that!

Thanks a lot @ruslandoga , I clearly pay my lack of understanding of SSL and how OTP deal with it. I’ll work on that.