Hi there,
I’ve encountered an SSL handshake issue. Details:
Elixir 1.4.2, Erlang 19.3
code:
HTTPoison.get("https://api.searchads.apple.com/...", [], [ssl: [keyfile: "...pem", certfile: "...cert.pem"]])
# [error] SSL: :certify: tls_connection.erl:715:Fatal error: handshake failure - malformed_handshake_data
This specific query works perfectly fine via curl and python.
After investigating a bit (Wireshark etc.), the exact issue was found: the server specifically wants TLS_RSA_WITH_AES_128_GCM_SHA256
… aaand Elixir/Erlang do not list such a thing in their handshake
:ssl.cipher_suites(:openssl)
['ECDHE-ECDSA-AES256-GCM-SHA384', ...] # no mention of the required cipher
:ssl.cipher_suites(:erlang)
[{:ecdhe_ecdsa, :aes_256_gcm, :null, :sha384},
{:ecdhe_rsa, :aes_256_gcm, :null, :sha384},
...
{:rsa, :aes_128_gcm, :null, :sha256} # <-- that's it
It is also present in the source code: https://github.com/erlang/otp/blob/maint-19/lib/ssl/src/ssl_cipher.erl#L703
Still, I can’t switch it on:
... , versions: [:'tlsv1'], ciphers: ["TLS-RSA-WITH-AES-128-GCM-SHA256"] # -> same error
... , versions: [:'tlsv1'], ciphers: ["TLS_RSA_WITH_AES_128_GCM_SHA256"] # -> same error
... , versions: [:'tlsv1'], ciphers: [{:rsa, :aes_128_gcm, :null, :sha256}] # -> same error
... , ciphers: [{:rsa, :aes_128_gcm, :null, :sha256}] # -> same error
etc.
Wireshark confirms Elixir/Erlang is still sending a list of cipher suites that does not intersect with the desired cipher (weirdly, it is a bit different each time, adding/removing some useless outdated ciphers).
Behavior confirmed on an OS X brew installation and a Linux Docker one (Alpine).
Any thoughts on how to proceed?
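
One way to narrow this down, as an added example that is not part of the original post: connect with Erlang's :ssl directly (bypassing HTTPoison), offer only the suite named above, and report what was negotiated. It assumes Erlang/OTP 19.x as in the post; the module name TlsProbe and its function names are hypothetical, and it pins TLS 1.2 because the AES-GCM suites are defined only for TLS 1.2 (RFC 5288).

```elixir
# Added diagnostic example (hypothetical module, not from the original post).
# Assumes Erlang/OTP 19.x, where :ssl.cipher_suites(:erlang) returns tuples
# in the form shown in the post.
defmodule TlsProbe do
  # Erlang's name for TLS_RSA_WITH_AES_128_GCM_SHA256, as listed in the post.
  @wanted {:rsa, :aes_128_gcm, :null, :sha256}

  # True if the local Erlang/OpenSSL build supports the suite at all.
  def supported?(suite \\ @wanted), do: suite in :ssl.cipher_suites(:erlang)

  # Handshake with `host` offering only `@wanted` over TLS 1.2.
  # Client-certificate options from the post (keyfile:, certfile:) go in
  # `extra_opts` so the same probe can be run with and without them.
  def probe(host, extra_opts \\ []) do
    :ssl.start()

    opts = [versions: [:"tlsv1.2"], ciphers: [@wanted]] ++ extra_opts

    case :ssl.connect(String.to_charlist(host), 443, opts, 10_000) do
      {:ok, sock} ->
        # Ask the established session which protocol and suite were chosen.
        {:ok, info} = :ssl.connection_information(sock, [:protocol, :cipher_suite])
        :ssl.close(sock)
        {:ok, info}

      {:error, reason} ->
        # Handshake alerts surface here; compare the result with and without
        # the client certificate to see which setting triggers the failure.
        {:error, reason}
    end
  end
end
```

Running `TlsProbe.probe/2` once without and once with the `keyfile:`/`certfile:` options separates a cipher or version mismatch from a failure in the certificate step of the handshake.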