:SSL Middlebox Compatibility Issues with FIPS Mode, mix deps.get fails

xk1000 · December 16, 2025, 5:31pm

Hello!

I’m working on a piece of software with the requirement that I use a FIPS-approved encryption module. I’ve built OpenSSL 3.6.0 with 3.1.2 as a FIPS provider:

$ openssl list --providers
Providers:
  fips
    name: OpenSSL FIPS Provider
    version: 3.1.2
    status: active

Erlang has also been built with FIPS enabled:

Erlang/OTP 28 [erts-16.2] [source] [64-bit] [smp:20:20] [ds:20:20:10] [async-threads:1] [jit:ns]

Eshell V16.2 (press Ctrl+G to abort, type help(). for help)
1> application:load({application, crypto, [{env, [{fips_mode, true}]}]}), application:start(crypto).
ok
2> crypto:info_fips().
enabled

The problem is that mix deps.get refuses to work, and I kinda feel like it’s a misconfiguration of repo.hex.pm, but I really have no idea. I can successfully make requests to it as long as I manually pass middlebox_comp_mode: false, but there’s I don’t know if it’s even possible to do that with things like mix and libraries I need to use.

Nrap is just to test this issue, no other code except what’s included in a default mix project

`mix.exs`

defmodule Nrap.MixProject do
  use Mix.Project

  def project do
    [
      app: :nrap,
      version: "0.1.0",
      elixir: "~> 1.19",
      start_permanent: Mix.env() == :prod,
      deps: deps()
    ]
  end

  # Run "mix help compile.app" to learn about applications.
  def application do
    [
      extra_applications: [:logger]
    ]
  end

  # Run "mix help deps" to learn about dependencies.
  defp deps do
    [
    {:req, "~> 0.5.16"}
    ]
  end
end

`config/config.exs`

import Config

config :crypto,
  fips_mode: true

$ `mix deps.get`

Failed to fetch record for telemetry from registry (using cache instead)
{:failed_connect, [{:to_address, {~c"repo.hex.pm", 443}}, {:inet, [:inet], {:options, {:insufficient_crypto_support, {:"tlsv1.1", {:versions, [:"tlsv1.2", :"tlsv1.1", :tlsv1]}}}}}]}
Failed to fetch record for finch from registry (using cache instead)
{:failed_connect, [{:to_address, {~c"repo.hex.pm", 443}}, {:inet, [:inet], {:options, {:insufficient_crypto_support, {:"tlsv1.1", {:versions, [:"tlsv1.2", :"tlsv1.1", :tlsv1]}}}}}]}
Failed to fetch record for hpax from registry (using cache instead)
{:failed_connect, [{:to_address, {~c"repo.hex.pm", 443}}, {:inet, [:inet], {:options, {:insufficient_crypto_support, {:"tlsv1.1", {:versions, [:"tlsv1.2", :"tlsv1.1", :tlsv1]}}}}}]}
Failed to fetch record for mint from registry (using cache instead)
{:failed_connect, [{:to_address, {~c"repo.hex.pm", 443}}, {:inet, [:inet], {:options, {:insufficient_crypto_support, {:"tlsv1.1", {:versions, [:"tlsv1.2", :"tlsv1.1", :tlsv1]}}}}}]}
Failed to fetch record for mime from registry (using cache instead)
{:failed_connect, [{:to_address, {~c"repo.hex.pm", 443}}, {:inet, [:inet], {:options, {:insufficient_crypto_support, {:"tlsv1.1", {:versions, [:"tlsv1.2", :"tlsv1.1", :tlsv1]}}}}}]}
Failed to fetch record for nimble_options from registry (using cache instead)
{:failed_connect, [{:to_address, {~c"repo.hex.pm", 443}}, {:inet, [:inet], {:options, {:insufficient_crypto_support, {:"tlsv1.1", {:versions, [:"tlsv1.2", :"tlsv1.1", :tlsv1]}}}}}]}
Failed to fetch record for req from registry (using cache instead)
{:failed_connect, [{:to_address, {~c"repo.hex.pm", 443}}, {:inet, [:inet], {:options, {:insufficient_crypto_support, {:"tlsv1.1", {:versions, [:"tlsv1.2", :"tlsv1.1", :tlsv1]}}}}}]}
Failed to fetch record for nimble_pool from registry (using cache instead)
{:failed_connect, [{:to_address, {~c"repo.hex.pm", 443}}, {:inet, [:inet], {:options, {:insufficient_crypto_support, {:"tlsv1.1", {:versions, [:"tlsv1.2", :"tlsv1.1", :tlsv1]}}}}}]}
Failed to fetch record for jason from registry (using cache instead)
{:failed_connect, [{:to_address, {~c"repo.hex.pm", 443}}, {:inet, [:inet], {:options, {:insufficient_crypto_support, {:"tlsv1.1", {:versions, [:"tlsv1.2", :"tlsv1.1", :tlsv1]}}}}}]}
Resolving Hex dependencies...
Failed to fetch record for plug from registry (using cache instead)
{:failed_connect, [{:to_address, {~c"repo.hex.pm", 443}}, {:inet, [:inet], {:options, {:insufficient_crypto_support, {:"tlsv1.1", {:versions, [:"tlsv1.2", :"tlsv1.1", :tlsv1]}}}}}]}
Failed to fetch record for brotli from registry (using cache instead)
{:failed_connect, [{:to_address, {~c"repo.hex.pm", 443}}, {:inet, [:inet], {:options, {:insufficient_crypto_support, {:"tlsv1.1", {:versions, [:"tlsv1.2", :"tlsv1.1", :tlsv1]}}}}}]}
Failed to fetch record for ezstd from registry (using cache instead)
{:failed_connect, [{:to_address, {~c"repo.hex.pm", 443}}, {:inet, [:inet], {:options, {:insufficient_crypto_support, {:"tlsv1.1", {:versions, [:"tlsv1.2", :"tlsv1.1", :tlsv1]}}}}}]}
Failed to fetch record for nimble_csv from registry (using cache instead)
{:failed_connect, [{:to_address, {~c"repo.hex.pm", 443}}, {:inet, [:inet], {:options, {:insufficient_crypto_support, {:"tlsv1.1", {:versions, [:"tlsv1.2", :"tlsv1.1", :tlsv1]}}}}}]}
Failed to fetch record for decimal from registry (using cache instead)
{:failed_connect, [{:to_address, {~c"repo.hex.pm", 443}}, {:inet, [:inet], {:options, {:insufficient_crypto_support, {:"tlsv1.1", {:versions, [:"tlsv1.2", :"tlsv1.1", :tlsv1]}}}}}]}
Failed to fetch record for castore from registry (using cache instead)
{:failed_connect, [{:to_address, {~c"repo.hex.pm", 443}}, {:inet, [:inet], {:options, {:insufficient_crypto_support, {:"tlsv1.1", {:versions, [:"tlsv1.2", :"tlsv1.1", :tlsv1]}}}}}]}

`iex -S mix`

Breaks added for readability

Erlang/OTP 28 [erts-16.2] [source] [64-bit] [smp:20:20] [ds:20:20:10] [async-threads:1] [jit:ns]

Interactive Elixir (1.19.4) - press Ctrl+C to exit (type h() ENTER for help)

iex(1)> Req.get("https://google.com")

11:17:11.770 [debug] redirecting to https://www.google.com/
{:ok,
 %Req.Response{
   status: 200,
   ...
 }}

iex(2)> Req.get("https://repo.hex.pm")

11:18:00.602 [warning] Description: ~c"Failed to assert middlebox server message"
     Reason: [missing: {:change_cipher_spec, 1}]
   Location: tls_client_connection_1_3.erl:344


11:18:00.604 [notice] TLS :client: In state :hello_retry_middlebox_assert at ssl_gen_statem.erl:755 generated CLIENT ALERT: Fatal - Unexpected Message
 - {:unexpected_msg,
 {:internal,
  {:server_hello, {3, 3},
   <<...>>,
   <<...>>,
   <<...>>,
   %{
     server_hello_selected_version: {:server_hello_selected_version, {3, 4}},
     pre_shared_key: :undefined,
     key_share: {:key_share_server_hello,
      {:key_share_entry, :secp384r1,
       <<...>>}}
   }}}}
{:error,
 %Req.TransportError{
   reason: {:tls_alert,
    {:unexpected_message,
     ~c"TLS client: In state hello_retry_middlebox_assert at ssl_gen_statem.erl:755 generated CLIENT ALERT: Fatal - Unexpected Message\n {unexpected_msg,\n     {internal,\n         {server_hello,\n             {3,3},\n             <<...>>,\n             <<...>>,\n             <<19,1>>,\n             \#{server_hello_selected_version =>\n                   {server_hello_selected_version,{3,4}},\n               pre_shared_key => undefined,\n               key_share =>\n                   {key_share_server_hello,\n                       {key_share_entry,secp384r1,<<...>>}}}}}}"}}

iex(3)> Req.get("https://repo.hex.pm", connect_options: [transport_opts: [middlebox_comp_mode: false]])
{:ok,
 %Req.Response{
   status: 200,
   headers: %{
     "connection" => ["keep-alive"],
     "content-type" => ["text/plain; charset=utf8"],
     "date" => ["Tue, 16 Dec 2025 17:19:54 GMT"],
     "x-served-by" => ["cache-chi-kigq8000103-CHI"]
   },
   body: "Everything's Okay",
   trailers: %{},
   private: %{}
 }}

Some related issues that I haven’t been able to pull anything useful from:

github.com/erlang/otp

TLS retry_middlebox_assert issue after upgrading to erlang 26.0.2

opened 11:29AM - 23 Aug 23 UTC

closed 01:05PM - 31 Aug 23 UTC

nulian

team:PS not a bug bug

After I upgraded our project to erlang 26.0.2 i'm sometimes randomly getting `he…llo_retry_middlebox_assert` errors when sending mails through smtp client that uses hackney The error doesn't happen every time it seems very random if it works or not. Even got 2 different errors while trying to send mails and other times it works without any error. Did see this being talked about in https://github.com/erlang/otp/issues/6807 but not sure how I can configure or change something that it works consistent again like it did in erlang 25.3.2.5 The mailing domain is of an external service we use so we don't have control on their ssl configuration. Using domain smtp.flowmailer.net and see in the result it get's converted to front.flowmailer.net Error ``` [notice] TLS :client: In state :hello_retry_middlebox_assert at ssl_gen_statem.erl:807 generated CLIENT ALERT: Fatal - Unexpected Message - {:unexpected_msg, {:internal, {:server_hello, {3, 3}, <<102, 142, 172, 37, 33, 66, 144, 99, 163, 77, 88, 13, 149, 80, 9, 91, 203, 19, 203, 86, 92, 72, 159, 173, 249, 71, 170, 255, 179, 246, 78, 237>>, <<216, 127, 10, 162, 43, 134, 143, 46, 79, 122, 44, 98, 62, 240, 44, 220, 150, 220, 86, 18, 161, 174, 72, 237, 76, 13, 207, 22, 52, 172, 190, 201>>, <<19, 2>>, 0, %{ server_hello_selected_version: {:server_hello_selected_version, {3, 4}}, key_share: {:key_share_server_hello, {:key_share_entry, :secp256r1, <<4, 166, 1, 55, 56, 87, 244, 17, 150, 154, 47, 234, 86, 249, 89, 189, 216, 24, 208, 96, 14, 137, 146, 80, 76, 187, 254, 120, 35, 97, 135, 46, ...>>}}, pre_shared_key: :undefined }}}} 12:58:50.957 [warning] Description: ~c"Failed to assert middlebox server message" Reason: [missing: {:change_cipher_spec, 1}] 12:58:50.958 [notice] TLS :client: In state :hello_retry_middlebox_assert at ssl_gen_statem.erl:807 generated CLIENT ALERT: Fatal - Unexpected Message - {:unexpected_msg, {:internal, {:server_hello, {3, 3}, <<74, 149, 190, 159, 255, 55, 143, 79, 51, 187, 60, 235, 227, 156, 173, 152, 4, 199, 1, 124, 110, 59, 163, 190, 84, 61, 188, 99, 232, 198, 152, 9>>, <<216, 199, 168, 59, 78, 40, 179, 187, 167, 173, 108, 192, 17, 175, 182, 98, 249, 106, 90, 140, 243, 154, 87, 236, 234, 43, 99, 150, 34, 6, 125, 206>>, <<19, 2>>, 0, %{ server_hello_selected_version: {:server_hello_selected_version, {3, 4}}, key_share: {:key_share_server_hello, {:key_share_entry, :secp256r1, <<4, 254, 3, 61, 151, 111, 56, 96, 55, 204, 219, 198, 72, 55, 169, 181, 89, 106, 162, 229, 218, 149, 165, 136, 111, 111, 32, 109, 117, 229, 218, 90, ...>>}}, pre_shared_key: :undefined }}}} {:network_failure, ~c"front.flowmailer.net", {:error, :einval}} ```

github.com/elixir-lang/elixir

`mix local.hex`fails with TLS 1.3. middlebox error

opened 03:08PM - 24 Mar 25 UTC

closed 09:07PM - 24 Mar 25 UTC

kenny-evitt

### Elixir and Erlang/OTP versions ``` Erlang/OTP 27 [erts-15.2.2] [source] [64…-bit] [smp:4:4] [ds:4:4:10] [async-threads:1] Elixir 1.18.2 (compiled with Erlang/OTP 27) ``` ### Operating system Ubuntu 16.04.2 LTS ### Current behavior I'm setting up a new CI/CD server for this project and the shell command in the CI/CD pipeline that's failing is: ``` time mix local.hex --force --if-missing ``` From the log for that command: ``` $ time mix local.hex --force --if-missing ... ** (Mix) httpc request failed with: {:failed_connect, [{:to_address, {~c"builds.hex.pm", 443}}, {:inet, [:inet], {:tls_alert, {:unexpected_message, ~c"TLS client: In state hello_retry_middlebox_assert at ssl_gen_statem.erl:781 generated CLIENT ALERT: Fatal - Unexpected Message\n {unexpected_msg,\n {internal,\n {server_hello,\n {3,3},\n <<4,116,235,26,246,203,137,210,46,130,57,151,...>>,\n <<86,181,141,85,247,100,159,84,31,29,125,...>>,\n <<19,1>>,\n \#{server_hello_selected_version =>\n {server_hello_selected_version,{3,4}},\n pre_shared_key => undefined,\n key_share =>\n {key_share_server_hello,\n {key_share_entry,secp384r1,<<4,201,167,...>>}}}}}}"}}}]} Could not install Hex because Mix could not download metadata at https://builds.hex.pm/installs/hex-1.x.csv. Alternatively, you can compile and install Hex directly with this command: $ mix archive.install github hexpm/hex branch latest ``` The server isn't behind a proxy and I was able to download the file `https://builds.hex.pm/installs/hex-1.x.csv` on the server using `curl`. What seem to be relevant issues for Erlang/OTP: - [TLS 1.3 middlebox incompatibilities · Issue #6772 · erlang/otp](https://github.com/erlang/otp/issues/6772) - [Failed to assert middlebox server message in ssl:connect on OTP 26 and 27 · Issue #8470 · erlang/otp](https://github.com/erlang/otp/issues/8470) ### Expected behavior `mix local.hex` should successfully install Hex.

github.com/erlang/otp

OTP-24.3.4.3 `{unexpected_msg,{internal,{encrypted_extensions,#{}}}}`

opened 09:30AM - 25 Aug 22 UTC

closed 01:38PM - 07 Sep 22 UTC

wojtekmach

team:PS in progress bug

**Describe the bug** On OTP-24.3.4.3 I noticed the error below. OTP-24.3.4.2,… or other versions, didn't have such behaviour. **To Reproduce** ``` $ erl 1> ssl:start(), ssl:connect('elixir-lang.org', 443, []). =WARNING REPORT==== 25-Aug-2022::11:28:04.717049 === Description: "Authenticity is not established by certificate path validation" Reason: "Option {verify, verify_peer} and cacertfile/cacerts is missing" =NOTICE REPORT==== 25-Aug-2022::11:28:04.811253 === TLS client: In state hello_middlebox_assert at ssl_gen_statem.erl:736 generated CLIENT ALERT: Fatal - Unexpected Message - {unexpected_msg,{internal,{encrypted_extensions,#{}}}} {error,{tls_alert,{unexpected_message,"TLS client: In state hello_middlebox_assert at ssl_gen_statem.erl:736 generated CLIENT ALERT: Fatal - Unexpected Message\n {unexpected_msg,{internal,{encrypted_extensions,#{}}}}"}}} ``` **Expected behavior** No error. **Affected versions** 24.3.4.3

github.com/erlang/otp

TLS 1.3 middlebox incompatibilities

opened 01:37AM - 02 Feb 23 UTC

closed 08:35AM - 10 Feb 23 UTC

dotsimon

team:PS bug

There are two related bugs - one server side, one client side. **Describe the… server bug** OTP 25.? changes the SSL server behaviour in deciding if/when to send `change_cipher_spec` The simplistic explanation of that being a _client_ problem given in #6374 ignores the real world. Although [RFC 8446](https://www.rfc-editor.org/rfc/rfc8446) D.4 describes a method for "partially negotiated" middlebox compatibility, it also states: > Either side can send `change_cipher_spec` at any time during the handshake Furthermore, section 5 states an implementation receiving `change_cipher_spec` > MUST simply drop it without further processing For this reason many servers send `change_cipher_spec` regardless - OTP 24 is an example, as is www.google.com The bug is being too pedantic in interpreting D.4, introducing a breaking change for cases where the clients can't (easily) be changed. **Describe the client bug** OTP 25.2 and also 24.3.4.8 have the change introduced for #6241 The problem is that this change violates the handling of `change_cipher_spec` stated in section 5. A TLS 1.3 client **MUST** drop `change_cipher_spec` **To Reproduce** Connect to an OTP 24 server or, you know, the internet in general ```erlang 1> ssl:start(), ssl:connect("www.google.com", 443, [{verify,verify_none},{middlebox_comp_mode,false}], 1000). =NOTICE REPORT==== 1-Feb-2023::17:29:17.067186 === TLS client: In state wait_ee at ssl_gen_statem.erl:738 generated CLIENT ALERT: Fatal - Unexpected Message - {unexpected_msg,{internal,{change_cipher_spec,<<1>>}}} {error,{tls_alert,{unexpected_message,"TLS client: In state wait_ee at ssl_gen_statem.erl:738 generated CLIENT ALERT: Fatal - Unexpected Message\n {unexpected_msg,{internal,{change_cipher_spec,<<1>>}}}"}}} ``` **Expected behavior** - Regardless of `middlebox_comp_mode` the client **MUST** ignore `change_cipher_spec` - The server should send `change_cipher_spec` when `middlebox_comp_mode := true` for greater compatibility. In any case the behavioural change should have been clearly documented. **Affected versions** OTP 25.2 and OTP 24.4.3.8

Sorry if this is too much!

I would really appreciate any help on this, I’m a bit stuck

edit:

On further review this probably isnt relevant to us after all, as SC.L2-3.13.11 does not require the application to use FIPS-approved modules internally. I hope this helps some other poor soul out there.

:SSL Middlebox Compatibility Issues with FIPS Mode, mix deps.get fails

mix.exs

config/config.exs

$ mix deps.get

iex -S mix

`mix.exs`

`config/config.exs`

$ `mix deps.get`

`iex -S mix`