TLS 1.3 has been out for a little over a year now, but it has been unavailable in Phoenix due to Erlang's handling of ssl. With the most recent version of Erlang released (22.2.3) these issues should now be solved. I've spent a bit of time going down the rabbit hole of getting our servers to run the protocol so our end users can get better performance and security. If you'd like to upgrade, follow the directions below and let me know in the comments if you run into any issues.
YOU MUST BE RUNNING ERLANG 22.2.3 OR THIS WILL NOT WORK
Within your endpoint configuration copy/paste the following code within the
```elixir
https: [
  ...
  honor_cipher_order: true,
  ciphers: [
    'TLS_AES_128_GCM_SHA256',
    'TLS_AES_256_GCM_SHA384',
    'TLS_CHACHA20_POLY1305_SHA256',
    'ECDHE-ECDSA-AES128-GCM-SHA256',
    'ECDHE-RSA-AES128-GCM-SHA256',
    'ECDHE-ECDSA-AES256-GCM-SHA384',
    'ECDHE-RSA-AES256-GCM-SHA384',
    'ECDHE-ECDSA-CHACHA20-POLY1305',
    'ECDHE-RSA-CHACHA20-POLY1305',
    'DHE-RSA-AES128-GCM-SHA256',
    'DHE-RSA-AES256-GCM-SHA384'
  ],
  eccs: [:x25519, :secp256r1, :secp384r1],
  secure_renegotiate: true,
  reuse_sessions: true,
  versions: [:"tlsv1.3", :"tlsv1.2"],
  ...
]
```
The cipher and eccs lists are based on the OWASP Cipher String Cheat Sheet and Mozilla's Server Side TLS v5.3. This should give you compatibility with almost all modern devices and should lead to an A+ rating in SSL Labs and Immuniweb.
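Once the endpoint is deployed, it is worth confirming that it really negotiates TLS 1.3 and 1.2 and refuses the legacy versions the `versions:` list leaves out. The script below is an added example (not part of this post or of Phoenix); it assumes Python 3.7+ with its standard `ssl` module and a placeholder hostname you replace with your own server.

```python
"""Probe a deployed endpoint and check it against the versions: policy in the config above."""
import socket
import ssl

# Versions the config enables (must negotiate) and legacy ones it omits (must be refused).
POLICY = {"TLSv1.3": True, "TLSv1.2": True, "TLSv1.1": False, "TLSv1": False}

_VERSIONS = {
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1": ssl.TLSVersion.TLSv1,
}


def probe(host, port, version_name, timeout=5.0):
    """Handshake pinned to exactly one protocol version.

    Returns (negotiated_version, cipher_name) on success, or None when the
    server refused that version (or the handshake failed for any other reason).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = _VERSIONS[version_name]
    # Legacy versions need the client to offer pre-AEAD suites at all; a local OpenSSL
    # built without TLS 1.0/1.1 will simply report them as refused, so treat a clean
    # pass on those rows with some care.
    if version_name in ("TLSv1", "TLSv1.1"):
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def evaluate(results):
    """Compare {version_name: probe result} against POLICY; returns violations (empty = pass)."""
    violations = []
    for name, must_succeed in POLICY.items():
        got = results.get(name)
        if must_succeed and got is None:
            violations.append(f"{name} should be offered but the handshake failed")
        elif not must_succeed and got is not None:
            violations.append(f"{name} is obsolete but the server accepted it ({got[1]})")
    return violations


def audit(host, port=443):
    """Run every probe against one endpoint, e.g. audit('example.invalid')  # placeholder host."""
    return evaluate({name: probe(host, port, name) for name in POLICY})
```

An empty list from `audit` means the server matches the `versions:` setting; each violation names the version and, for an accepted legacy version, the cipher it negotiated.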
Let me know if you have any questions or run into any problems if you use this config for your project.