tomciopp

tomciopp

Using TLS 1.3 with Phoenix

TLS 1.3 has been out for a little over a year now, but it has been unavailable in Phoenix due to erlang’s handling of ssl. With the most recent version of erlang released (22.2.3) these issues should now be solved. I’ve spent a bit of time going down the rabbit hole of getting our servers to run the protocol so our end users can get better performance and security. If you’d like to upgrade follow the directions below and let me know in the comments if you run into any issues.

YOU MUST BE RUNNING ERLANG 22.2.3 OR THIS WILL NOT WORK

Within your endpoint configuration copy/paste the following code within the :https keyword

   https: [
     ...
      honor_cipher_order: true,
      ciphers: [
        'TLS_AES_128_GCM_SHA256',
        'TLS_AES_256_GCM_SHA384',
        'TLS_CHACHA20_POLY1305_SHA256',
        'ECDHE-ECDSA-AES128-GCM-SHA256',
        'ECDHE-RSA-AES128-GCM-SHA256',
        'ECDHE-ECDSA-AES256-GCM-SHA384',
        'ECDHE-RSA-AES256-GCM-SHA384',
        'ECDHE-ECDSA-CHACHA20-POLY1305',
        'ECDHE-RSA-CHACHA20-POLY1305',
        'DHE-RSA-AES128-GCM-SHA256',
        'DHE-RSA-AES256-GCM-SHA384'
      ],
      eccs: [
        :x25519,
        :secp256r1,
        :secp384r1
      ],
      secure_renegotiate: true,
      reuse_sessions: true,
      versions: [:"tlsv1.3", :"tlsv1.2"],
      ...
    ]

Cipher and eccs are based off of the work done in OWASP Cipher String Cheat
Sheet
and Mozilla’s Server Side TLS v5.3. This should give you compatibility with almost all modern devices and should lead to an A+ rating in SSL Labs and Immuniweb

Let me know if you have any questions or run into any problems if you use this config for your project.

Most Liked

tomciopp

tomciopp

WARNING

It looks like there are errors if you make a connection using secure websockets. I’m uncertain if this is within phoenix, or erlang but the configuration above shouldn’t have to change for things to work out of the box. I’m going to dig into the errors and will report back in this thread if/when there is news on a fix.

voltone

voltone

I opened an issue on Plug.

tomciopp

tomciopp

I can reopen a pull request to plug, but I’m not sure when it will be merged since we require the use of erlang 23.0.0 or greater. To get this working today you would need to copy/paste the above code.

Where Next?

Popular in Guides/Tuts Top

wfgilman
I’m writing up this quick “How to” because what I thought was going to be an easy implementation of a Plug to validate a webhook request ...
New
redfloyd
Greetings fellow alchemists ! I have started to write an open-source interpreter in Elixir (GitHub - nicolasdilley/dwarf-interpreter: Th...
New
bluegene
Hi guys, I’ve been on a personal journey to learn Elixir for the past two years. During this journey I’ve been using the spaced repetiti...
New
sergio
Wrote this guide on how to integrate DropzoneJS with Phoenix Liveview. Hope it helps someone out! Woah read that title again, what a ...
New
siever
I just wrote a simple guide on how you can setup a productive elixir development environment in vim. Its really easy, just a few steps. ...
New
New
bitli
In case this is handy for other people, here is how you can run Elixir on Android: Install https://termux.com/ apt update; apt upgrade ...
New
dmitriid
This is not a question, but a post for anyone who may need it in the future. Sometimes some browsers may mangle the filename if it’s non-...
New
dkuku
I Created a blog post about setting up svelte with phoenix. I found it a bit tricky and the only blog post I found was written using som...
New
mhanberg
Hi! I recently finished adding authentication to my Phoenix API, so I wanted to share what I learned. I haven’t created authentication f...
New

Other popular topics Top

WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
stefanluptak
Hello everybody, usually, I use a 29" ultra-wide monitor for VSCode which can easily accomodate explorer (files panel) + file with code ...
New
freewebwithme
Using vs code and installed ElixirLS: support and debugger. And I got an error popped up on start up says Failed to run ‘elixir’ comma...
New
aesmail
Hello guys, I have finally made it. I created an admin interface for a framework. It’s been on my todo list for years and with the curre...
New
KronicDeth
Elixir plugin for JetBrain’s IntelliJ Platform (including Rubymine) This is a plugin that adds support for Elixir to JetBrains IntelliJ...
289 36432 110
New
boundedvariable
I am going through the kafka architecture. All the features what the kafka is providing are already in Erlang. I would like hear your opi...
New
JakeBecker
TL;DR: I’ve just released an implementation of Microsoft’s IDE-independent Language Server Protocol for Elixir. It adds language support ...
1144 54250 245
New
JorisKok
I have a server on AWS, and was running a load test using artillery. When looking at the Phoenix dashboard I see the Ports going to 100% ...
New
lanycrost
Hi everyone! I need implement if…else if…else condition from my elixir code, and anymore of this control flow structures not work proper...
New

We're in Beta

About us Mission Statement