tomciopp
Using TLS 1.3 with Phoenix
TLS 1.3 has been out for a little over a year now, but it has been unavailable in Phoenix due to erlang’s handling of ssl. With the most recent version of erlang released (22.2.3) these issues should now be solved. I’ve spent a bit of time going down the rabbit hole of getting our servers to run the protocol so our end users can get better performance and security. If you’d like to upgrade follow the directions below and let me know in the comments if you run into any issues.
YOU MUST BE RUNNING ERLANG 22.2.3 OR THIS WILL NOT WORK
Within your endpoint configuration copy/paste the following code within the :https keyword
https: [
...
honor_cipher_order: true,
ciphers: [
'TLS_AES_128_GCM_SHA256',
'TLS_AES_256_GCM_SHA384',
'TLS_CHACHA20_POLY1305_SHA256',
'ECDHE-ECDSA-AES128-GCM-SHA256',
'ECDHE-RSA-AES128-GCM-SHA256',
'ECDHE-ECDSA-AES256-GCM-SHA384',
'ECDHE-RSA-AES256-GCM-SHA384',
'ECDHE-ECDSA-CHACHA20-POLY1305',
'ECDHE-RSA-CHACHA20-POLY1305',
'DHE-RSA-AES128-GCM-SHA256',
'DHE-RSA-AES256-GCM-SHA384'
],
eccs: [
:x25519,
:secp256r1,
:secp384r1
],
secure_renegotiate: true,
reuse_sessions: true,
versions: [:"tlsv1.3", :"tlsv1.2"],
...
]
Cipher and eccs are based off of the work done in OWASP Cipher String Cheat
Sheet and Mozilla’s Server Side TLS v5.3. This should give you compatibility with almost all modern devices and should lead to an A+ rating in SSL Labs and Immuniweb
Let me know if you have any questions or run into any problems if you use this config for your project.
Most Liked
tomciopp
WARNING
It looks like there are errors if you make a connection using secure websockets. I’m uncertain if this is within phoenix, or erlang but the configuration above shouldn’t have to change for things to work out of the box. I’m going to dig into the errors and will report back in this thread if/when there is news on a fix.
tomciopp
I can reopen a pull request to plug, but I’m not sure when it will be merged since we require the use of erlang 23.0.0 or greater. To get this working today you would need to copy/paste the above code.
Popular in Guides/Tuts
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance









