Thank you! I checked the list and sure enough one of the eccs options was missing in my env. However, since I was testing this in a Desktop environment, I then checked it against the list running on the embedded device and the ciphers and supports were all there.
Unfortunately, although TLS1.3 does appear to work when it’s initiated from the Browser (I also verified network traffic for TLS1.3 handshaking), I’m getting a very strange error when I try to set TLS1.3 as the minimum or main security level.
Start Call: :ranch_conns_sup_sup.start_link(MyEndpoint.HTTPS, :ranch_ssl, :cowboy_tls, :logger)
Restart: :permanent
Shutdown: :infinity
Type: :supervisor
18:53:23.613: [error] iex : Failed to start Ranch listener MyEndpoint.HTTPS in :ranch_ssl:listen(%{max_connections: 16384, num_acceptors: 12, socket_opts: [cacerts: :..., key: :..., cert: :..., alpn_preferred_protocols: ["h2", "http/1.1"], next_protocols_advertised: ["h2", "http/1.1"], reuse_sessions: true, secure_renegotiate: true, certfile: '/ssl/self_signed_ssl_cert.pem', keyfile: '/ssl/self_signed_ssl_key.pem', port: 443, ciphers: [{:any, :aes_256_gcm, :aead, :sha384}, {:any, :aes_128_gcm, :aead, :sha256}, {:any, :chacha20_poly1305, :aead, :sha256}, {:any, :aes_128_ccm, :aead, :sha256}, {:any, :aes_128_ccm_8, :aead, :sha256}, {:ecdhe_ecdsa, :aes_256_gcm, :aead, :sha384}, {:ecdhe_rsa, :aes_256_gcm, :aead, :sha384}, {:ecdhe_ecdsa, :aes_256_cbc, :sha384, :sha384}, {:ecdhe_rsa, :aes_256_cbc, :sha384, :sha384}, {:ecdh_ecdsa, :aes_256_gcm, :aead, :sha384}, {:ecdh_rsa, :aes_256_gcm, :aead, :sha384}, {:ecdh_ecdsa, :aes_256_cbc, :sha384, :sha384}, {:ecdh_rsa, :aes_256_cbc, :sha384, :sha384}, {:dhe_rsa, :aes_256_gcm, :aead, :sha384}, {:dhe_dss, :aes_256_gcm, :aead, :sha384}, {:dhe_rsa, :aes_256_cbc, :sha256}, {:dhe_dss, :aes_256_cbc, :sha256}, {:ecdhe_ecdsa, :aes_128_gcm, :aead, :sha256}, {:ecdhe_rsa, :aes_128_gcm, :aead, :sha256}, {:ecdhe_ecdsa, :chacha20_poly1305, :aead, :sha256}, {:ecdhe_rsa, :chacha20_poly1305, :aead, :sha256}, {:ecdhe_ecdsa, :aes_128_cbc, :sha256, :sha256}, {:ecdhe_rsa, :aes_128_cbc, :sha256, :sha256}, {:ecdh_ecdsa, :aes_128_gcm, :aead, :sha256}, {:ecdh_rsa, :aes_128_gcm, :aead, :sha256}, {:ecdh_ecdsa, :aes_128_cbc, :sha256, :sha256}, {:ecdh_rsa, :aes_128_cbc, :sha256, :sha256}, {:dhe_rsa, :aes_128_gcm, :aead, :sha256}, {:dhe_dss, :aes_128_gcm, :aead, :sha256}, {:dhe_rsa, :chacha20_poly1305, :aead, :sha256}, {:dhe_rsa, :aes_128_cbc, :sha256}, {:dhe_dss, :aes_128_cbc, :sha256}, {:ecdhe_ecdsa, :aes_256_cbc, :sha}, {:ecdhe_rsa, :aes_256_cbc, ...}, {:dhe_rsa, ...}, {...}, ...], versions: [:"tlsv1.3"], ip: {0, 0, 0, 0, 0, 0, 0, 0}, honor_cipher_order: true]}) for reason {:options, :dependency, {:secure_renegotiate, {:versions, [:tlsv1, :"tlsv1.1", :"tlsv1.2"]}}} (unknown POSIX error)
18:53:23.616: [error] supervisor.start_children/2 : Child :ranch_acceptors_sup of Supervisor #PID<0.19763.0> (:ranch_listener_sup) failed to start
** (exit) {:listen_error, MyEndpoint.HTTPS, **{:options, :dependency, {:secure_renegotiate, {:versions, [:tlsv1, :"tlsv1.1", :"tlsv1.2"]}}}}**
Start Call: :ranch_acceptors_sup.start_link(MyEndpoint.HTTPS, :ranch_ssl, :logger)
Restart: :permanent
Shutdown: :infinity
Type: :supervisor
18:53:23.633: [error] proc_lib.crash_report/4 : Process #PID<0.19777.0> terminating
** (exit) {:listen_error, MyEndpoint.HTTPS, {:options, :dependency, {:secure_renegotiate, {:versions, [:tlsv1, :"tlsv1.1", :"tlsv1.2"]}}}}
(ranch 2.0.0) /workdir/firmware/deps/lces2/ranch/src/ranch_acceptors_sup.erl:95: :ranch_acceptors_sup.listen_error/5
(ranch 2.0.0) /workdir/firmware/deps/lces2/ranch/src/ranch_acceptors_sup.erl:54: :ranch_acceptors_sup.start_listen_sockets/5
(ranch 2.0.0) /workdir/firmware/deps/lces2/ranch/src/ranch_acceptors_sup.erl:34: :ranch_acceptors_sup.init/1
(stdlib 3.13) supervisor.erl:301: :supervisor.init/1
(stdlib 3.13) gen_server.erl:417: :gen_server.init_it/2
(stdlib 3.13) gen_server.erl:385: :gen_server.init_it/6
(stdlib 3.13) proc_lib.erl:226: :proc_lib.init_p_do_apply/3
Initial Call: :ranch_acceptors_sup.init/1
I updated ranch to 2.0 with a minor change to make it work with plug_cowboy 2.8. However, I still get that error. I get the feeling it's looking to support only [:tlsv1, :"tlsv1.1", :"tlsv1.2"] but I'm not sure where it's getting that list from, as the underlying ssl lib seems to have tlsv1.3 support.
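A note added here, not part of the post above. The version list in the error is not what the ssl library supports; it is the set of versions the rejected option applies to. OTP's ssl validates option dependencies when the listen socket is created (this is OTP 23, judging by the stdlib 3.13 frames), and `secure_renegotiate` is only accepted when at least one of tlsv1, tlsv1.1 or tlsv1.2 is in `versions`, because TLS 1.3 removed renegotiation. The same dependency applies to `reuse_sessions` (TLS 1.3 resumes with tickets, not session IDs) and to `next_protocols_advertised` (NPN), so removing `secure_renegotiate` alone just moves the error to the next of those options. The config below is an added example, not the poster's own code: it keeps the endpoint name, paths, port and cipher tuples from the pasted log, and the application name `:my_app` is an assumption. The first variant is TLS 1.3 only with the 1.2-era options dropped; the second keeps them by also enabling TLS 1.2, which satisfies the dependency check.

```elixir
# Added example, not from the original post. MyEndpoint, the port, the
# file paths and the cipher tuples come from the pasted ranch error;
# the OTP application name :my_app is an assumption.
import Config

# Variant A: TLS 1.3 only.
# secure_renegotiate, reuse_sessions and next_protocols_advertised are
# removed because OTP's ssl only accepts them when tlsv1/1.1/1.2 is in
# :versions, which is exactly the {:options, :dependency, ...} error.
# The :any key-exchange tuples are the TLS 1.3 suites; the named
# key-exchange tuples from the log are 1.2 suites and are never
# negotiated here, so they are left out.
config :my_app, MyEndpoint,
  https: [
    port: 443,
    ip: {0, 0, 0, 0, 0, 0, 0, 0},
    certfile: "/ssl/self_signed_ssl_cert.pem",
    keyfile: "/ssl/self_signed_ssl_key.pem",
    versions: [:"tlsv1.3"],
    ciphers: [
      {:any, :aes_256_gcm, :aead, :sha384},
      {:any, :chacha20_poly1305, :aead, :sha256},
      {:any, :aes_128_gcm, :aead, :sha256}
    ],
    # ALPN is still valid for TLS 1.3 and is what h2 negotiation uses.
    alpn_preferred_protocols: ["h2", "http/1.1"],
    honor_cipher_order: true
  ]

# Variant B: TLS 1.2 and 1.3. With a pre-1.3 version present the
# dependency check passes, so the 1.2-only options may stay; they
# simply have no effect on 1.3 handshakes. Uncomment to use instead
# of Variant A.
#
# config :my_app, MyEndpoint,
#   https: [
#     port: 443,
#     ip: {0, 0, 0, 0, 0, 0, 0, 0},
#     certfile: "/ssl/self_signed_ssl_cert.pem",
#     keyfile: "/ssl/self_signed_ssl_key.pem",
#     versions: [:"tlsv1.3", :"tlsv1.2"],
#     ciphers: [
#       {:any, :aes_256_gcm, :aead, :sha384},
#       {:any, :chacha20_poly1305, :aead, :sha256},
#       {:any, :aes_128_gcm, :aead, :sha256},
#       {:ecdhe_ecdsa, :aes_256_gcm, :aead, :sha384},
#       {:ecdhe_rsa, :aes_256_gcm, :aead, :sha384},
#       {:ecdhe_ecdsa, :chacha20_poly1305, :aead, :sha256},
#       {:ecdhe_rsa, :chacha20_poly1305, :aead, :sha256},
#       {:ecdhe_ecdsa, :aes_128_gcm, :aead, :sha256},
#       {:ecdhe_rsa, :aes_128_gcm, :aead, :sha256}
#     ],
#     secure_renegotiate: true,
#     reuse_sessions: true,
#     alpn_preferred_protocols: ["h2", "http/1.1"],
#     honor_cipher_order: true
#   ]
```

Whichever variant is used, the quick check is to start the endpoint and confirm no `{:options, :dependency, ...}` reason appears in the ranch listener error; if a different option name shows up in the tuple, it is the next option in the same 1.2-only group and should be dropped from the TLS 1.3-only config as well.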