
Add proper HTTP/2 TLS configuration by default in cowboy:start_tls #1332

Open
casillic opened this issue Nov 1, 2018 · 4 comments

Comments


casillic commented Nov 1, 2018

I'm trying to avoid the ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY error in Chrome, so I'm having to provide cipher information. I'm sure I'm probably doing something wrong, so apologies in advance. When I try to use {ecdhe_rsa,aes_128_gcm,aead,sha256} in the ciphers list I get the following error:

=INFO REPORT==== 1-Nov-2018::08:43:37.140023 ===
TLS server: In state cipher at ssl_connection.erl:1148 generated SERVER ALERT: Fatal - Unexpected Message - {unexpected_msg,{alert,2,20,
                       {"ssl_cipher.erl",289},
                       undefined,decryption_failed}}

I have tried all kinds of different ciphers and still can't get it to work. I've avoided the blacklisted ones too.
I understand this may not be a Cowboy issue, but I'm not sure.
It appears Erlang ssl is now using maps for cipher_suites but can convert to tuples via ssl_cipher_format:erl_suite_definition/1 (it seems some mismatch is possible here).
I also asked the question on Stack Overflow here:

https://stackoverflow.com/questions/53086676/cowboy-webserver-using-http2-and-tls-getting-err-spdy-inadequate-transport-secur

What ciphers are recommended for use with HTTP/2, specifically for Chrome with Cowboy, and how exactly should they be entered (tuples / strings / maps)?
Thanks!


essen commented Nov 1, 2018

It's something that Cowboy should do by default, but I haven't gotten around to it yet, so I have not really learned how to configure it properly for browsers.

That message sounds like a recent bug in ssl though; are you on the latest patch release?


casillic commented Nov 1, 2018

Yeah, I've updated to the latest of everything: OpenSSL, Erlang/OTP, and I even went to Cowboy 2.5.
Is there a way to turn off HTTP/2 in Cowboy? It works fine in Firefox if I force HTTP/2 off. We apparently can't do that in Chrome anymore. It would be a temporary fix until this is figured out / resolved. Thanks again!


essen commented Nov 1, 2018

You'll need to call ranch:start_listener/5 directly and not provide the ALPN options.

@essen essen changed the title HTTP/2 Cipher Error? Add proper HTTP/2 TLS configuration by default in cowboy:start_tls Oct 3, 2019

essen commented Oct 7, 2019

One problem with providing this configuration by default is that it ties the Cowboy version to a specific security level, and it would require updating Cowboy to account for changes in security recommendations, like new ciphers, newly banned ciphers and so on.

I think a better idea would be either to just document the procedure (#1090), because it can be done in a time-independent manner (you document how to find out which ciphers you should enable/disable, not the ciphers themselves), or to provide a small library which can be used and updated independently, similar to what certifi is doing for HTTP clients.
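The "time-independent" approach described above, written out as an added example (not Cowboy's or the reporter's code): instead of hard-coding cipher tuples, ask the running OTP for its default suites and keep only the ones HTTP/2 allows (RFC 7540 Appendix A blacklists every non-ephemeral and non-AEAD suite), then pass that list to cowboy:start_tls/3. It assumes OTP 20.3 or later for ssl:cipher_suites/2 and ssl:filter_cipher_suites/2, Cowboy 2.x, and the hypothetical module name h2_tls_example and handler hello_h; the certificate paths are placeholders.

```erlang
%% Added example, not Cowboy's own code. Module and handler names are
%% hypothetical; certificate paths are supplied by the caller.
-module(h2_tls_example).
-export([h2_ciphers/0, start/2]).

%% Build an HTTP/2-compatible cipher list from whatever the installed
%% OTP supports, so the list follows OTP upgrades instead of a
%% hard-coded set of tuples. RFC 7540 Appendix A rules out every
%% suite that is not ephemeral (ECDHE) with an AEAD cipher, so the
%% filter keeps exactly those. ssl returns the suites as maps, which
%% the ciphers option accepts directly (no tuple/string conversion).
h2_ciphers() ->
    Default = ssl:cipher_suites(default, 'tlsv1.2'),
    ssl:filter_cipher_suites(Default, [
        {key_exchange, fun(ecdhe_rsa)   -> true;
                          (ecdhe_ecdsa) -> true;
                          (_)           -> false end},
        {mac,          fun(aead)        -> true;
                          (_)           -> false end}
    ]).

%% Start the TLS listener. cowboy:start_tls/3 adds the ALPN options
%% advertising h2 and http/1.1 by itself, so only the cipher and
%% certificate configuration is given here. Refuse to start when the
%% filter leaves no suites at all: a browser would otherwise negotiate
%% h2 and then fail with an inadequate-transport-security error.
start(CertFile, KeyFile) ->
    case h2_ciphers() of
        [] ->
            {error, no_http2_compatible_ciphers};
        Ciphers ->
            Dispatch = cowboy_router:compile([
                {'_', [{"/", hello_h, []}]}
            ]),
            cowboy:start_tls(https, [
                {port, 8443},
                {certfile, CertFile},
                {keyfile, KeyFile},
                {versions, ['tlsv1.2']},
                {ciphers, Ciphers},
                {honor_cipher_order, true}
            ], #{env => #{dispatch => Dispatch}})
    end.
```

Calling h2_tls_example:h2_ciphers() in a shell is also a quick way to check which suites the installed OTP will actually offer to an HTTP/2 client before pointing a browser at the listener.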
