[erlang-questions] Different SSL behaviours, how to pick ciphers?

Fred Hebert mononcqc@REDACTED
Wed Jul 13 15:41:40 CEST 2016


On 07/12, André Cruz wrote:
>As can be seen I cannot establish a connection using the container 
>version of Erlang. Looking at the traffic I can see that the 
>ClientHello message specifies SSLv3 ciphers, while the version that 
>works uses TLS1.2. How can I influence this choice of ciphers? Is it a 
>problem with the openssl lib in the container image?
>

You should at the very least have some basic configuration of SSL in 
Erlang -- the one that ships stock isn't particularly great.

Say for example:

[
  {ciphers, Ciphers},                 %% explicit allow-list, not the stock default
  {honor_cipher_order, true},         %% server picks from its own preference order
  {secure_renegotiate, true},         %% require RFC 5746 secure renegotiation
  {client_renegotiation, false},      %% do not let clients trigger renegotiation
  {versions, ['tlsv1.2', 'tlsv1.1', 'tlsv1']}   %% no SSLv3
]

Where `Ciphers' is a list based on either the tools at 
https://wiki.mozilla.org/Security/Server_Side_TLS or 
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html 
so you avoid ciphersuites deemed unsafe or which could give you 
compatibility issues (with say HTTP/2, which has its own blacklist of 
certificates)

As a client -- and possibly as a server -- you'll also want to validate 
SSL certificates.  To do so, you can use `certifi' to provide a decent 
set of root CAs (https://github.com/certifi/erlang-certifi) and 
`ssl_verify_fun' (https://hex.pm/packages/ssl_verify_fun) to do the 
actual validation:

[
  {verify, verify_peer},              %% fail the handshake on an untrusted cert
  {depth, 2},                         %% max intermediate CAs in the chain
  {cacerts, certifi:cacerts()},       %% root CA bundle from certifi
  {server_name_indication, Hostname},
  {verify_fun, {fun ssl_verify_hostname:verify_fun/3,
                [{check_hostname, Hostname}]}}
]

With these options, certificate validation can take place.

In case you want to do certificate pinning (validating that the request 
comes or goes to a known certificate -- more useful if you're working 
with self-signed stuff), I've so far used `Tak' 
(https://github.com/heroku/tak) to generate the SSL configuration 
required.

Regards,
Fred.
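The option lists above put together as one module, as an added example that is not part of Fred's reply or of any of the projects he names. It assumes OTP 21 or later (for `ssl:cipher_suites/2` and `ssl:filter_cipher_suites/2`), the `certifi` and `ssl_verify_fun` packages from hex, and it narrows `versions` to TLS 1.2 only, which is stricter than the list in the reply. The module name, function names and the `probe/2` diagnostic helper are all made up for this example; the question in the thread was about a ClientHello offering the wrong suites, and `probe/2` reports what the handshake actually negotiated so that can be checked from the Erlang side.

```erlang
%% tls_opts.erl -- added example, not code from the original thread.
%% Builds hardened ssl option lists for client and server sockets.
%% Assumes OTP 21+ and the hex packages `certifi' and `ssl_verify_fun'.
-module(tls_opts).
-export([strong_ciphers/0, client_options/1, server_options/2, probe/2]).

%% Start from OTP's own default TLS 1.2 suites and keep only those with a
%% forward-secret key exchange, a modern cipher and a non-SHA1 MAC (AEAD
%% suites report their mac as `aead', so they survive the mac filter).
strong_ciphers() ->
    Default = ssl:cipher_suites(default, 'tlsv1.2'),
    ssl:filter_cipher_suites(Default, [
        {key_exchange, fun(ecdhe_ecdsa) -> true;
                          (ecdhe_rsa)   -> true;
                          (dhe_rsa)     -> true;
                          (_)           -> false end},
        {cipher, fun(rc4_128)        -> false;
                    (des_cbc)        -> false;
                    ('3des_ede_cbc') -> false;
                    (_)              -> true end},
        {mac, fun(md5) -> false;
                 (sha) -> false;
                 (_)   -> true end}
    ]).

%% Options shared by both roles: explicit suite list, TLS 1.2 only, and
%% secure renegotiation required.
common_options() ->
    [
     {versions, ['tlsv1.2']},
     {ciphers, strong_ciphers()},
     {secure_renegotiate, true}
    ].

%% Client options for connecting to Hostname (a string such as
%% "example.com"). The peer certificate must chain to a certifi root and
%% its names must match Hostname, or the handshake fails.
client_options(Hostname) ->
    common_options() ++
    [
     {verify, verify_peer},
     {depth, 2},
     {cacerts, certifi:cacerts()},
     {server_name_indication, Hostname},
     {verify_fun, {fun ssl_verify_hostname:verify_fun/3,
                   [{check_hostname, Hostname}]}}
    ].

%% Server options: our own order wins and clients cannot renegotiate.
%% CertFile and KeyFile are PEM paths supplied by the caller.
server_options(CertFile, KeyFile) ->
    common_options() ++
    [
     {certfile, CertFile},
     {keyfile, KeyFile},
     {honor_cipher_order, true},
     {client_renegotiation, false}
    ].

%% Connect to Host:Port with the hardened client options and report the
%% protocol version and suite the server actually selected, then close.
%% Returns {ok, Info} or {error, Reason}; a verification failure shows up
%% as an error here rather than as a silently accepted connection.
probe(Host, Port) ->
    case ssl:connect(Host, Port, client_options(Host), 5000) of
        {ok, Socket} ->
            Result = ssl:connection_information(
                       Socket, [protocol, selected_cipher_suite]),
            ssl:close(Socket),
            Result;
        {error, Reason} ->
            {error, Reason}
    end.
```

Usage from a shell that has `ssl`, `certifi` and `ssl_verify_fun` started is `tls_opts:probe("example.com", 443).`; on success it returns the negotiated `protocol` and `selected_cipher_suite`, which is the quickest way to confirm that the suites offered in the ClientHello are the ones you configured rather than the stock defaults.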
