[erlang-questions] Different SSL behaviours, how to pick ciphers?
André Cruz
andre@REDACTED
Wed Jul 13 19:08:12 CEST 2016
On 13 Jul 2016, at 17:02, Fred Hebert <mononcqc@REDACTED> wrote:
>
> On 07/13, André Cruz wrote:
>>
>> It's strange to change this default in a minor version upgrade. Is this something that can be configured? I've found that some SSL servers drop the connection immediately when SSL records are used.
>>
>
> The `versions' tuple should specify the versions in order if you have them configured for your socket. The `honor_cipher_order` thing lets the server force the order you gave as the order to honor for ciphers.
The problem was that since Erlang 18.3.2 the "signature_algorithms" extension is only sent if the supported ssl versions is just 'tlsv1.2'. Since the default is tls 1 though 1.2, this extension is not sent and some servers require it. It's strange that I'm the only one with this problem...
Anyway, the solution in this case was to specify {versions, ['tlsv1.2']}, but if you need to support other tls versions you may need to manually fill the "signature_algs" option.
Best regards,
André Cruz
More information about the erlang-questions
mailing list