<div dir="ltr">Hi Ingela, thanks for troubleshooting this. I ran the openssl server and pointed Chromium at <a href="https://localhost:4433">https://localhost:4433</a>, using the same certs from the Cowboy example.<div><br>
</div><div style>It works, so I don't think the web browser client is the issue.</div><div style><br></div><div style>Here's the long HTML printout by openssl server, when I hit <a href="https://localhost:4433">https://localhost:4433</a> using Chromium:</div>
<div style><br></div><div style><div>s_server -accept 4433 -CAfile cowboy-ca.crt -cert server.crt -key server.key -www</div><div>Ciphers supported in s_server binary</div><div>TLSv1/SSLv3:ECDHE-RSA-AES256-GCM-SHA384 TLSv1/SSLv3:ECDHE-ECDSA-AES256-GCM-SHA384</div>
<div>TLSv1/SSLv3:ECDHE-RSA-AES256-SHA384 TLSv1/SSLv3:ECDHE-ECDSA-AES256-SHA384</div><div>TLSv1/SSLv3:ECDHE-RSA-AES256-SHA TLSv1/SSLv3:ECDHE-ECDSA-AES256-SHA </div><div>TLSv1/SSLv3:SRP-DSS-AES-256-CBC-SHA TLSv1/SSLv3:SRP-RSA-AES-256-CBC-SHA </div>
<div>TLSv1/SSLv3:DHE-DSS-AES256-GCM-SHA384 TLSv1/SSLv3:DHE-RSA-AES256-GCM-SHA384</div><div>TLSv1/SSLv3:DHE-RSA-AES256-SHA256 TLSv1/SSLv3:DHE-DSS-AES256-SHA256</div><div>TLSv1/SSLv3:DHE-RSA-AES256-SHA TLSv1/SSLv3:DHE-DSS-AES256-SHA</div>
<div>TLSv1/SSLv3:DHE-RSA-CAMELLIA256-SHA TLSv1/SSLv3:DHE-DSS-CAMELLIA256-SHA</div><div>TLSv1/SSLv3:ECDH-RSA-AES256-GCM-SHA384 TLSv1/SSLv3:ECDH-ECDSA-AES256-GCM-SHA384</div><div>TLSv1/SSLv3:ECDH-RSA-AES256-SHA384 TLSv1/SSLv3:ECDH-ECDSA-AES256-SHA384</div>
<div>TLSv1/SSLv3:ECDH-RSA-AES256-SHA TLSv1/SSLv3:ECDH-ECDSA-AES256-SHA </div><div>TLSv1/SSLv3:AES256-GCM-SHA384 TLSv1/SSLv3:AES256-SHA256 </div><div>TLSv1/SSLv3:AES256-SHA TLSv1/SSLv3:CAMELLIA256-SHA </div>
<div>TLSv1/SSLv3:PSK-AES256-CBC-SHA TLSv1/SSLv3:ECDHE-RSA-DES-CBC3-SHA </div><div>TLSv1/SSLv3:ECDHE-ECDSA-DES-CBC3-SHA TLSv1/SSLv3:SRP-DSS-3DES-EDE-CBC-SHA </div><div>TLSv1/SSLv3:SRP-RSA-3DES-EDE-CBC-SHA TLSv1/SSLv3:EDH-RSA-DES-CBC3-SHA </div>
<div>TLSv1/SSLv3:EDH-DSS-DES-CBC3-SHA TLSv1/SSLv3:ECDH-RSA-DES-CBC3-SHA </div><div>TLSv1/SSLv3:ECDH-ECDSA-DES-CBC3-SHA TLSv1/SSLv3:DES-CBC3-SHA </div><div>TLSv1/SSLv3:PSK-3DES-EDE-CBC-SHA TLSv1/SSLv3:ECDHE-RSA-AES128-GCM-SHA256</div>
<div>TLSv1/SSLv3:ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1/SSLv3:ECDHE-RSA-AES128-SHA256</div><div>TLSv1/SSLv3:ECDHE-ECDSA-AES128-SHA256 TLSv1/SSLv3:ECDHE-RSA-AES128-SHA</div><div>TLSv1/SSLv3:ECDHE-ECDSA-AES128-SHA TLSv1/SSLv3:SRP-DSS-AES-128-CBC-SHA</div>
<div>TLSv1/SSLv3:SRP-RSA-AES-128-CBC-SHA TLSv1/SSLv3:DHE-DSS-AES128-GCM-SHA256</div><div>TLSv1/SSLv3:DHE-RSA-AES128-GCM-SHA256 TLSv1/SSLv3:DHE-RSA-AES128-SHA256</div><div>TLSv1/SSLv3:DHE-DSS-AES128-SHA256 TLSv1/SSLv3:DHE-RSA-AES128-SHA</div>
<div>TLSv1/SSLv3:DHE-DSS-AES128-SHA TLSv1/SSLv3:DHE-RSA-SEED-SHA </div><div>TLSv1/SSLv3:DHE-DSS-SEED-SHA TLSv1/SSLv3:DHE-RSA-CAMELLIA128-SHA </div><div>TLSv1/SSLv3:DHE-DSS-CAMELLIA128-SHA TLSv1/SSLv3:ECDH-RSA-AES128-GCM-SHA256</div>
<div>TLSv1/SSLv3:ECDH-ECDSA-AES128-GCM-SHA256 TLSv1/SSLv3:ECDH-RSA-AES128-SHA256</div><div>TLSv1/SSLv3:ECDH-ECDSA-AES128-SHA256 TLSv1/SSLv3:ECDH-RSA-AES128-SHA</div><div>TLSv1/SSLv3:ECDH-ECDSA-AES128-SHA TLSv1/SSLv3:AES128-GCM-SHA256</div>
<div>TLSv1/SSLv3:AES128-SHA256 TLSv1/SSLv3:AES128-SHA </div><div>TLSv1/SSLv3:SEED-SHA TLSv1/SSLv3:CAMELLIA128-SHA </div><div>TLSv1/SSLv3:PSK-AES128-CBC-SHA TLSv1/SSLv3:ECDHE-RSA-RC4-SHA </div>
<div>TLSv1/SSLv3:ECDHE-ECDSA-RC4-SHA TLSv1/SSLv3:ECDH-RSA-RC4-SHA </div><div>TLSv1/SSLv3:ECDH-ECDSA-RC4-SHA TLSv1/SSLv3:RC4-SHA </div><div>TLSv1/SSLv3:RC4-MD5 TLSv1/SSLv3:PSK-RC4-SHA </div>
<div>TLSv1/SSLv3:EDH-RSA-DES-CBC-SHA TLSv1/SSLv3:EDH-DSS-DES-CBC-SHA </div><div>TLSv1/SSLv3:DES-CBC-SHA TLSv1/SSLv3:EXP-EDH-RSA-DES-CBC-SHA </div><div>TLSv1/SSLv3:EXP-EDH-DSS-DES-CBC-SHA TLSv1/SSLv3:EXP-DES-CBC-SHA </div>
<div>TLSv1/SSLv3:EXP-RC2-CBC-MD5 TLSv1/SSLv3:EXP-RC4-MD5 </div><div>---</div><div>Ciphers common between both SSL end points:</div><div>ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA </div>
<div>DHE-DSS-CAMELLIA256-SHA DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA </div><div>ECDH-RSA-AES256-SHA ECDH-ECDSA-AES256-SHA CAMELLIA256-SHA </div><div>AES256-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-AES128-SHA </div>
<div>ECDHE-RSA-RC4-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA </div><div>DHE-DSS-CAMELLIA128-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA </div><div>ECDH-RSA-RC4-SHA ECDH-RSA-AES128-SHA ECDH-ECDSA-RC4-SHA </div>
<div>ECDH-ECDSA-AES128-SHA SEED-SHA CAMELLIA128-SHA </div><div>RC4-SHA RC4-MD5 AES128-SHA </div><div>ECDHE-ECDSA-DES-CBC3-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA </div>
<div>EDH-DSS-DES-CBC3-SHA ECDH-RSA-DES-CBC3-SHA ECDH-ECDSA-DES-CBC3-SHA </div><div>DES-CBC3-SHA</div><div>---</div><div>New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA</div><div>SSL-Session:</div><div> Protocol : TLSv1.1</div>
<div> Cipher : ECDHE-RSA-AES256-SHA</div><div> Session-ID: </div><div> Session-ID-ctx: 01000000</div><div> Master-Key: 9D707F79ED6FCF06935AAEC6C52E1E42642B2900EC790BC3BBC602F6DD19619220C3C800E173D75313D83DA6053E6786</div>
<div> Key-Arg : None</div><div> PSK identity: None</div><div> PSK identity hint: None</div><div> SRP username: None</div><div> Start Time: 1372085057</div><div> Timeout : 300 (sec)</div><div> Verify return code: 0 (ok)</div>
<div>---</div><div> 0 items in the session cache</div><div> 0 client connects (SSL_connect())</div><div> 0 client renegotiates (SSL_connect())</div><div> 0 client connects that finished</div><div> 1 server accepts (SSL_accept())</div>
<div> 0 server renegotiates (SSL_accept())</div><div> 1 server accepts that finished</div><div> 0 session cache hits</div><div> 1 session cache misses</div><div> 0 session cache timeouts</div><div> 0 callback cache hits</div>
<div> 0 cache full overflows (128 allowed)</div><div>---</div><div>no client certificate available</div><div><br></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jun 24, 2013 at 8:35 AM, Ingela Andin <span dir="ltr"><<a href="mailto:ingela.andin@gmail.com" target="_blank">ingela.andin@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi again,<br><div><div class="gmail_extra"><br><div class="gmail_quote"><div class="im">2013/6/23 Andrew Shu <span dir="ltr"><<a href="mailto:talklittle@gmail.com" target="_blank">talklittle@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>THANK YOU for posting this! This being my first time using Cowboy HTTPS and secure websockets, I was going crazy trying to figure out why SSL wasn't working via Chromium on Linux, while curl seemed to handle the self-signed certificates okay. It wouldn't have occurred to me that it could be an Erlang bug.</div>
<div><br></div><div>After reverting to R16B, and removing all traces of R16B01, everything seems to be working.</div><div>I wasted a lot of time swapping out SSL certificates to no avail. I think sticking with R16B is the best, or only, solution for now.<br>
</div><div><br></div><div>I had been getting a Chromium gray error screen with "ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED". Not the usual "this certificate is not trusted" red screen.</div><div>Firefox choked too. Curl seemed ok, strangely enough.</div>
<div><br></div></blockquote><div><br></div></div><div>OK, just to make sure, I ran an openssl client against the Erlang server too, with the Cowboy example (as you<br></div><div>try to connect to an Erlang server with other clients). This works too. So it seems openssl and curl can connect to the Erlang server but not Chromium and Firefox? And the connection fails because the client sends an alert. So at least this problem seems not to be related to ECDSA certificates (the missed TODO).<br>
</div><br></div><div class="gmail_quote">The other clients could also have issues with ECC cipher suites, you could try setting up an openssl server using <br><br></div>openssl s_server -accept 4433 -CAfile ca.crt -cert server.crt -key server.key<br>
<br></div><div class="gmail_extra">and try the clients to see if they can connect with ECC ciphers.<br><br></div><div class="gmail_extra">The following command must return elliptic curve cipher suites ECDH* ECDSA* <br>
</div><div class="gmail_extra"><br></div><div class="gmail_extra">> openssl ciphers <br><br><br></div><div class="im"><div class="gmail_extra">Regards, Ingela, Erlang/OTP team - Ericsson AB<br></div><div class="gmail_extra">
<br></div></div></div>
</div>
</blockquote></div><br></div>
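<p>Added example, not code from this thread and not part of Erlang/OTP, Cowboy or OpenSSL: a Python script that carries out the two checks Ingela suggests without a network. <code>local_ecc_ciphers()</code> asks the local OpenSSL build, through Python's <code>ssl</code> module, for the ECDH*/ECDSA* suites it can offer, the same question as <code>openssl ciphers ECDH</code>. <code>assess()</code> parses an <code>openssl s_server -www</code> status page the way a reviewer reads the one above: the "Ciphers common between both SSL end points" list is the intersection of what the client offered and what s_server supports, so it shows whether the client can negotiate ECC at all, and which of its offered suites are weak. <code>SAMPLE_DUMP</code> is a constructed, abbreviated copy of the dump quoted above; the weak-suite classification (RC4, 3DES, MD5, export and NULL suites) is my own assumption about current practice, not something the thread states.</p>

```python
"""Two offline checks for the ECC cipher-suite question raised in the thread.

local_ecc_ciphers()  ECDH*/ECDSA* suites the local OpenSSL build can offer, as seen
                     through Python's ssl module (like `openssl ciphers ECDH`)
assess()             read an `openssl s_server -www` status page and report which
                     suites the client offered, which are ECC, which are weak, and
                     what was negotiated
"""
import re
import ssl

# Constructed sample: an abbreviated copy of the s_server -www page quoted in the
# thread (only the common-cipher list and the session summary are kept).
SAMPLE_DUMP = """\
---
Ciphers common between both SSL end points:
ECDHE-ECDSA-AES256-SHA   ECDHE-RSA-AES256-SHA     DHE-RSA-CAMELLIA256-SHA
AES256-SHA               ECDHE-ECDSA-RC4-SHA      ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-RC4-SHA        ECDHE-RSA-AES128-SHA     ECDH-RSA-AES128-SHA
RC4-SHA                  RC4-MD5                  AES128-SHA
ECDHE-ECDSA-DES-CBC3-SHA ECDHE-RSA-DES-CBC3-SHA   DES-CBC3-SHA
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
---
no client certificate available
"""

# Assumption (mine, not the thread's): suites carrying these tokens are no longer
# acceptable: RC4, single and triple DES (DES-CBC3 is 3DES), MD5 MACs, export grades.
WEAK_TOKENS = ("RC4", "DES", "EXP", "MD5", "NULL")


def is_ecc(suite):
    """ECDHE-* and ECDH-* suites use an elliptic-curve key exchange."""
    return suite.startswith("ECDH")


def is_weak(suite):
    return any(tok in suite for tok in WEAK_TOKENS)


def parse_s_server_dump(text):
    """Return (common_suites, negotiated_cipher, protocol) from s_server -www output."""
    common, negotiated, protocol = [], None, None
    in_common = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Ciphers common between both SSL end points"):
            in_common = True
            continue
        if in_common:
            if line == "---":
                in_common = False
            else:
                common.extend(line.split())  # s_server prints the list in padded columns
            continue
        m = re.match(r"Cipher\s*:\s*(\S+)", line)
        if m:
            negotiated = m.group(1)
        m = re.match(r"Protocol\s*:\s*(\S+)", line)
        if m:
            protocol = m.group(1)
    return common, negotiated, protocol


def assess(text):
    """Summarise what the client offered and what the server picked."""
    common, negotiated, protocol = parse_s_server_dump(text)
    return {
        "common": len(common),
        "ecc_offered_by_client": [s for s in common if is_ecc(s)],
        "weak_common": [s for s in common if is_weak(s)],
        "negotiated": negotiated,
        "protocol": protocol,
        "negotiated_is_ecc": negotiated is not None and is_ecc(negotiated),
    }


def local_ecc_ciphers():
    """ECDH*/ECDSA* suite names the local OpenSSL build can offer (empty if none)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("ECDH")  # same selector string as `openssl ciphers ECDH`
    except ssl.SSLError:
        return []
    return sorted(c["name"] for c in ctx.get_ciphers() if is_ecc(c["name"]))


if __name__ == "__main__":
    print("local ECC suites:", ", ".join(local_ecc_ciphers()) or "(none)")
    for key, value in assess(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

<p>Run it as <code>python3 ecc_check.py</code>. On the quoted dump it reports that the client offered nine ECC suites and that the server negotiated ECDHE-RSA-AES256-SHA over TLS 1.1, which agrees with the thread's conclusion that the browser's ECC support is not the problem; it also flags the RC4 and 3DES suites in the common list, which a 2013-era browser still offered. Paste a fresh <code>s_server -www</code> page in place of <code>SAMPLE_DUMP</code> to check another client.</p>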