erlyaws / yaws

Yaws webserver
https://erlyaws.github.io
BSD 3-Clause "New" or "Revised" License

tlsv1.3-only server #440

Closed baryluk closed 2 years ago

baryluk commented 2 years ago

When having just tlsv1.3, yaws fails to start:

    <ssl>
        ...
        protocol_version = tlsv1.3
    </ssl>

And the crash:

=ERROR REPORT==== 27-Nov-2021::23:46:22.989082 ===
Yaws: Failed to listen :::19443  : {error,
                                    {options,dependency,
                                     {secure_renegotiate,
                                      {versions,
                                       [tlsv1,'tlsv1.1','tlsv1.2']}}}}

=ERROR REPORT==== 27-Nov-2021::23:46:22.993069 ===
Can't listen to socket: {error,
                            {options,dependency,
                                {secure_renegotiate,
                                    {versions,[tlsv1,'tlsv1.1','tlsv1.2']}}}} 
=SUPERVISOR REPORT==== 27-Nov-2021::23:46:22.993261 ===
    supervisor: {local,yaws_sup}
    errorContext: start_error
    reason: {badbind,[{yaws_server,start_group,2,
                                   [{file,"yaws_server.erl"},{line,255}]},
                      {lists,filtermap,2,[{file,"lists.erl"},{line,1321}]},
                      {yaws_server,init2,5,
                                   [{file,"yaws_server.erl"},{line,239}]},
                      {gen_server,init_it,2,
                                  [{file,"gen_server.erl"},{line,417}]},
                      {gen_server,init_it,6,
                                  [{file,"gen_server.erl"},{line,385}]},
                      {proc_lib,init_p_do_apply,3,
                                [{file,"proc_lib.erl"},{line,226}]}]}
    offender: [{pid,undefined},
               {id,yaws_server},
               {mfargs,
                   {yaws_server,start_link,
                       [{env,false,false,false,false,false,false,"default",
                            latin1}]}},
               {restart_type,permanent},
               {shutdown,120000},
               {child_type,worker}]

Setting secure_renegotiation to true or false does not help.

yaws 2.1.0, Erlang 23.2.6, Debian Linux stable, amd64

BTW:

                protocol_version = tlsv1.3, tlsv1.2

works.

vinoski commented 2 years ago

Yaws unconditionally sets two SSL config options in its ssl record whether or not they're set in yaws.conf:

Unfortunately these settings are not valid for TLSv1.3, and the crash occurs when Yaws passes them to ssl:listen along with tlsv1.3. Including tlsv1.2 is enough to make them valid, which is why it works when you specify both. Also unfortunately, short of editing yaws.hrl and rebuilding there's currently no way to set them to undefined, which makes ssl:listen happy.

Thanks for reporting this. I'll work on a fix.
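The option dependency described above, as an added Erlang example that is not Yaws's own code: a hypothetical helper (`listen_opts/2`) that leaves `secure_renegotiate` out of the `ssl:listen` options whenever the configured version list is TLS 1.3 only, next to a reproduction that passes the unfiltered list. Only `secure_renegotiate` is taken from the issue's error report; `CertOpts` is assumed to be the usual certfile/keyfile pair.

```erlang
%% Added example, not part of Yaws. Demonstrates the
%% {options,dependency,{secure_renegotiate,{versions,...}}} error from
%% the issue and one way to avoid it: omit the option entirely when
%% only TLS 1.3 is configured (TLS 1.3 has no renegotiation).
-module(tls13_opts).
-export([listen_opts/2, try_listen/2]).

%% Options Erlang's ssl accepts only alongside a pre-1.3 version.
%% Only secure_renegotiate is evidenced by the issue's error report.
-define(PRE_TLS13_ONLY, [secure_renegotiate]).

%% Build the option list for ssl:listen/2. Versions is the configured
%% list, e.g. ['tlsv1.3'] or ['tlsv1.3','tlsv1.2']; CertOpts is
%% assumed to be [{certfile, ...}, {keyfile, ...}].
listen_opts(Versions, CertOpts) ->
    Base = [{versions, Versions}, {secure_renegotiate, true} | CertOpts],
    case lists:all(fun(V) -> V =:= 'tlsv1.3' end, Versions) of
        true ->
            %% Drop the option rather than hand ssl:listen a setting it
            %% cannot honour for a TLS 1.3-only listener.
            [Opt || Opt <- Base, not pre_tls13_only(Opt)];
        false ->
            Base
    end.

pre_tls13_only({Key, _}) -> lists:member(Key, ?PRE_TLS13_ONLY);
pre_tls13_only(Key) when is_atom(Key) -> lists:member(Key, ?PRE_TLS13_ONLY).

%% Listen twice on Port: once with the unfiltered options (expected to
%% return the dependency error seen in the report on OTP 23) and once
%% with the filtered ones. Returns {UnfilteredResult, FilteredResult}.
try_listen(Port, CertOpts) ->
    ssl:start(),
    Bad  = [{versions, ['tlsv1.3']}, {secure_renegotiate, true} | CertOpts],
    Good = listen_opts(['tlsv1.3'], CertOpts),
    {listen(Port, Bad), listen(Port, Good)}.

listen(Port, Opts) ->
    case ssl:listen(Port, Opts) of
        {ok, LSock}     -> ssl:close(LSock), ok;
        {error, Reason} -> {error, Reason}
    end.
```

Call `tls13_opts:try_listen(0, CertOpts)` in an Erlang shell to compare the two outcomes; port 0 lets the OS pick a free port so the check does not collide with a running Yaws.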

vinoski commented 2 years ago

I have a fix but am still working on regression tests. I can post a branch without the tests if you want to try it @baryluk , just let me know.

baryluk commented 2 years ago

I can test it locally. But otherwise no hurry about it.

vinoski commented 2 years ago

OK, thanks, I'll finish the tests and push a branch. I'm curious if my changes will also fix the other related issue you raised.

vinoski commented 2 years ago

@baryluk if and when you get a chance, if you could test your setup with the fix-440 branch, that would be great.

vinoski commented 2 years ago

I've gone ahead and merged this. If there are problems with it that I'm not currently detecting, we can fix them later.