ninenines / cowboy

Small, fast, modern HTTP server for Erlang/OTP.
https://ninenines.eu
ISC License

Add proper HTTP/2 TLS configuration by default in cowboy:start_tls #1332

Open casillic opened 5 years ago

casillic commented 5 years ago

I'm trying to avoid the ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY error in Chrome, so I have to provide cipher information. I'm sure I'm probably doing something wrong, so apologies in advance. When I try to use {ecdhe_rsa,aes_128_gcm,aead,sha256} in the ciphers list I get the following error:

=INFO REPORT==== 1-Nov-2018::08:43:37.140023 ===
TLS server: In state cipher at ssl_connection.erl:1148 generated SERVER ALERT: Fatal - Unexpected Message - {unexpected_msg,{alert,2,20,
                       {"ssl_cipher.erl",289},
                       undefined,decryption_failed}}

I have tried all kinds of different ciphers and still can't get it to work. I've avoided the blacklisted ones too. I understand this may not be a Cowboy issue, but I'm not sure. It appears Erlang ssl is now using maps for cipher_suites but can convert them to tuples via ssl_cipher_format:erl_suite_definition/1 (it seems some mismatch is possible here). I also asked the question on Stack Overflow here:

https://stackoverflow.com/questions/53086676/cowboy-webserver-using-http2-and-tls-getting-err-spdy-inadequate-transport-secur

What ciphers are recommended for use with HTTP/2, specifically for Chrome with Cowboy, and how exactly should they be entered (tuples / strings / maps)? Thanks!

essen commented 5 years ago

It's something that Cowboy should do by default, but I haven't gotten around to it yet, so I have not really learned how to configure it properly for browsers.

That message sounds like a recent bug in ssl, though; are you on the latest patch release?

casillic commented 5 years ago

Yeah, I've updated to the latest of everything: OpenSSL, Erlang/OTP, and I even went to Cowboy 2.5. Is there a way to turn off HTTP/2 in Cowboy? It works fine in Firefox if I force HTTP/2 off. We apparently can't do that in Chrome anymore. It would be a temporary fix until this is figured out / resolved. Thanks again!

essen commented 5 years ago

You'll need to call ranch:start_listener/5 directly and not provide the ALPN options.
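Added example (not Cowboy's own code, nor anything posted in this thread) tying together the two questions above: which cipher suites to hand to ssl for HTTP/2 and in what format, and how to start a TLS listener without ALPN so HTTP/2 is never negotiated. It assumes Cowboy 2.5 with Ranch 1.6 on OTP 21, where ssl:cipher_suites/2 returns suites as maps and the `ciphers` socket option accepts that map form directly. The certificate paths are placeholders, the module name and handler are invented for the illustration, and the `connection_type => supervisor` setting mirrors what cowboy:start_tls is assumed to add for this Cowboy version.

```erlang
%% h2_tls_example.erl -- added illustration, not Cowboy's own code.
-module(h2_tls_example).
-export([http2_ciphers/0, start_https/1, start_https_no_h2/1, init/2]).

%% Placeholder paths: point them at a real certificate and private key.
-define(CERTFILE, "/path/to/placeholder/cert.pem").
-define(KEYFILE,  "/path/to/placeholder/key.pem").

%% Select the TLS 1.2 suites that RFC 7540 Section 9.2.2 / Appendix A
%% leave usable for HTTP/2: ephemeral ECDHE key exchange with an AEAD
%% cipher. Each entry is the map form returned by ssl:cipher_suites/2,
%% which is the format the `ciphers' socket option takes on OTP 21.
http2_ciphers() ->
    [Suite || Suite = #{key_exchange := Kx, cipher := Cipher, mac := aead}
                  <- ssl:cipher_suites(default, 'tlsv1.2'),
              lists:member(Kx, [ecdhe_ecdsa, ecdhe_rsa]),
              lists:member(Cipher, [aes_128_gcm, aes_256_gcm, chacha20_poly1305])].

%% Socket options shared by both listeners below.
socket_opts(Port) ->
    [{port, Port},
     {certfile, ?CERTFILE},
     {keyfile, ?KEYFILE},
     {versions, ['tlsv1.2']},        %% HTTP/2 requires TLS 1.2 or later
     {ciphers, http2_ciphers()},
     {honor_cipher_order, true}].    %% server picks from its own ordered list

%% Protocol options: one catch-all route served by this module.
proto_opts() ->
    Dispatch = cowboy_router:compile([{'_', [{"/", ?MODULE, []}]}]),
    #{env => #{dispatch => Dispatch}}.

%% HTTPS with HTTP/2 negotiated via ALPN: cowboy:start_tls adds the
%% alpn_preferred_protocols option for <<"h2">> and <<"http/1.1">> itself,
%% so only the cipher configuration needs to be supplied here.
start_https(Port) ->
    cowboy:start_tls(https, socket_opts(Port), proto_opts()).

%% HTTPS restricted to HTTP/1.1: call ranch:start_listener/5 directly with
%% the same transport and protocol modules cowboy:start_tls uses, but
%% without any ALPN socket options, so the client cannot select h2.
start_https_no_h2(Port) ->
    TransOpts = #{connection_type => supervisor,
                  socket_opts => socket_opts(Port)},
    ProtoOpts = maps:put(connection_type, supervisor, proto_opts()),
    ranch:start_listener(https, ranch_ssl, TransOpts, cowboy_tls, ProtoOpts).

%% Minimal request handler so the module is self-contained.
init(Req0, State) ->
    Req = cowboy_req:reply(200, #{<<"content-type">> => <<"text/plain">>},
                           <<"hello over TLS\n">>, Req0),
    {ok, Req, State}.
```

Calling `h2_tls_example:http2_ciphers()` in a shell shows which of the filtered suites the local OpenSSL actually provides; if the list is empty, the build lacks the GCM/ChaCha20 suites browsers require and no listener configuration will satisfy Chrome. `start_https/1` is the normal path; `start_https_no_h2/1` is the temporary workaround the reply above describes.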

essen commented 5 years ago

One problem with providing this configuration by default is that it ties the Cowboy version to a specific security level, and would require updating Cowboy to account for security recommendation changes like new ciphers, new banned ciphers and so on.

I think a better idea would be either to just document the procedure (https://github.com/ninenines/cowboy/issues/1090), because it can be done in a time-independent manner (you document how to find out which ciphers you should enable/disable, not the ciphers themselves), or to provide a small library which can be used and updated independently, similar to what certifi is doing for HTTP clients.