Open casillic opened 5 years ago
It's something that Cowboy should do by default but I didn't get around to it yet, so I have not really learned how to configure it properly for browsers.
That message sounds like a recent bug in ssl though, are you on the latest patch release?
Yeah, I've updated to the latest of everything: OpenSSL, Erlang/OTP, even went to Cowboy 2.5. Is there a way to turn off HTTP/2 in Cowboy? It works fine in Firefox if I force HTTP/2 off. We apparently can't not do that in Chrome anymore. It would be a temporary fix until this is figured out / resolved. Thanks again!
You'll need to call ranch:start_listener/5 directly and not provide the ALPN options.
One problem with providing this configuration by default is that it ties the Cowboy version to a specific security level, and would require updating Cowboy to account for security recommendation changes like new ciphers, new banned ciphers and so on.
I think a better idea would be either to just document the procedure https://github.com/ninenines/cowboy/issues/1090 because it can be done in a time-independent manner (you document how to find out which ciphers you should enable/disable, not them directly), or provide a small library which can be used and updated independently, similar to what certifi is doing for HTTP clients.
I'm trying to avoid the ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY in Chrome so having to provide ciphers information. I'm sure I'm probably doing something wrong so apologies in advance. When I try to use {ecdhe_rsa,aes_128_gcm,aead,sha256} in the ciphers list I get the following error
I have tried all kinds of different ciphers and still can't get it to work. I've avoided the blacklisted ones too. I understand this may not be a Cowboy issue but not sure. It appears Erlang ssl is now using maps for cipher_suites but can convert to tuple via ssl_cipher_format:erl_suite_definition/1 (seems some mismatch is possible here). Also asked the question on Stack Overflow here:
https://stackoverflow.com/questions/53086676/cowboy-webserver-using-http2-and-tls-getting-err-spdy-inadequate-transport-secur
What ciphers are recommended for using with HTTP2 specifically for Chrome with Cowboy, and how specifically should they be entered (tuples / strings / maps)? Thanks!
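Added example, not part of the thread and not code from the Cowboy project: one way to build the ciphers option by rule rather than by hard-coded list, keeping only suites with an ephemeral key exchange and an AEAD cipher, which is the requirement RFC 7540 (section 9.2.2 and Appendix A) places on HTTP/2 over TLS 1.2. It assumes OTP 20.3 or later (for ssl:cipher_suites/2 and ssl:filter_cipher_suites/2, which work on the map format); the module name, listener name, port and certificate paths are placeholders.

```erlang
-module(h2_tls_example).
-export([h2_ciphers/0, start/0]).

%% Suites acceptable for HTTP/2 over TLS 1.2: ephemeral (EC)DHE key
%% exchange combined with an AEAD cipher. Filtering the runtime's own
%% default list means the result follows the installed OTP release
%% instead of freezing a list of names in application code.
h2_ciphers() ->
    Ephemeral = fun(Kex) ->
        lists:member(Kex, [ecdhe_ecdsa, ecdhe_rsa, dhe_rsa])
    end,
    %% AEAD suites (GCM, ChaCha20-Poly1305) carry mac => aead in the map.
    Aead = fun(Mac) -> Mac =:= aead end,
    ssl:filter_cipher_suites(
        ssl:cipher_suites(default, 'tlsv1.2'),
        [{key_exchange, Ephemeral}, {mac, Aead}]).

start() ->
    {ok, _} = application:ensure_all_started(cowboy),
    %% Assumption: empty routing table; use the application's own routes.
    Dispatch = cowboy_router:compile([{'_', []}]),
    cowboy:start_tls(example_https,
        [{port, 8443},                          % placeholder port
         {certfile, "priv/ssl/server.crt"},     % placeholder path
         {keyfile, "priv/ssl/server.key"},      % placeholder path
         {versions, ['tlsv1.2']},
         {ciphers, h2_ciphers()}],
        #{env => #{dispatch => Dispatch}}).
```

Calling h2_tls_example:h2_ciphers() in a shell prints the resulting maps, which shows exactly which suites the installed OTP release will offer.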