sneako / finch

Elixir HTTP client, focused on performance
MIT License

Connection close with TLSv1.3 after updating to Elixir 1.16 and OTP 26 #269

Closed isavita closed 6 months ago

isavita commented 6 months ago

We are experiencing an issue related to SSL and receiving a connection closed when using TLSv1.3. We are upgrading our application from Erlang 24.3.4.8 with Elixir 1.14.3 to Erlang 26.2.2 with Elixir 1.16.1. On our older version the service responds fine. When using TLSv1.2 on the newer upgrade that is also fine. It only seems to be a problem with TLSv1.3.

We are using the below, which shows the connection close response. We receive this for every request to the service. Other services which also use certificates are fine. This particular service was fine to connect to before the upgrade. It is also fine with TLSv1.2 with our upgrade.

{:ok, p} =
  Finch.start_link(
    name: MyFinch,
    pools: %{
      default: [
        conn_opts: [
          transport_opts: [
            verify: :verify_peer,
            cacertfile: "/path/to/ca.crt",
            certfile: "/path/to/cert.crt",
            keyfile: "/path/to/key.key",
            keep_secrets: true,
            versions: [:"tlsv1.3"],
            log_level: :debug
          ],
          ssl_key_log_file: "/var/log/ssl.log"
        ]
      ]
    }
  )

Finch.build(:get, "https://some-service.com", [], nil) |> Finch.request(MyFinch)
{:error, %Mint.TransportError{reason: :closed}}

When enabling low level logs, we can see a second handshake which has an empty certificate list.

>>> Handshake, Certificate
[{certificate_request_context,<<>>},{certificate_list,[]}]

We had a handshake before this which had certificates. The older version has certificates for both of the handshakes.

<<< Handshake, Certificate
[{certificate_request_context,<<>>},
  {certificate_list,
    [{certificate_entry,
      <<...

We have spent a lot of time considering the service and certificates, but we have no feedback that this is the problem. It was also fine before our upgrade using TLSv1.3, so this is very puzzling for us. Any help on how we can debug or solve this is much appreciated.

sneako commented 6 months ago

Interesting! This doesn't sound like something that would be happening in Finch itself to me, it seems more like something that would be happening in the erlang ssl module as I see Eric hinted at on the Mint issue. If you find that you can open this connection with both :ssl and Mint separately, just not through Finch, then I will be happy to reopen this issue.
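The isolation step the maintainer asks for, as an added example that is not part of the issue or of the Finch project: open the same TLS 1.3 client-certificate connection first with the raw Erlang :ssl module and then with Mint, using the transport options from the report, so the layer at which the :closed error first appears can be pinned down before involving Finch. The host, port and certificate paths are placeholders; the module name TlsIsolation and its functions are invented for this example.

```elixir
# Added example, not from the issue or the Finch project. Opens the same
# TLS 1.3 connection at the :ssl layer and at the Mint layer with identical
# transport options so a failure can be attributed to one layer.
# @host, @port and the certificate paths are placeholders.

defmodule TlsIsolation do
  @host "some-service.com"   # placeholder host, as in the issue
  @port 443

  # Same transport options the issue passes to Finch (paths are placeholders).
  def transport_opts do
    [
      verify: :verify_peer,
      cacertfile: "/path/to/ca.crt",
      certfile: "/path/to/cert.crt",
      keyfile: "/path/to/key.key",
      versions: [:"tlsv1.3"],
      server_name_indication: String.to_charlist(@host),
      log_level: :debug
    ]
  end

  # Layer 1: raw Erlang :ssl. A failure here rules out Mint and Finch.
  # On success, returns the negotiated protocol and cipher suite so the
  # TLS 1.3 negotiation itself can be confirmed.
  def check_ssl do
    with {:ok, sock} <- :ssl.connect(String.to_charlist(@host), @port, transport_opts(), 5_000),
         {:ok, info} <- :ssl.connection_information(sock, [:protocol, :selected_cipher_suite]) do
      :ssl.close(sock)
      {:ok, info}
    end
  end

  # Layer 2: Mint, which Finch builds on. Sends one GET and waits for the
  # response status. Mint returns {:error, conn, reason} on failure, which
  # the `with` passes through unchanged.
  def check_mint do
    with {:ok, conn} <- Mint.HTTP.connect(:https, @host, @port, transport_opts: transport_opts()),
         {:ok, conn, ref} <- Mint.HTTP.request(conn, "GET", "/", [], nil) do
      recv_status(conn, ref)
    end
  end

  # Feed socket messages to Mint until the :status response for our request
  # arrives, or report the transport error that closed the connection.
  defp recv_status(conn, ref) do
    receive do
      msg ->
        case Mint.HTTP.stream(conn, msg) do
          {:ok, conn, responses} ->
            case Enum.find(responses, &match?({:status, ^ref, _}, &1)) do
              {:status, ^ref, status} ->
                Mint.HTTP.close(conn)
                {:ok, status}

              nil ->
                recv_status(conn, ref)
            end

          {:error, _conn, reason, _responses} ->
            {:error, reason}

          :unknown ->
            recv_status(conn, ref)
        end
    after
      5_000 -> {:error, :timeout}
    end
  end

  # Run both layers; the first one to report an error is where to look.
  def run do
    IO.inspect(check_ssl(), label: ":ssl direct")
    IO.inspect(check_mint(), label: "Mint direct")
  end
end

TlsIsolation.run()
```

If `check_ssl/0` already returns a transport error, the behaviour is in the OTP ssl application or the server's handling of the client certificate under TLS 1.3, and neither Mint nor Finch can change it; if `:ssl` succeeds and `check_mint/0` fails, the Mint issue is the right place for the report. Running the same script on the old and the new OTP release, with `log_level: :debug` left on, also makes the two handshake traces directly comparable.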