Cowboy 2.9.0 with Ranch 1.8.0 fails when use TLS 1.3 #1579

shapovalovts · 2022-08-19T14:20:29Z

I use Cowboy 2.9.0, which pulls Ranch 1.8.0. I tried to move recently from TLS 1.2 to 1.3 and the code fails here:

** {{case_clause,
     {error,
      {shutdown,
       {failed_to_start_child,wm_http,
        {{badmatch,
          {error,
           {{shutdown,
             {failed_to_start_child,ranch_acceptors_sup,
              {listen_error,https,
               {options,dependency,
                {next_protocols_advertised,
                 {versions,[tlsv1,'tlsv1.1','tlsv1.2']}}}}}},
            {child,undefined,
             {ranch_listener_sup,https},
             {ranch_listener_sup,start_link,
              [https,ranch_ssl,
               #{connection_type => supervisor,
                 socket_opts =>
                  [{next_protocols_advertised,[<<"h2">>,<<"http/1.1">>]},
                   {alpn_preferred_protocols,[<<"h2">>,<<"http/1.1">>]},
                   {port,8443},
                   {depth,99},
                   {verify,verify_peer},
                   {versions,['tlsv1.3']},
                   {fail_if_no_peer_cert,true},
                   {partial_chain,#Fun<wm_http.1.66849891>},
                   {cacertfile,"/opt/swm/spool/secure/cluster/cert.pem"},
                   {certfile,"/opt/swm/spool/secure/node/cert.pem"},
                   {keyfile,"/opt/swm/spool/secure/node/key.pem"}]},
               cowboy_tls,
               #{connection_type => supervisor,
                 env => #{dispatch => [{'_',[],[{[],[],wm_http_top,[]}]}]},
                 onresponse => #Fun<wm_http.2.66849891>}]},
             permanent,false,infinity,supervisor,
             [ranch_listener_sup]}}}},

Maybe I miss something, but it just works perfectly with TLS 1.2. The way I start Cowboy process:

      {ok, Result} =                                                                                                                      
          cowboy:start_tls(https,                                                                                                         
                           [{port, Port},                                                                                                 
                            {depth, 99},                                                                                                  
                            {verify, verify_peer},                                                                                        
                            {versions, ['tlsv1.3']},                              
                            {fail_if_no_peer_cert, true},                                                                                 
                            {partial_chain, PartChain},                                                                                   
                            {cacertfile, CaFile},                                                                                             
                            {certfile, CertFile},                                                                                             
                            {keyfile, KeyFile}],                                                                                              
                           #{env => #{dispatch => Dispatch}, onresponse => fun error_hook/4}),

The text was updated successfully, but these errors were encountered:

essen · 2022-08-20T07:58:41Z

That's because the option next_protocols_advertised does not work with TLS 1.3, it was replaced with ALPN. So Cowboy needs to filter it out if the version configured is only TLS 1.3.

For the time being you can take this function add it to your code and remove the NPN line and it should work: https://github.com/ninenines/cowboy/blob/master/src/cowboy.erl#L53-L62

I will do a maintenance release sometimes in September, when I get back from holidays.

shapovalovts · 2022-08-21T08:53:49Z

Thank you! As a workaround I temporally added tlsv1.2 to the versions parameter and will wait for your maintenance release. But I am curios what line is NPN line there? Is it {next_protocols_advertised, [<<"h2">>, <<"http/1.1">>]},?

essen · 2022-08-21T12:46:12Z

Yes this is the option for the NPN extension.

essen · 2023-11-23T12:12:14Z

I will remove the old NPN option entirely in the next release.

JeppeTh · 2023-12-07T10:55:40Z

Same issue exists also for client_preferred_next_protocols in Gun unless you already realized that.

essen · 2023-12-07T11:50:12Z

Please open a ticket in Gun.

essen · 2023-12-19T11:20:28Z

The option was removed in the merged PR. Gun will see the same treatment later on. Closing, thanks!

essen added this to the 2.11 milestone Nov 23, 2023

zuiderkwast mentioned this issue Dec 18, 2023

Support allowing TLS 1.3 only #1621

Closed

essen closed this as completed Dec 19, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cowboy 2.9.0 with Ranch 1.8.0 fails when use TLS 1.3 #1579

Cowboy 2.9.0 with Ranch 1.8.0 fails when use TLS 1.3 #1579

shapovalovts commented Aug 19, 2022

essen commented Aug 20, 2022

shapovalovts commented Aug 21, 2022

essen commented Aug 21, 2022

essen commented Nov 23, 2023

JeppeTh commented Dec 7, 2023

essen commented Dec 7, 2023

essen commented Dec 19, 2023

Cowboy 2.9.0 with Ranch 1.8.0 fails when use TLS 1.3 #1579

Cowboy 2.9.0 with Ranch 1.8.0 fails when use TLS 1.3 #1579

Comments

shapovalovts commented Aug 19, 2022

essen commented Aug 20, 2022

shapovalovts commented Aug 21, 2022

essen commented Aug 21, 2022

essen commented Nov 23, 2023

JeppeTh commented Dec 7, 2023

essen commented Dec 7, 2023

essen commented Dec 19, 2023