Cowboy Webserver using HTTP2 and TLS getting ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY in Chrome
I'm using Erlang OTP 21 and Cowboy 2.4. Code:

cowboy:start_tls(
    my_listener,
    [
        {port, Web_Server_Port},
        {certfile, Cert_File},
        {keyfile, Key_File}
    ],
    #{env => #{dispatch => dispatcher()}}
)

I'm using this to start the web server, which works fine on HTTP/1.1, but now Chrome is using HTTP/2 and that can't be disabled. So now I'm receiving:

ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY

I also experience a similar problem in Firefox with HTTP/2 enabled:

Error code: NS_ERROR_NET_INADEQUATE_SECURITY

but on Firefox I can disable HTTP/2. It works fine when HTTP/2 is disabled. I have verified my certificate is good and I get the green lock under HTTP/1.1. I have read that HTTP/2 is stricter with the ciphers that are used and the order they appear in.

Fixing ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY SSL error in Chrome: https://www.jeffgeerling.com/blog/2016/fixing-errspdyinadequatetransportsecurity-ssl-error-chrome. But I'm not sure if that is the problem.

I'm not sure what ciphers to use, and also not exactly sure how to indicate their use in Cowboy. I have tried adding a ciphers option to the options, but this doesn't correct the problem:

{ciphers, [
    {ecdhe_ecdsa,aes_256_cbc,sha384,sha384},
    {ecdhe_rsa,aes_256_cbc,sha384,sha384},
    {ecdh_ecdsa,aes_256_cbc,sha384,sha384},
    {ecdh_rsa,aes_256_cbc,sha384,sha384},
    {dhe_rsa,aes_256_cbc,sha256},
    {dhe_dss,aes_256_cbc,sha256},
    {ecdhe_ecdsa,aes_256_cbc,sha},
    {ecdhe_rsa,aes_256_cbc,sha},
    {dhe_rsa,aes_256_cbc,sha},
    {dhe_dss,aes_256_cbc,sha},
    {ecdh_ecdsa,aes_256_cbc,sha},
    {ecdh_rsa,aes_256_cbc,sha},
    {ecdhe_rsa,aes_128_cbc,sha},
    {dhe_rsa,aes_128_cbc,sha},
    {dhe_dss,aes_128_cbc,sha},
    {ecdh_ecdsa,aes_128_cbc,sha},
    {ecdh_rsa,aes_128_cbc,sha}
]}

Any suggestions on what I'm doing wrong here?

Godly answered 31/10, 2018 at 15:14

HTTP/2 forbids the use of old ciphers including all the CBC ciphers you have listed.

Enable some GCM ciphers like this, which should be accepted by most browsers:

{ciphers, ["ECDHE-RSA-AES256-GCM-SHA384"]}

Though by default it should allow these.

See here for more information: http://ezgr.net/increasing-security-erlang-ssl-cowboy/

Eberhardt answered 31/10, 2018 at 17:26

Comments:

Godly: I tried adding that exact cipher string and I get this error message in the console:
=INFO REPORT==== 31-Oct-2018::14:29:41.874434 === TLS server: In state cipher at ssl_connection.erl:1215 generated SERVER ALERT: Fatal - Unexpected Message - {unexpected_msg,{alert,2,20, {"ssl_cipher.erl",308}, undefined,decryption_failed}}

Eberhardt: Which version of OpenSSL are you using?

Godly: It was an older version. I updated to OpenSSL 1.0.2p 14 Aug 2018 and still get the same error message. It appears they are converting the cipher_suites to maps, e.g. #{cipher => aes_256_gcm,key_exchange => ecdhe_rsa,mac => aead,prf => sha384}, and there is a function to convert to a string, e.g. ssl:suite_to_str(#{cipher => aes_256_gcm,key_exchange => ecdhe_rsa,mac => aead,prf => sha384}), which results in "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", but that is not accepted either... thoughts??

Eberhardt: What about removing the ciphers config now you've updated OpenSSL? Though are you sure Erlang/Cowboy is using that updated config? Also, have you tried the Cowboy config in the last link I gave in my answer?

Godly: I tried removing the cipher list now. Back to the original problem. I've also tried to use the Cowboy config from the article you provided. That results in:
=INFO REPORT==== 31-Oct-2018::16:47:29.290835 === TLS server: In state cipher at ssl_connection.erl:1215 generated SERVER ALERT: Fatal - Unexpected Message - {unexpected_msg,{alert,2,20, {"ssl_cipher.erl",308}, undefined,decryption_failed}}

Eberhardt: Sounds to me like Erlang/Cowboy is not using the updated OpenSSL you have installed. What version was it initially?

Godly: It was originally this version: LibreSSL 2.6.4 built on: date not available platform: information not available options: bn(64,64) rc4(ptr,int) des(idx,cisc,16,int) blowfish(idx) compiler: information not available OPENSSLDIR: "/private/etc/ssl"
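The answer's point (HTTP/2 clients reject CBC and non-ephemeral suites, so the listener must offer AEAD suites) can be applied without hand-writing cipher tuples. The following is an added example, not code from the question or the answer: it filters the OTP 21 cipher-suite maps mentioned in the comments down to ECDHE + AEAD suites and passes them to cowboy:start_tls. The module name h2_tls, the handler hello_h and the listener name my_listener are assumptions; TLS is pinned to 1.2 because OTP 21 has no TLS 1.3 support.

```erlang
%% Added example (not the question's or answer's own code).
%% Builds a cipher list that HTTP/2 clients accept: ephemeral ECDHE key
%% exchange plus an AEAD cipher (GCM or ChaCha20-Poly1305). CBC, static
%% ECDH/RSA and DHE suites are dropped, which is what Chrome's
%% ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY is complaining about.
-module(h2_tls).
-export([start/3, h2_ciphers/0]).

%% ssl:cipher_suites/2 returns the OTP 21 map form
%% (#{key_exchange := _, cipher := _, mac := _, prf := _}), so the same
%% maps can be handed straight back in the {ciphers, ...} option.
h2_ciphers() ->
    [S || S = #{key_exchange := Kx, cipher := C}
              <- ssl:cipher_suites(default, 'tlsv1.2'),
          lists:member(Kx, [ecdhe_rsa, ecdhe_ecdsa]),
          lists:member(C, [aes_128_gcm, aes_256_gcm, chacha20_poly1305])].

%% Start the TLS listener. cowboy:start_tls/3 itself adds the ALPN
%% option advertising h2 and http/1.1, so only the TLS parameters that
%% decide "adequate transport security" are set here.
start(Port, CertFile, KeyFile) ->
    %% hello_h is a placeholder handler module (assumption).
    Dispatch = cowboy_router:compile([{'_', [{"/", hello_h, []}]}]),
    cowboy:start_tls(my_listener,
        [{port, Port},
         {certfile, CertFile},
         {keyfile, KeyFile},
         {versions, ['tlsv1.2']},        % OTP 21: TLS 1.2 only
         {ciphers, h2_ciphers()},        % AEAD + ECDHE only
         {honor_cipher_order, true},     % server picks from its own order
         {eccs, [secp256r1, secp384r1]}],% curves browsers negotiate for ECDHE
        #{env => #{dispatch => Dispatch}}).
```

Calling h2_tls:h2_ciphers() in a shell shows which suites survive the filter; if the list is empty, the crypto library Erlang was linked against lacks GCM support, which matches the LibreSSL symptom discussed in the comments.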
