Additional SSL options are being discarded ... #105

CharlesOkwuagwu opened this issue Feb 10, 2021 · 1 comment
@CharlesOkwuagwu

CharlesOkwuagwu commented Feb 10, 2021

There are several optional settings that could be passed along to the underlying Erlang ssl system:

https://elixirforum.com/t/making-ssl-tests-all-pass-for-phoenix-lets-encrypt/3507/15

https: [
    port: System.get_env("APP_HTTPS_PORT") || "${APP_HTTPS_PORT}",
    keyfile: System.get_env("APP_SSL_KEY_PATH") || "${APP_SSL_KEY_PATH}",
    certfile: System.get_env("APP_SSL_CERT_PATH") || "${APP_SSL_CERT_PATH}",
    cacertfile: System.get_env("APP_SSL_INTERMEDIATE_CERT_PATH") || "${APP_SSL_INTERMEDIATE_CERT_PATH}",
    dhfile: System.get_env("APP_SSL_DHPARAMS_PATH") || "${APP_SSL_DHPARAMS_PATH}",
    versions: [:'tlsv1.2'],
    ciphers: ~w(
      ECDHE-ECDSA-AES128-GCM-SHA256
      ECDHE-ECDSA-AES256-GCM-SHA384
      ECDHE-ECDSA-AES128-SHA
      ECDHE-ECDSA-AES256-SHA
      ECDHE-ECDSA-AES128-SHA256
      ECDHE-ECDSA-AES256-SHA384
      ECDHE-RSA-AES128-GCM-SHA256
      ECDHE-RSA-AES256-GCM-SHA384
      ECDHE-RSA-AES128-SHA
      ECDHE-RSA-AES256-SHA
      ECDHE-RSA-AES128-SHA256
      ECDHE-RSA-AES256-SHA384
      DHE-RSA-AES128-GCM-SHA256
      DHE-RSA-AES256-GCM-SHA384
      DHE-RSA-AES128-SHA
      DHE-RSA-AES256-SHA
      DHE-RSA-AES128-SHA256
      DHE-RSA-AES256-SHA256
    )c,
    secure_renegotiate: true,
    client_renegotiation: false,
    reuse_sessions: true,
    honor_cipher_order: true,
    max_connections: :infinity
  ],

Elli discards the rest of the Opts and only keeps two:

elli/src/elli.erl

Lines 135 to 137 in d22bc09

SSLSockOpts = ?IF(UseSSL,
                  [{keyfile, KeyFile}, {certfile, CertFile}],
                  []),

I suggest we pass through all additional params set by the user.

This PR attempts to fix: #106

Regards.
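
An added example, not Elli's code and not the change in the linked PR: one way to pass user-supplied TLS options through to the socket instead of keeping only keyfile and certfile, plus a helper that lists which configured options the two-key form quoted above would leave out. The module name, function names and the listener-only key list are assumptions made for this sketch.

```erlang
-module(ssl_opts_example).
-export([ssl_sock_opts/2, discarded_by_two_key_form/1, demo/0]).

%% Keys that configure the listener rather than the TLS socket.
%% Assumed for this example; not taken from Elli's source.
-define(NON_SSL_KEYS, [port, ssl, callback, callback_args]).

%% Build the option list for the TLS listen socket (e.g. ssl:listen/2).
%% keyfile and certfile are required when SSL is on; every other
%% {Key, Value} option supplied by the user (versions, ciphers,
%% honor_cipher_order, ...) is passed through instead of being dropped.
%% Entries that are not 2-tuples are skipped by the generator pattern.
-spec ssl_sock_opts(boolean(), proplists:proplist()) -> proplists:proplist().
ssl_sock_opts(false, _Opts) ->
    [];
ssl_sock_opts(true, Opts) ->
    KeyFile = required(keyfile, Opts),
    CertFile = required(certfile, Opts),
    Extra = [O || {K, _} = O <- Opts,
                  not lists:member(K, [keyfile, certfile | ?NON_SSL_KEYS])],
    [{keyfile, KeyFile}, {certfile, CertFile} | Extra].

%% Fail loudly rather than start a TLS listener without key material.
required(Key, Opts) ->
    case proplists:get_value(Key, Opts) of
        undefined -> erlang:error({missing_ssl_option, Key});
        Value -> Value
    end.

%% Keys the user configured that a [{keyfile, _}, {certfile, _}]-only
%% list would never hand to the socket. Useful as a startup check or
%% log line so silently ignored hardening settings become visible.
-spec discarded_by_two_key_form(proplists:proplist()) -> [atom()].
discarded_by_two_key_form(Opts) ->
    [K || {K, _} <- ssl_sock_opts(true, Opts),
          K =/= keyfile, K =/= certfile].

%% Constructed sample configuration (paths are placeholders).
demo() ->
    Opts = [{port, 8443}, {ssl, true},
            {keyfile, "priv/key.pem"}, {certfile, "priv/cert.pem"},
            {versions, ['tlsv1.2']},
            {honor_cipher_order, true},
            {client_renegotiation, false}],
    {ssl_sock_opts(true, Opts), discarded_by_two_key_form(Opts)}.
```

For the sample configuration, the second element of the tuple returned by `demo/0` names the protocol-version, cipher-order and renegotiation settings that would otherwise fall back to the OTP defaults.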

@yurrriq
Member

yurrriq commented Feb 10, 2021

Thanks for the report, and the PR!
