Hi,
We recently ran into a case upon upgrading to OTP R25 where we were unable to establish TLS connectivity to certain addresses. Eventually we tracked the issue down to a proxy/middle-box that objected to some of the newer ciphers in the client hello message. I would imagine that we are not the first people to run into this problem.
I am aware you can specify the acceptable ciphers as options in the ssl:connect function, but that is often difficult when a third-party library is in the way.
My proposal is that the developer should be allowed to select the ciphers we wish to support:

- On start-up via an application argument that specifies a filename of permitted ciphers, for example:
  `-ssl allowed_ciphers_filename "priv/ciphers.dat"`
- Programmatically, via `ssl:allowed_ciphers/1`, where the argument can be a filename or a list of ciphers.
- The ciphers can be specified as a string or in OpenSSL string format.
- The developer should be permitted to override the global allowed ciphers by specifying alternative ciphers via the `ssl:connect` options.
Thanks
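For readers wanting the proposed behaviour on a current OTP without a change to the ssl application, here is an added example (not code from the original post and not part of OTP) of a thin wrapper that reads a process-wide cipher allow-list from the application environment, resolves RFC or OpenSSL names with the existing `ssl:str_to_suite/1`, and lets a caller's own `ciphers` option override it. The module name `cipher_policy`, the application name `my_app` and the env key `allowed_ciphers` are hypothetical.

```erlang
%% Added example, not OTP code. Applies a global cipher allow-list to
%% ssl:connect/3 so callers (including third-party libraries routed through
%% this wrapper) get a pruned client hello by default.
%% Assumptions (hypothetical names): the `my_app` application env key
%% `allowed_ciphers` holds a list of cipher names as RFC ("TLS_...") or
%% OpenSSL ("ECDHE-...") strings, e.g. in sys.config:
%%   {my_app, [{allowed_ciphers, ["ECDHE-RSA-AES128-GCM-SHA256",
%%                                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]}]}
-module(cipher_policy).
-export([allowed_suites/0, connect/3]).

%% Resolve the configured names to erl_cipher_suite() maps.  Names the local
%% ssl application does not recognise are logged and skipped rather than
%% failing every connection at runtime.
allowed_suites() ->
    Names = application:get_env(my_app, allowed_ciphers, []),
    lists:filtermap(
      fun(Name) ->
              try
                  {true, ssl:str_to_suite(Name)}
              catch
                  _:_ ->
                      logger:warning("ignoring unknown cipher suite ~s", [Name]),
                      false
              end
      end, Names).

%% Connect with the allow-list applied.  A caller-supplied `ciphers` option
%% wins, which is the per-call override described in the proposal; with no
%% allow-list configured the OTP defaults are used unchanged.
connect(Host, Port, Opts) ->
    Opts1 = case {proplists:is_defined(ciphers, Opts), allowed_suites()} of
                {true, _}       -> Opts;
                {false, []}     -> Opts;
                {false, Suites} -> [{ciphers, Suites} | Opts]
            end,
    ssl:connect(Host, Port, Opts1).
```

Two practical notes: keep the allow-list consistent with the `versions` option you pass (a list containing only TLS 1.2 suites should be paired with `{versions, ['tlsv1.2']}` so the hello offers exactly what the list says), and prune the list only as far as the misbehaving middle-box requires, keeping AEAD (GCM or ChaCha20-Poly1305) suites with ephemeral key exchange so the workaround does not silently weaken every other connection.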