Ability to select allowed SSL ciphers for all sessions on start-up


We recently ran into a case upon upgrading to OTP R25 where we were unable to establish TLS connectivity to certain addresses. Eventually we tracked the issue down to a proxy/middle-box that objected to some of the newer ciphers in the client hello message. I would imagine that we are not the first people to run into this problem.

I am aware you can specify the acceptable ciphers as options in the ssl:connect function, but that is often difficult when a third-party library is in the way.

My proposal is that the developer should be allowed to select the ciphers we wish to support:

  • On start-up via an application argument that specifies a filename of permitted ciphers, for example: -ssl allowed_ciphers_filename "priv/ciphers.dat"
  • Programmatically: ssl:allowed_ciphers/1 where the argument can be a filename or a list of ciphers.
  • The ciphers can be specified as a string or openssl string format.
  • The developer should be permitted to override the global allowed ciphers by specifying alternative ciphers via the ssl:connect options.