What situation will happen ？SSL: hello: ssl_alert.erl:88:Fatal error: illegal parameter

emmm · August 29, 2023, 2:26pm

Hello everyone！
My application has encountered errors requesting graph.facebook.com since yesterday.Until then, it had been working properly！
OPT19
Using httpc:request/4,error message：

SSL: hello: ssl_alert.erl:88:Fatal error: illegal parameter
{failed_connect,[{to_address,{"graph.facebook.com",443}}, {inet,[inet],{tls_alert,"illegal parameter"}}]}

I guess it was during the SSL handshake phase that the failure occurred, perhaps due to the replacement of the certificate by FB?

What I want now is to understand what happened to somehow avoid it in the future, so I am asking for collective mind’s help

ingela · August 30, 2023, 7:20am

OTP-19 is really old!. Starting OTP-20 ssl application will by default do the hostname check (that is not really part of TLS protocol but that should be performed by ssl clients). So httpc has in later versions been extended to use hostname configureation options and os-cacerts.

Latest verison gives me:


httpc:request("https://graph.facebook.com:443").

{ok,{{"HTTP/1.1",400,"Bad Request"},
     [{"cache-control","no-store"},
      {"connection","keep-alive"},
      {"date","Wed, 30 Aug 2023 07:13:54 GMT"},
      {"pragma","no-cache"},
      {"vary","Origin"},
      {"www-authenticate",
       "OAuth \"Facebook Platform\" \"invalid_request\" \"Unsupported get request. Please read the Graph API documentation at https://developers.facebook.com/docs/graph-api\""},
      {"content-length","241"},
      {"content-type","text/javascript; charset=UTF-8"},
      {"expires","Sat, 01 Jan 2000 00:00:00 GMT"},
      {"access-control-allow-origin","*"},
      {"facebook-api-version","v11.0"},
      {"strict-transport-security","max-age=15552000; preload"},
      {"x-fb-request-id","AIafgQ29lZwjt_A2LVPcpHV"},
      {"x-fb-trace-id","GhwC0WFmf66"},
      {"x-fb-rev","1008343745"},
      {"x-fb-debug",
       "+8bxcRSerxdaPJQAXCWcrmTQosGjU4W2XpoiH7FEb6cTqaT3JBG4jB4hjag6FffF4C3DG2Hp5Yng3GLQrEeh0g=="},
      {"alt-svc","h3=\":443\"; ma=86400"}],
     "{\"error\":{\"message\":\"Unsupported get request. Please read the Graph API documentation at https:\\/\\/developers.facebook.com\\/docs\\/graph-api\",\"type\":\"GraphMethodException\",\"code\":100,\"error_subcode\":33,\"fbtrace_id\":\"AIafgQ29lZwjt_A2LVPcpHV\"}}"}}

emmm · August 30, 2023, 7:45am

Yes, the OTP-19 is indeed a bit old, but it has been working fine before. I figured something must have been tweaked by fb to cause this error. But I can’t get any more information. Now I can only use os:cmd/1 to execute the curl command instead of it.

ingela · August 30, 2023, 8:26am

So you still using OTP-19, I would recommend upgrading. They probably updated their cert/server configuration and now you need more configuration of your connection to make it work.

mworrell · August 30, 2023, 8:27am

This has been happening before with OTP-19 and accessing Google services. Google started to use more modern ciphers which are not supported by OTP-19. If I remember correctly, you will need to upgrade to OTP 20 or 21.

ingela · August 30, 2023, 10:08am

Why not upgrade to OTP-26 while you are at it and avoid possible issues that was long since fixed and gain access to all the latest algorithms? If you depend on legacy algorithms you might need to add explicitly configuration for that though. But otherwise you will be much better off!

emmm · August 30, 2023, 11:55am

Yes, upgrading the OTP is a big project for me, and the app is already at the end of its life. I don’t want to spend too much time on this.

emmm · August 30, 2023, 11:57am

This is a project from a few years ago. I have upgraded to OTP22 for new projects.

ingela · August 30, 2023, 1:59pm

OTP-22 is also kind of old!

emmm · August 31, 2023, 2:57am

We are more conservative when it comes to upgrades unless absolutely necessary.

ingela · August 31, 2023, 8:53am

Security tends to be absolutely necessary …

emmm · August 31, 2023, 9:13am

I agree