What situation will happen? SSL: hello: ssl_alert.erl:88:Fatal error: illegal parameter

Hello everyone!
My application has encountered errors requesting graph.facebook.com since yesterday. Until then, it had been working properly!
Using httpc:request/4, error message:

SSL: hello: ssl_alert.erl:88:Fatal error: illegal parameter
{failed_connect,[{to_address,{"graph.facebook.com",443}}, {inet,[inet],{tls_alert,"illegal parameter"}}]}

I guess it was during the SSL handshake phase that the failure occurred, perhaps due to the replacement of the certificate by FB?

What I want now is to understand what happened to somehow avoid it in the future, so I am asking for collective mind’s help :rofl: :rofl: :rofl:

OTP-19 is really old! Starting with OTP-20, the ssl application will by default do the hostname check (that is not really part of the TLS protocol but that should be performed by ssl clients). So httpc has in later versions been extended to use hostname configuration options and os-cacerts.

Latest version gives me:


{ok,{{"HTTP/1.1",400,"Bad Request"},
      {"date","Wed, 30 Aug 2023 07:13:54 GMT"},
       "OAuth \"Facebook Platform\" \"invalid_request\" \"Unsupported get request. Please read the Graph API documentation at https://developers.facebook.com/docs/graph-api\""},
      {"content-type","text/javascript; charset=UTF-8"},
      {"expires","Sat, 01 Jan 2000 00:00:00 GMT"},
      {"strict-transport-security","max-age=15552000; preload"},
      {"alt-svc","h3=\":443\"; ma=86400"}],
     "{\"error\":{\"message\":\"Unsupported get request. Please read the Graph API documentation at https:\\/\\/developers.facebook.com\\/docs\\/graph-api\",\"type\":\"GraphMethodException\",\"code\":100,\"error_subcode\":33,\"fbtrace_id\":\"AIafgQ29lZwjt_A2LVPcpHV\"}}"}}

Yes, the OTP-19 is indeed a bit old, but it has been working fine before. I figured something must have been tweaked by fb to cause this error. But I can’t get any more information. Now I can only use os:cmd/1 to execute the curl command instead of it.

So you are still using OTP-19, I would recommend upgrading. They probably updated their cert/server configuration and now you need more configuration of your connection to make it work.

This has been happening before with OTP-19 and accessing Google services. Google started to use more modern ciphers which are not supported by OTP-19. If I remember correctly, you will need to upgrade to OTP 20 or 21.


Why not upgrade to OTP-26 while you are at it and avoid possible issues that were long since fixed and gain access to all the latest algorithms? If you depend on legacy algorithms you might need to explicitly add configuration for that though. But otherwise you will be much better off!
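
An added example, not code from anyone in this thread: on a recent release, the hostname check and OS CA certificates mentioned earlier in the thread can be passed to `httpc` explicitly, and the versions and suites the local runtime offers can be reported when the handshake fails. It assumes OTP 25 or later (for `public_key:cacerts_get/0`); the module and function names are hypothetical.

```erlang
%% Added example, not code from the thread. Assumes OTP 25 or later
%% (public_key:cacerts_get/0). Module and function names are hypothetical.
-module(graph_probe).
-export([get/1, tls_opts/0, local_tls/0]).

%% Client-side TLS options spelled out instead of relying on release defaults.
tls_opts() ->
    [{verify, verify_peer},                  % reject chains we cannot validate
     {cacerts, public_key:cacerts_get()},    % trust anchors from the OS store
     {depth, 4},                             % max intermediate CAs in the chain
     {versions, ['tlsv1.3', 'tlsv1.2']},     % no legacy protocol versions
     %% Hostname check using HTTPS wildcard rules (e.g. *.example.com).
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].

%% What this runtime is able to offer in its ClientHello.
local_tls() ->
    Versions = proplists:get_value(supported, ssl:versions()),
    #{otp => erlang:system_info(otp_release),
      versions => Versions,
      tls12_suites => length(ssl:cipher_suites(default, 'tlsv1.2'))}.

%% Url is a string such as "https://graph.facebook.com/".
get(Url) ->
    {ok, _} = application:ensure_all_started(inets),
    {ok, _} = application:ensure_all_started(ssl),
    HttpOpts = [{ssl, tls_opts()}, {timeout, 10000}],
    case httpc:request(get, {Url, []}, HttpOpts, [{body_format, binary}]) of
        {ok, {{_Vsn, Status, _Phrase}, _Headers, _Body}} ->
            {ok, Status};
        {error, {failed_connect, Info}} ->
            %% Connect or handshake failure (a tls_alert lands here): return
            %% the local capabilities next to the reason so a version or
            %% cipher mismatch with the server is visible in one place.
            {error, #{reason => Info, local => local_tls()}};
        {error, Other} ->
            {error, Other}
    end.
```

Logging the `local` map from a failed call shows at a glance whether the release can negotiate the protocol versions a server now requires.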

Yes, upgrading the OTP is a big project for me, and the app is already at the end of its life. I don’t want to spend too much time on this.

This is a project from a few years ago. I have upgraded to OTP22 for new projects.

OTP-22 is also kind of old!


We are more conservative when it comes to upgrades unless absolutely necessary. :joy: :joy: :joy: :joy:

Security tends to be absolutely necessary :wink:


I agree :smile: