IIS Feature Feedback
Erlang SSL/TLS and Microsoft IIS Compatibility
Last post Jun 09, 2017 04:15 PM by Rovastar
Jun 08, 2017 04:00 PM|sashaafm|LINK
Hello, I believe Erlang SSL and Microsoft IIS have had some incompatibilities for some time (IIRC, since Erlang 18.3.3). The cause is described in this snippet from the Erlang Mailing List:
There are some TLS servers on the internet (Microsoft IIS) that have a very strict reading of the tls1.2 rfc (rfc5246 - https://tools.ietf.org/html/rfc5246) and if they have a certificate which is incompatible with the default signature_algs then they will kill the connection. Now people are starting to roll out SHA-256 bit certs but SHA-256 certs are not compatible with the default signature_algs. When we try to connect to these servers with tls1.2 the server will close the connection after the client hello.
This has caused us and other Erlang users some difficulties when trying to send HTTPS requests to applications running on Microsoft IIS. The best solution we've found so far is to explicitly set the TLS version as being 1.2. However, this is not optimal for our needs since we've got no way of knowing beforehand if the server we're talking to supports TLS 1.2 and we must support the widest array of servers possible.
Are there any recommendations on what approach we should have to achieve the same compatibility when dealing with *possible* Microsoft IIS servers?
I'll leave below some more resources on this.
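As an added example (not code from this thread or from the Erlang/OTP project), an Erlang client module that keeps several TLS versions on offer, so older servers can still negotiate down, while explicitly advertising SHA-256 signature algorithms and verifying the server certificate; the module name, host, port and CA bundle path are placeholders of my own.

```erlang
%% Added example, not from the forum thread. Connects to a TLS server
%% (e.g. an IIS host) with an explicit signature_algs list that includes
%% SHA-256, while offering more than one protocol version so that a server
%% without TLS 1.2 can still negotiate an older version.
-module(iis_tls_probe).
-export([connect/2]).

%% Host is a hostname string, Port an integer. Returns {ok, Info} with the
%% negotiated protocol and cipher suite, or {error, Reason}.
connect(Host, Port) ->
    {ok, _Started} = application:ensure_all_started(ssl),
    Opts = [
        binary,
        {active, false},
        %% Offer TLS 1.2 first; the server selects the highest it supports.
        {versions, ['tlsv1.2', 'tlsv1.1', 'tlsv1']},
        %% Advertise SHA-256/384 based algorithms in the ClientHello so a
        %% server holding a SHA-256 certificate does not reject the handshake
        %% (RFC 5246, section 7.4.1.4.1). SHA-1 entries kept for old servers.
        {signature_algs, [{sha256, rsa}, {sha256, ecdsa},
                          {sha384, rsa}, {sha384, ecdsa},
                          {sha,    rsa}, {sha,    ecdsa}]},
        %% Verify the server certificate against a CA bundle.
        %% Placeholder path: adjust for the deployment.
        {verify, verify_peer},
        {cacertfile, "/etc/ssl/certs/ca-certificates.crt"},
        {depth, 3},
        %% Send SNI so virtual-hosted servers present the right certificate.
        {server_name_indication, Host}
    ],
    case ssl:connect(Host, Port, Opts, 5000) of
        {ok, Sock} ->
            {ok, Info} = ssl:connection_information(Sock, [protocol, cipher_suite]),
            ok = ssl:close(Sock),
            {ok, Info};
        {error, Reason} ->
            {error, Reason}
    end.
```

Call it as `iis_tls_probe:connect("iis.example.invalid", 443).`; a `{error, closed}` right after the handshake starts is the symptom the mailing-list snippet describes, whereas `{ok, [{protocol, 'tlsv1.2'}, ...]}` confirms the signature_algs list was acceptable to the server.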
Jun 09, 2017 01:31 AM|Rovastar|LINK
I have briefly read your links but I don't understand any of it. I have never heard of this Erlang software and I have no idea how you even use it and how it interacts with IIS. Are you running it on IIS? Is it an Erlang client connecting to IIS? *shrug*
And from my reading it sounds like an issue with this Erlang software and I am unclear why IIS is to blame.
I would suggest you should go back to the devs and get them to fix their SSL implementation. Maybe they should look at what changed from v18.3.3 and earlier versions and how it is compatible with strict (or maybe other words) or "correct" RFC implementations.
Jun 09, 2017 01:43 PM|Rovastar|LINK
Also check you are not sending the MD5 cipher over TLS 1.2 as this will not work. If indeed you are sending stuff to IIS. Difficult to know what is happening with IIS server logs.
Jun 09, 2017 02:36 PM|sashaafm|LINK
Erlang is a programming language which is quite popular and widely used. And yes we are indeed speaking to IIS servers.
In computing, the robustness principle is a general design guideline for software:
Jun 09, 2017 04:15 PM|Rovastar|LINK
Maybe so but I would say you need to follow correct standards.
First you need to show that you are not doing incorrect practices, which is far from clear from those basic posts.
You seem to imply (as this is posted in feature requests) that IIS web server software must change as they are doing something wrong.
So you need to do more research into what the issue is. What ciphers are you sending? Have you tried different ones? Are they compatible with the target server? What software version of IIS and what cipher and TLS configuration do they use? Is this misconfigured?
Often this will involve looking in depth at the actual traffic via network traffic tools like Wireshark.
If you go through that work I'll be happy to help out with more details.