Erlang SSL/TLS and Microsoft IIS Compatibility

4 replies

Last post Jun 09, 2017 04:15 PM by Rovastar

  • Erlang SSL/TLS and Microsoft IIS Compatibility

    Jun 08, 2017 04:00 PM | sashaafm

    Hello, I believe Erlang SSL and Microsoft IIS have had some incompatibilities for some time (IIRC, since Erlang 18.3.3). The cause is described in this snippet from the Erlang Mailing List:

    There are some TLS servers on the internet (Microsoft IIS) that have a
    very strict reading of the tls1.2 rfc (rfc5246 -
    https://tools.ietf.org/html/rfc5246) and if they have a certificate
    which is incompatible with the default signature_algs then they will
    kill the connection. Now people are starting to roll out SHA-256 bit
    certs but SHA-256 certs are not compatible with the default
    signature_algs. When we try to connect to these servers with tls1.2
    the server will close the connection after the client hello.


    This has caused us and other Erlang users some difficulties when trying to send HTTPS requests to applications running on Microsoft IIS. The best solution we've found so far is to explicitly set the TLS version to 1.2. However, this is not optimal for our needs, since we've got no way of knowing beforehand if the server we're talking to supports TLS 1.2, and we must support the widest array of servers possible.

    Are there any recommendations on what approach we should have to achieve the same compatibility when dealing with *possible* Microsoft IIS servers?

    I'll leave some more resources on this below:

    http://erlang.2086793.n4.nabble.com/Different-SSL-behaviours-how-to-pick-ciphers-td4717756.html
    https://blog.voltone.net/post/9
    http://erlang.org/pipermail/erlang-bugs/2016-September/005195.html
    http://erlang.org/pipermail/erlang-questions/2017-April/092035.html
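    An added example, not part of the original post or of Erlang/OTP itself, of the client-side approach the thread is circling around: keep offering TLS 1.0 to 1.2 for servers that lack TLS 1.2, but make the advertised signature algorithms explicit (SHA-256 and stronger included) so a strict IIS server with a SHA-256 certificate does not close the connection after the ClientHello, and fall back to the TLS 1.2-only workaround if the first attempt fails. It assumes an OTP release whose ssl application accepts the `versions` and `signature_algs` options of `ssl:connect/4`; the module name, the CA bundle path and the hash/signature list are assumptions, not values from the thread.

```erlang
%% Example client module (not from the thread): TLS connect that is friendly to
%% strict IIS servers holding SHA-256 certificates while still offering older
%% TLS versions. Assumes ssl's `versions` and `signature_algs` options exist.
-module(iis_compat_tls).
-export([connect/2]).

%% Hash/signature pairs advertised in the ClientHello signature_algorithms
%% extension. A server with a SHA-256 certificate needs to see the sha256
%% entries; {sha, rsa} is kept for older servers. List is an assumption.
-define(SIGNATURE_ALGS,
        [{sha512, ecdsa}, {sha512, rsa},
         {sha384, ecdsa}, {sha384, rsa},
         {sha256, ecdsa}, {sha256, rsa},
         {sha,    ecdsa}, {sha,    rsa}]).

%% Certificate verification is always on; trusting the peer cert is the
%% whole point of the exercise. CA bundle path is an assumption.
base_opts() ->
    [{verify, verify_peer},
     {cacertfile, "/etc/ssl/certs/ca-certificates.crt"},
     {depth, 3},
     {active, false}].

%% connect(Host, Port) -> {ok, SslSocket} | {error, {FirstReason, SecondReason}}
connect(Host, Port) ->
    {ok, _} = application:ensure_all_started(ssl),
    %% Attempt 1: offer TLS 1.2 down to 1.0 (widest server support), with the
    %% signature algorithms set explicitly instead of relying on the default.
    Opts1 = [{versions, ['tlsv1.2', 'tlsv1.1', tlsv1]},
             {signature_algs, ?SIGNATURE_ALGS} | base_opts()],
    case ssl:connect(Host, Port, Opts1, 5000) of
        {ok, Socket} ->
            {ok, Socket};
        {error, Reason1} ->
            %% Attempt 2: TLS 1.2 only, the workaround described in the post.
            Opts2 = [{versions, ['tlsv1.2']},
                     {signature_algs, ?SIGNATURE_ALGS} | base_opts()],
            case ssl:connect(Host, Port, Opts2, 5000) of
                {ok, Socket}     -> {ok, Socket};
                {error, Reason2} -> {error, {Reason1, Reason2}}
            end
    end.
```

    A connection that is closed right after the ClientHello typically surfaces as `{error, closed}` from the first attempt, which is the symptom the mailing-list snippet describes; comparing `Reason1` and `Reason2` in the error tuple shows whether the TLS 1.2-only retry was what made the difference.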

  • Rovastar Rovastar

    5468 Posts

    MVP

    Moderator

    Re: Erlang SSL/TLS and Microsoft IIS Compatibility

    Jun 09, 2017 01:31 AM | Rovastar

    I have briefly read your links but I don't understand any of it. I have never heard of this Erlang software and I have no idea how you even use it and how it interacts with IIS. Are you running it on IIS? Is it an Erlang client connecting to IIS? *shrug* No idea.

    And from my reading it sounds like an issue with this Erlang software, and I am unclear why IIS is to blame.

    I would suggest you should go back to the devs and get them to fix their SSL implementation. Maybe they should look at what changed from v18.3.3 and earlier versions and how it is compatible with strict (or maybe other words) or "correct" RFC implementations.

    Troubleshoot IIS in style
    https://www.leansentry.com/
  • Rovastar Rovastar

    5468 Posts

    MVP

    Moderator

    Re: Erlang SSL/TLS and Microsoft IIS Compatibility

    Jun 09, 2017 01:43 PM | Rovastar

    Also check you are not sending the MD5 cipher over TLS 1.2, as this will not work. If indeed you are sending stuff to IIS. It is difficult to know what is happening without IIS server logs.

    Troubleshoot IIS in style
    https://www.leansentry.com/
  • Re: Erlang SSL/TLS and Microsoft IIS Compatibility

    Jun 09, 2017 02:36 PM | sashaafm

    Hello Rovastar, 

    Erlang is a programming language which is quite popular and widely used. And yes, we are indeed speaking to IIS servers.

    Anyway, 

    In computing, the robustness principle is a general design guideline for software:

    Be conservative in what you do, be liberal in what you accept from others (often reworded as "Be conservative in what you send, be liberal in what you accept").

  • Rovastar Rovastar

    5468 Posts

    MVP

    Moderator

    Re: Erlang SSL/TLS and Microsoft IIS Compatibility

    Jun 09, 2017 04:15 PM | Rovastar

    Maybe so but I would say you need to follow correct standards.

    First you need to show that you are not doing incorrect practices, which is far from clear from those basic posts.

    You seem to imply (as this is posted in feature requests) that IIS web server software must change as they are doing something wrong.

    So you need to do more research into what the issue is. What ciphers are you sending? Have you tried different ones? Are they compatible with the target server? What software version of IIS and what cipher and TLS configuration do they use? Is this misconfigured?

    Often this will involve in-depth looking at the actual traffic via network traffic tools like Wireshark.

    If you go through that work I'll be happy to help out with more details.

    Troubleshoot IIS in style
    https://www.leansentry.com/