Plug.SSL does not support TLS 1.3-only configurations on OTP 23

[voltone]

Plug.SSL's cipher configuration does not currently allow a TLS 1.3-only configuration on OTP 23.0 or later. This is not about adding TLS 1.3 as part of the cipher_suite: [:strong | : compatible], though that's something we should consider as well.

A working configuration with TLS 1.2 + 1.3 might be:

{Plug.Cowboy, scheme: :https, plug: MyApp, options: [
  # ...snip...
  ciphers: :ssl.cipher_suites(:default, :"tlsv1.2") ++ :ssl.cipher_suites(:default, :"tlsv1.3"),
  versions: [:"tlsv1.2", :"tlsv1.3"]
]}

When removing TLS 1.2...

{Plug.Cowboy, scheme: :https, plug: MyApp, options: [
  # ...snip...
  ciphers: :ssl.cipher_suites(:default, :"tlsv1.3"),
  versions: [:"tlsv1.3"]
]}

...the server fails to start with the following error:

shutdown: failed to start child: {:ranch_listener_sup, MyApp.HTTPS}
    ** (EXIT) shutdown: failed to start child: :ranch_acceptors_sup
        ** (EXIT) {:listen_error, MyApp.HTTPS, {:options, :dependency, {:secure_renegotiate, {:versions, [:tlsv1, :"tlsv1.1", :"tlsv1.2"]}}}}

Unfortunately it seems the :ssl options are rejected because :secure_renegotiate is not applicable to TLS 1.3. Overriding this flag and setting it to false does not help. The same error is triggered by some other options that are set by Plug by default. See also this thread.

I hope I'll have some time to work on a PR soonish, but in the meantime I thought I'd document the issue in case others run into it.

[adrigonzo]

I've created a fix for the Plug package here: #1011

[josevalim]

Hi @voltone, quick ping to check if there is something to be done here.

[voltone]

#1011 looks like a reasonable fix, though I agree with @hauleth's comment there