Conversation

@chrismccord
Contributor

OTP 28 added stricter validation for SSL options. The `secure_renegotiate` and `reuse_sessions` options are only valid for TLS 1.2 and earlier (renegotiation was removed in TLS 1.3, replaced by key updates).

The current code flow in `Plug.SSL.configure/1`:

1. `set_secure_defaults/1` runs first - adds `secure_renegotiate: true` because `:ssl.versions()[:supported]` includes TLS 1.2
2. `set_strong_tls_defaults/1` runs second - sets `versions: [:"tlsv1.3"]`

Result: Both `secure_renegotiate: true` AND `versions: [:"tlsv1.3"]` are set, which OTP 28 rejects as incompatible.

To fix, after applying TLS version defaults in `set_strong_tls_defaults/1`, check if the final versions list contains only TLS 1.3. If so, remove `secure_renegotiate` and `reuse_sessions`.

ref: phoenixframework/phoenix#6557

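The interaction described in the PR (a first pass that adds `secure_renegotiate` because TLS 1.2 is supported at runtime, a second pass that narrows `versions` to TLS 1.3 only, and the proposed cleanup step) can be shown with a small standalone module. This is an added illustration, not Plug's own code: the function names mirror those named in the PR description, but their bodies are assumptions made for the example, and the list of supported versions is passed in as a parameter (with a constructed default) instead of being read from `:ssl.versions()[:supported]`.

```elixir
# Added illustration (not Plug.SSL's implementation): the two default-setting
# passes from the PR description, followed by the cleanup the PR proposes.
# Function bodies are assumptions for the example; only the names come from the PR.
defmodule SslDefaultsExample do
  @strong_versions [:"tlsv1.3"]

  # Run the passes in the order the PR describes, then strip the
  # renegotiation-era options if only TLS 1.3 is left in `versions`.
  # `supported` stands in for :ssl.versions()[:supported]; the default is constructed.
  def configure(opts, supported \\ [:"tlsv1.3", :"tlsv1.2"]) when is_list(opts) do
    opts
    |> set_secure_defaults(supported)
    |> set_strong_tls_defaults()
    |> drop_tls12_only_options()
  end

  # Pass 1 (assumed behaviour): if the runtime supports TLS 1.2, add
  # secure_renegotiate: true unless the caller already set it.
  defp set_secure_defaults(opts, supported) do
    if :"tlsv1.2" in supported do
      Keyword.put_new(opts, :secure_renegotiate, true)
    else
      opts
    end
  end

  # Pass 2 (assumed behaviour): default `versions` to TLS 1.3 only,
  # unless the caller supplied an explicit list.
  defp set_strong_tls_defaults(opts) do
    Keyword.put_new(opts, :versions, @strong_versions)
  end

  # Cleanup proposed by the PR: when the final versions list is exactly
  # [:"tlsv1.3"], secure_renegotiate and reuse_sessions no longer apply
  # (TLS 1.3 has no renegotiation), and OTP 28 rejects the combination.
  defp drop_tls12_only_options(opts) do
    case Keyword.get(opts, :versions) do
      [:"tlsv1.3"] -> Keyword.drop(opts, [:secure_renegotiate, :reuse_sessions])
      _ -> opts
    end
  end
end

# Constructed inputs, not taken from the PR.
# Default flow: versions narrows to TLS 1.3 only, so the stale options are removed.
IO.inspect(SslDefaultsExample.configure([]), label: "tls1.3 only")

# Caller explicitly keeps TLS 1.2 in the list: the options stay valid and are kept.
IO.inspect(
  SslDefaultsExample.configure(versions: [:"tlsv1.2", :"tlsv1.3"], reuse_sessions: true),
  label: "tls1.2 and tls1.3"
)
```

Run with `elixir ssl_defaults_example.exs`. The first call returns a keyword list containing only `versions: [:"tlsv1.3"]`, which is the combination OTP 28 accepts; the second keeps `secure_renegotiate` and `reuse_sessions` because TLS 1.2 remains negotiable, which is the case the cleanup must not touch.
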
@chrismccord
Contributor Author

Note, this is a vibed starting point. Need more eyes on it as it involves SSL.

@chrismccord chrismccord marked this pull request as draft December 8, 2025 20:52
@chrismccord
Contributor Author

Actually looks like this is redundant with 7b778c2. Will await plug info versions from phoenix issue and reopen if necessary.

@chrismccord chrismccord closed this Dec 9, 2025