On Wed, 15 Mar 2017, at 13:06, Frédéric Audon wrote:
> with
>
> ciphers = undefined
> tls_versions = undefined
> secure_renegotiate = undefined
>
> no crash but curl -k https://127.0.0.1:6984/
>
> curl: (35) Unknown SSL protocol error in connection to 127.0.0.1:6984

Hi Frédéric

Can you please retry with:

curl -vsk https://127.0.0.1:6984/

and post the output? Also, your acceptable cipher list is very short; can you try this with a larger list to see if you get the same failure?

If you can build from source, try using the very latest 19.3 erlang release and a recent OpenSSL and see if that changes -- SSL support is continually improving in OTP itself.

I generally test SSL in erlang using these (very old) certs:

https://github.com/mochi/mochiweb/tree/master/examples/https

as I know they work, and then swap in my own certs along the way.

In any case the issue is simple: either our mochiweb fork, or the underlying OTP release + OpenSSL, doesn't have sufficient cipher support for the client you are using.

The fix is equally simple - use an SSL terminator in front, haproxy or nginx for example, and hand plain HTTP to CouchDB. While it is *possible* to have Couch working reasonably well without this, you will find, as we have, that over time the SSL support in OTP can be a long way behind what browsers and API clients expect, that there can be a significant performance & memory usage gap, and we have better things to do than fiddling with it time & time again or tracking down exactly what a specific problematic browser needs.

Patching our mochiweb fork is non-trivial; we have some necessary changes that IIRC since 2.4.0 are not straightforward to port.

>>> mochiweb_socket:add_unbroken_ciphers_default/1(line:34) <= ^ this is where things start to go wrong...
>
> I use CouchDB 1.6 with SSL. It works very well.

Curious to know if 1.6 uses the same version of OTP & OpenSSL or not.

Cheers
Dave
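The "SSL terminator in front, hand plain HTTP to CouchDB" fix that Dave recommends, written out as an nginx server block. This is an added example, not configuration from the thread or from the CouchDB project. It assumes CouchDB is listening on plain HTTP at 127.0.0.1:5984 (its default port), reuses 6984 as the TLS-facing port from the thread, and uses placeholder hostname and certificate paths that must be replaced with your own.

```nginx
# Added example: nginx terminating TLS in front of CouchDB.
# Assumptions (not from the thread): CouchDB on plain HTTP at 127.0.0.1:5984;
# the server_name and the certificate/key paths are placeholders.

server {
    listen 6984 ssl;                 # TLS on the port the thread was using
    server_name couch.example.test;  # placeholder hostname

    ssl_certificate     /etc/ssl/couchdb/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/couchdb/privkey.pem;    # placeholder path

    # Protocol and cipher policy lives here, not in OTP's ssl options, so it
    # can track what current clients expect. Trim to what you must support.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:couchdb_tls:10m;
    ssl_session_timeout 1d;

    location / {
        # Plain HTTP to the local CouchDB listener; keep it bound to loopback
        # so only the terminator can reach it.
        proxy_pass http://127.0.0.1:5984;
        proxy_http_version 1.1;

        # Pass client identity and original scheme through for CouchDB's logs
        # and for anything behind it that reasons about the original request.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Continuous _changes feeds stream for a long time; do not buffer them
        # and do not cut them off after nginx's default read timeout.
        proxy_buffering off;
        proxy_read_timeout 3600s;
    }
}
```

With this in place the `curl -vsk https://127.0.0.1:6984/` check from the reply exercises nginx's OpenSSL rather than OTP's ssl application, and CouchDB itself never needs `ciphers`, `tls_versions` or `secure_renegotiate` set at all. Check the negotiated protocol and cipher in the verbose curl output before removing the old listener.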
