SSL handshake_decode_error
While checking the logs of a deployment on an Amazon server, I found the following error:
generated SERVER ALERT: Fatal - Handshake Failure - handshake_decode_error
Logging into the server still worked fine, but the error message would not let me rest. A Google search turned up a mailing-list thread:
https://groups.google.com/forum/#!topic/rabbitmq-users/wB7vU-P2dns
The important part, excerpted:
"Sorry for jumping onto this old thread - we ran into the same issue after upgrading from Erlang 16 to 19. Took a lot of time running tcpdump and ssldump before we found that clients use SSL-2.0 compatible hello message. It is not really the same as using SSLv2 because clients still support better TLS protocols which they announce in the hello message, but the message itself is 2.0 format.

{v2_hello_compatible, boolean()}

If true, the server accepts clients that send hello messages on SSL-2.0 format but offers supported SSL/TLS versions. Defaults to false, that is the server will not interoperate with clients that offers SSL-2.0.

So adding that {v2_hello_compatible, true} to ssl options solves the issue."
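The thread's diagnosis hinged on telling an SSL 2.0-format ClientHello apart from a TLS-format one in a packet capture. The script below is an added example and not code from this post, the mailing-list thread, or the Erlang/cowboy projects: it parses the first bytes a client sends and reports which hello format was used and which TLS version and cipher suites the client actually offers. The two sample hellos are constructed inline (not captured from any server), and the function names are my own. The point it makes is the one from the quote: a v2-format hello can still offer TLS 1.2, and a server with v2_hello_compatible left at false rejects it purely because of the message framing.

```python
"""Classify the first bytes of a client connection as an SSL 2.0-format
(v2-compatible) ClientHello or a TLS-format ClientHello.

Constructed sample data, added example (not the original post's code)."""
import struct

# Constructed sample: SSL 2.0-format CLIENT-HELLO that offers TLS 1.2.
# Two cipher specs are TLS suites in v2 encoding (00 xx yy), one is a real
# SSL 2.0 cipher (01 00 80, SSL2 RC4-128 MD5).
V2_COMPAT_HELLO = bytes.fromhex(
    "8022"                       # high bit set: 2-byte v2 header, length 34
    "01"                         # msg_type CLIENT-HELLO
    "0303"                       # version offered: TLS 1.2
    "0009" "0000" "0010"         # cipher_spec_length, session_id_length, challenge_length
    "00002f" "000035" "010080"   # cipher specs (3 bytes each)
) + bytes(range(16))             # 16-byte challenge (constructed)

# Constructed sample: ordinary TLS record carrying a ClientHello for TLS 1.2.
TLS_HELLO = bytes.fromhex(
    "160301002f"                 # record: handshake, record version 3.1, length 47
    "0100002b"                   # handshake: ClientHello, length 43
    "0303"                       # client_version TLS 1.2
) + bytes(32) + bytes.fromhex(   # 32-byte random (all zero, constructed)
    "00"                         # session_id length 0
    "0004" "c02f" "002f"         # cipher_suites: 2 suites
    "0100"                       # compression_methods: null only
)


def classify_client_hello(data: bytes) -> dict:
    """Return the hello format, offered version and cipher suites of a ClientHello."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    first = data[0]
    if first & 0x80:
        # SSL 2.0 record with the 2-byte header: 15-bit length, no padding byte.
        msg_len = ((first & 0x7F) << 8) | data[1]
        body = data[2:2 + msg_len]
        if len(body) != msg_len or len(body) < 9 or body[0] != 0x01:
            raise ValueError("not a complete SSL 2.0 CLIENT-HELLO")
        major, minor, cs_len, sid_len, ch_len = struct.unpack("!BBHHH", body[1:9])
        if len(body) != 9 + cs_len + sid_len + ch_len or cs_len % 3:
            raise ValueError("inconsistent SSL 2.0 CLIENT-HELLO lengths")
        specs = [body[9 + i:12 + i] for i in range(0, cs_len, 3)]
        return {
            "format": "sslv2-compatible",
            "version": (major, minor),
            # v2 encoding of a TLS suite is 00 followed by the 2-byte suite id
            "tls_suites": [c[1:].hex() for c in specs if c[0] == 0x00],
            "ssl2_only_ciphers": [c.hex() for c in specs if c[0] != 0x00],
        }
    if first == 0x16:
        # TLS record: type(1) version(2) length(2), then a handshake message.
        rec_major, rec_minor, rec_len = struct.unpack("!BBH", data[1:5])
        rec = data[5:5 + rec_len]
        if len(rec) != rec_len or len(rec) < 4 or rec[0] != 0x01:
            raise ValueError("not a complete TLS ClientHello record")
        hs_len = int.from_bytes(rec[1:4], "big")
        hs = rec[4:4 + hs_len]
        if len(hs) != hs_len or len(hs) < 35:
            raise ValueError("truncated ClientHello")
        major, minor = hs[0], hs[1]
        pos = 34                              # skip client_version(2) + random(32)
        sid_len = hs[pos]
        pos += 1 + sid_len
        cs_len = int.from_bytes(hs[pos:pos + 2], "big")
        pos += 2
        suites = hs[pos:pos + cs_len]
        if len(suites) != cs_len or cs_len % 2:
            raise ValueError("truncated cipher_suites")
        return {
            "format": "tls",
            "version": (major, minor),
            "tls_suites": [suites[i:i + 2].hex() for i in range(0, cs_len, 2)],
            "ssl2_only_ciphers": [],
        }
    raise ValueError("first byte %#x is neither an SSL 2.0 nor a TLS record" % first)


def rejected_without_v2_hello_compatible(data: bytes) -> bool:
    """True when an Erlang ssl server at the default v2_hello_compatible=false
    would refuse this hello even though the client offers TLS (assumption:
    the server's other settings accept the offered version)."""
    info = classify_client_hello(data)
    return info["format"] == "sslv2-compatible" and bool(info["tls_suites"])


if __name__ == "__main__":
    for name, sample in (("v2-compatible", V2_COMPAT_HELLO), ("tls", TLS_HELLO)):
        print(name, classify_client_hello(sample),
              "rejected by default:", rejected_without_v2_hello_compatible(sample))
```

To use it on a real capture, feed the first bytes of the client-to-server TCP stream (for example the payload of the first data segment extracted with tcpdump) to classify_client_hello. A result of "sslv2-compatible" with a non-empty tls_suites list is the situation the thread describes; a result of "tls" means the handshake_decode_error has some other cause and the option will not help.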
So I added the option to the TransportOpts argument of cowboy's start_tls startup function, as follows:
cowboy:start_tls(xxx_listener,
    %% TransportOpts (ranch_ssl:opts()): listen port plus ssl options;
    %% the port and the xxx paths are placeholders
    [{port, 123456},
     {v2_hello_compatible, true},   %% accept SSL-2.0-format hello messages
     {cacertfile, xxx}, {certfile, xxx}, {keyfile, xxx}],
    #{env => #{dispatch => Dispatch}}),
...
The declaration of start_tls can be found in the cowboy documentation:
https://ninenines.eu/docs/en/cowboy/2.4/manual/cowboy.start_tls/
Its TransportOpts parameter has the type ranch_ssl:opts(), see the documentation:
https://ninenines.eu/docs/en/ranch/1.5/manual/ranch_ssl/
The ssl_opt type includes the v2_hello_compatible option.
Whether it actually fixes the problem remains to be seen in the logs after the next deployment.