使用HTTP2和TLS的Cowboy Web服务器在Chrome中获取ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY [英] Cowboy Webserver using HTTP2 and TLS getting ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY in Chrome

问题描述

我正在使用:Erlang OTP 21和Cowboy 2.4代码:

I'm using: Erlang OTP 21 and Cowboy 2.4 Code:

cowboy:start_tls( 
                  my_listener,
                  [
                      {port, Web_Server_Port},
                      {certfile, Cert_File},
                      {keyfile, Key_File}
                  ],
                  #{env => #{dispatch => dispatcher()}}
                )

我正在使用它来启动Web服务器，该服务器可以在HTTP1.1上正常工作，但是现在Chrome使用的是HTTP2，因此无法将其禁用.所以现在我收到了:

I'm using this to start the web server, which work fine on HTTP1.1,but now Chrome is using HTTP2 and that can't be disabled. So now I'm receiving:

ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY

我也遇到了启用HTTP2的Firefox类似问题:

I also experience a similar problem Firefox with HTTP2 enable:

Error code: NS_ERROR_NET_INADEQUATE_SECURITY

但是在Firefox上，我可以禁用HTTP2.禁用HTTP2时，它可以正常工作.我已经验证我的证书是好的，并且在HTTP1.1下获得了绿色锁我已经读到HTTP2对于所使用的密码及其出现的顺序更加严格.

but on Firefox I can disable HTTP2. It work fine when HTTP2 is disabled. I have verified my certificate is good and I get the green lock under HTTP1.1 I have read that HTTP2 is stricter with the ciphers that are used and the order they appear.

修复Chrome中的ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY SSL错误 https://www.jeffgeerling.com/blog/2016/修复errspdyina不足的transportsecurity-ssl-error-chrome 但不确定是否是问题所在.

Fixing ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY SSL error in Chrome https://www.jeffgeerling.com/blog/2016/fixing-errspdyinadequatetransportsecurity-ssl-error-chrome But not sure if that is the problem.

我不确定要使用哪种密码，也不确定如何指示其在牛仔中的使用.我尝试在选项中添加密码选项，但这不能解决问题:

I'm not sure of what ciphers to use also not exactly sure how to indicate their use in cowboy. I have tried adding a cipher option in the options, but this doesn't correct the problem:

{ciphers, [
        {ecdhe_ecdsa,aes_256_cbc,sha384,sha384},
         {ecdhe_rsa,aes_256_cbc,sha384,sha384}, 
         {ecdh_ecdsa,aes_256_cbc,sha384,sha384},
         {ecdh_rsa,aes_256_cbc,sha384,sha384},
         {dhe_rsa,aes_256_cbc,sha256},
         {dhe_dss,aes_256_cbc,sha256},
         {ecdhe_ecdsa,aes_256_cbc,sha},
         {ecdhe_rsa,aes_256_cbc,sha},
         {dhe_rsa,aes_256_cbc,sha},
         {dhe_dss,aes_256_cbc,sha},
         {ecdh_ecdsa,aes_256_cbc,sha},
         {ecdh_rsa,aes_256_cbc,sha},
         {ecdhe_rsa,aes_128_cbc,sha},
         {dhe_rsa,aes_128_cbc,sha},
         {dhe_dss,aes_128_cbc,sha},
         {ecdh_ecdsa,aes_128_cbc,sha},
         {ecdh_rsa,aes_128_cbc,sha}
    ]}

关于我在这里做错什么的任何建议吗?

Any suggestions on what I'm doing wrong here?

推荐答案

HTTP/2 禁止使用旧密码，包括您列出的所有CBC密码.

HTTP/2 forbids the use of old ciphers including all the CBC ciphers you have listed.

启用这样的一些GCM密码，大多数浏览器都应该接受:

Enable some GCM ciphers like this, which should be accepted by most browsers:

{ciphers, ["ECDHE-RSA-AES256-GCM-SHA384"]}

尽管默认情况下它应该允许这些.

Though by default it should allow these.

有关更多信息，请参见此处: http://ezgr.net/increasing-security-erlang-ssl-cowboy/

See here for more information: http://ezgr.net/increasing-security-erlang-ssl-cowboy/

这篇关于使用HTTP2和TLS的Cowboy Web服务器在Chrome中获取ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！