Erlang SSL/TLS and Microsoft IIS compatibility


sasha....@talkdesk.com

Jun 12, 2017, 10:23:15 AM
to Erlang Questions
Hello, I believe Erlang SSL and Microsoft IIS have had some
incompatibilities for some time (IIRC, since Erlang 18.3.3). The cause is
described in this snippet from the Erlang Mailing List:


> There are some TLS servers on the internet (Microsoft IIS) that have a
> very strict reading of the tls1.2 rfc (rfc5246 -
> https://tools.ietf.org/html/rfc5246) and if they have a certificate
> which is incompatible with the default signature_algs then they will
> kill the connection. Now people are starting to roll out SHA-256 bit
> certs but SHA-256 certs are not compatible with the default
> signature_algs. When we try to connect to these servers with tls1.2
> the server will close the connection after the client hello.


This has caused us and other Erlang users some difficulties when trying to
send HTTPS requests to applications running on Microsoft IIS. The best
solution we've found so far is to explicitly set the TLS version as being
1.2. However, this is not optimal for our needs since we've got no way of
knowing beforehand if the server we're talking to supports TLS 1.2 and we
must support the widest array of servers possible.

Are there any recommendations on what approach we should have to achieve
the same compatibility when dealing with *possible* Microsoft IIS servers?

I'll leave below some more resources on this:

http://erlang.2086793.n4.nabble.com/Different-SSL-behaviours-how-to-pick-ciphers-td4717756.html
https://blog.voltone.net/post/9
http://erlang.org/pipermail/erlang-bugs/2016-September/005195.html
http://erlang.org/pipermail/erlang-questions/2017-April/092035.html
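One way to combine the TLS 1.2 pin described in the post with support for servers that lack TLS 1.2, as an added example that is not code from the post or from Erlang/OTP. The module name, function names, attempt labels and the caller-supplied CA bundle path are assumptions; the retry offers only older versions and sets the ssl `fallback` option so the client sends TLS_FALLBACK_SCSV, which lets a TLS 1.2-capable server refuse a forced downgrade.

```erlang
-module(tls_fallback_example).   % hypothetical module name
-export([connect/4]).

%% Attempts, in order. The first pins TLS 1.2 (the workaround from the post).
%% The second offers only older versions and marks the handshake as a
%% downgraded retry via {fallback, true} (TLS_FALLBACK_SCSV).
attempts() ->
    [{tls12_only, [{versions, ['tlsv1.2']}]},
     {legacy,     [{versions, ['tlsv1.1', tlsv1]}, {fallback, true}]}].

%% Host is a string, CaFile a PEM bundle of trusted CAs (caller-supplied).
%% Returns {ok, Socket, AttemptName} | {error, [{AttemptName, Reason}]}.
connect(Host, Port, CaFile, Timeout) ->
    {ok, _} = application:ensure_all_started(ssl),
    Base = [{verify, verify_peer},
            {cacertfile, CaFile},
            {server_name_indication, Host},
            {active, false}],
    try_attempts(attempts(), Host, Port, Base, Timeout, []).

try_attempts([], _Host, _Port, _Base, _Timeout, Errors) ->
    {error, lists:reverse(Errors)};
try_attempts([{Name, Opts} | Rest], Host, Port, Base, Timeout, Errors) ->
    case ssl:connect(Host, Port, Opts ++ Base, Timeout) of
        {ok, Socket} ->
            {ok, Socket, Name};
        {error, Reason} ->
            Acc = [{Name, Reason} | Errors],
            case transport_error(Reason) of
                %% The host is unreachable; another TLS version cannot help.
                true  -> {error, lists:reverse(Acc)};
                %% Handshake-level failure: keep the reason and try the
                %% next attempt so callers can log which path was needed.
                false -> try_attempts(Rest, Host, Port, Base, Timeout, Acc)
            end
    end.

%% Errors that come from the network, not from the TLS handshake.
transport_error(econnrefused) -> true;
transport_error(ehostunreach) -> true;
transport_error(nxdomain)     -> true;
transport_error(timeout)      -> true;
transport_error(_)            -> false.
```

Logging the returned attempt name per host shows which servers still depend on the legacy path, so the fallback can be retired once none do.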