Unfortunately, my attempt resulted in TLS errors from both browsers and command line tools. In the process I uncovered issues with intermediate bundles and elliptic curve selections, as well as a configuration optimization. When you buy a certificate for your site, you’re likely to also receive an intermediate bundle. If this bundle is excluded, the browser won’t trust the connection, since it can’t verify each link of the chain. Erlang will now send the entire certificate chain to the browser during the connection, and the browser can trust the connection. At this point, I expected to be done.

Chrome’s debugging logs provided no additional information. This message includes the highest TLS version supported, lists of supported cipher suites and compression algorithms, and other TLS extensions, including a list of known named elliptic curves. TLS version, the cipher suite, the compression algorithm, and any additional TLS extensions. The specifics of how the session key is generated is outside the scope of this primer. Both supported by the browser. ECDHE public key used to derive the shared key.

The ECDHE public key and signature follows. While Erlang supports all 25 elliptic curves named in RFC4492, common browsers only support a smaller subset of two or three. Erlang’s early support of elliptic curves are problematic. When picking an elliptic curve, Erlang does not consider the list of supported curves sent by the browser.

Erlang's SSL library has defaults for the TLS versions, cipher suites and renegotiation behavior. You may want to change these options for client compatibility and for resiliency to TLS attacks. Then, I tested the connection with a TLS scanner or a network protocol analyzer. This information was incorrectly included from an earlier draft. My patch did not land in CouchDB 1. CouchDB has since been reorganized into multiple repos, but my patch continues to be in place for a future stable release.

