HeadlinesBriefing favicon HeadlinesBriefing.com

WolfSSL TLS 1.3 Bug Breaks Erlang/Elixir Connections

Hacker News: Front Page •
×

A critical bug in WolfSSL has emerged that breaks TLS 1.3 connections for Erlang and Elixir applications. The issue stems from WolfSSL's non-compliant implementation of middlebox compatibility mode, which is essential for TLS 1.3 to work through legacy network devices.

TLS 1.3 introduced significant changes that broke many existing network middleboxes, forcing the RFC to include a compatibility mode that lets clients and servers pretend to use TLS 1.2. WolfSSL, however, requires compiling with -DWOLFSSL_TLS13_MIDDLEBOX_COMPAT to enable this feature, and defaults to non-compliant behavior. This decision means WolfSSL cannot be trusted to work correctly with standard TLS 1.3 clients.

The bug specifically affects Erlang/OTP's SSL library, which enables middlebox compatibility by default for safety. As a result, every Elixir/Erlang HTTP client fails when connecting to WolfSSL HTTPS servers using TLS 1.3. The author discovered this while experimenting with WolfSSL-backed Haproxy on FreeBSD, highlighting how alternative SSL libraries can introduce unexpected compatibility issues.