aantron/dream

Issue with TLS enabled

Closed this issue · 9 comments

After development on macOS I have moved the code to a production Ubuntu host; however, after installing certs and enabling TLS I am getting the errors below:

11.01.23 18:19:59.989 dream.http WARN TLS (10.16.8.58:58360): SSL accept() error: error:1408F09C:SSL routines:ssl3_get_record:http request
11.01.23 18:19:59.989 dream.http WARN Raised by primitive operation at Lwt_ssl.ssl_accept.(fun) in file "src/lwt_ssl.ml", line 82, characters 31-48
11.01.23 18:19:59.990 dream.http WARN Called from Lwt_ssl.wrap_call in file "src/lwt_ssl.ml", line 47, characters 4-8
11.01.23 18:19:59.990 dream.http WARN Re-raised at Lwt_ssl.wrap_call in file "src/lwt_ssl.ml", line 57, characters 7-14
11.01.23 18:19:59.990 dream.http WARN Called from Lwt_ssl.repeat_call.(fun) in file "src/lwt_ssl.ml", line 63, characters 15-31
11.01.23 18:19:59.990 dream.http WARN Re-raised at Dream__http__Http.openssl.(fun) in file "src/http/http.ml", line 332, characters 6-1023

Hi. I also noticed these errors when using certain clients such as httpie, but not from curl. It might not be a solution for you, but I place the Dream server behind a proxy and let that handle TLS/certs etc. and just route HTTP.

I will close this off, and offload the TLS to another device.

Reopening this to remind myself to try to reproduce it. Do you recall what client you were using? This seems like an upstream issue, but something that Dream or upstream projects will want to fix.

I was able to cause "some" errors by trying to access the HTTPS example with curl localhost:8080 and http localhost:8080. I'm not sure if these are the same as what is happening here, but they need to be fixed regardless. The error message logged also needs improvement; I've opened #259 about that.

My previous message is wrong. I made a mistake in not using the https:// scheme with either curl or httpie. curl https://localhost:8080 produces

curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

and http https://localhost:8080 produces

http: error: SSLError: HTTPSConnectionPool(host='localhost', port=8080): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:997)'))) while doing a GET request to URL: https://localhost:8080/

The server log also looks fine:

20.04.23 13:58:46.192      dream.http  WARN TLS (127.0.0.1:60450): SSL accept() error: error:0A000418:SSL routines::tlsv1 alert unknown ca
20.04.23 13:58:47.862      dream.http  WARN TLS (127.0.0.1:60456): SSL accept() error: error:0A000418:SSL routines::tlsv1 alert unknown ca

...which is, I believe, expected with Dream using its own self-signed development certificate. So this issue still needs reproducing with a production certificate.

The error in the original report, routines:ssl3_get_record:http request, corresponds to SSL_R_HTTP_REQUEST, which is only ever triggered by receiving raw HTTP 1 instead of a TLS record. Effectively, it triggers with curl http://..., but not with curl -k https://... with the self-signed certificate. I think it's safe to say it will reproduce just the same on a proper certificate.
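The distinction in the comment above (a TLS record versus a plaintext HTTP request line arriving on the TLS port) as an added example; this is not code from the thread or from Dream. The function names, the constructed sample bytes and the hint text are mine. The check mirrors what OpenSSL's record layer does: before giving up on a record it tests the first bytes for a handful of HTTP method prefixes and, on a match, raises SSL_R_HTTP_REQUEST, which is the "http request" reason in the original log.

```python
"""Classify the first bytes a client sends to a TLS listener.

A TLS connection starts with a record header: content type 0x16
(handshake) followed by the protocol major version 0x03 and a 16-bit
record length. A plaintext HTTP request starts with an ASCII method
name, which is what OpenSSL is reporting as "http request".
"""

# Plaintext HTTP method prefixes. These four are the ones OpenSSL's
# record layer tests for before raising SSL_R_HTTP_REQUEST; a CONNECT
# is reported separately as an HTTPS proxy request.
HTTP_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"PUT ")
PROXY_PREFIX = b"CONNECT "

TLS_HANDSHAKE = 0x16
TLS_MAJOR_VERSION = 0x03


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http', 'https-proxy' or 'unknown'.

    'tls' means the bytes look like the start of a TLS record (a
    ClientHello); 'http' reproduces the condition behind OpenSSL's
    'http request' error.
    """
    if len(data) >= 5 and data[0] == TLS_HANDSHAKE and data[1] == TLS_MAJOR_VERSION:
        # Bytes 3-4 carry the record length; a zero-length record is bogus.
        if int.from_bytes(data[3:5], "big") > 0:
            return "tls"
    if data.startswith(HTTP_PREFIXES):
        return "http"
    if data.startswith(PROXY_PREFIX):
        return "https-proxy"
    return "unknown"


# Hypothetical hint text a server could log beside the raw OpenSSL message.
HINTS = {
    "tls": "TLS handshake started; certificate problems surface as TLS alerts, not here.",
    "http": "Client sent plaintext HTTP to the TLS port (OpenSSL: 'http request'); "
            "use an https:// URL or serve HTTP on a separate port.",
    "https-proxy": "Client sent an HTTP CONNECT; it is treating this server as a proxy.",
    "unknown": "Neither a TLS record nor an HTTP request line.",
}


def explain(data: bytes) -> str:
    """Map the classification to a human-readable hint."""
    return HINTS[classify_first_bytes(data)]


# Constructed samples: the record header of a TLS ClientHello (type 0x16,
# version 0x0301, length 0xf5, then handshake bytes) and the request line
# curl sends for `curl http://localhost:8080/`.
SAMPLE_CLIENT_HELLO = bytes.fromhex("16030100f5010000f10303") + b"\x00" * 16
SAMPLE_PLAINTEXT_GET = b"GET / HTTP/1.1\r\nHost: localhost:8080\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_CLIENT_HELLO, SAMPLE_PLAINTEXT_GET, b"CONNECT host:443 HTTP/1.1"):
        print(classify_first_bytes(sample), "->", explain(sample))
```

The same check is useful on the operations side: a listener that peeks at the first bytes before handing the socket to OpenSSL can log a clear "plaintext HTTP on TLS port from <peer>" line instead of the bare OpenSSL reason string.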

@devvydeebug, thanks! So in summary, this issue is at its core invalid -- however, the text http request is confusing as you have to be able to interpret that it means "the client is talking HTTP to the server instead of TLS", and the message is unfortunately too brief for that for someone who doesn't have experience with it.

Perhaps we can just close this issue, and having had it here will already aid anyone that searches for this later.

#259 should make the error text appear "sooner" for the log reader's eyes.

We might want to have some kind of hints lookup table for additional text for Dream to print to the log to help developers with this.

I created #264 about creating a hints lookup table. With #259, AFAIK that's all that should be done for this issue -- please comment or reopen if I am wrong! Thank you!
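A sketch of the hints lookup table proposed in #264, added here as an example; it is not Dream's code and does not reflect what #259 or #264 implemented. It parses the "SSL accept() error" lines Dream logs, in both the OpenSSL 1.1 form (error:CODE:lib:func:reason) and the OpenSSL 3 form where the function field is empty (error:CODE:lib::reason), and attaches a hint keyed on the reason text. The hint wording and the function names are mine; the sample log lines are copied from this thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# OpenSSL error string at the end of Dream's "SSL accept() error" lines.
# The func field may be empty (OpenSSL 3 omits function names).
OPENSSL_ERROR = re.compile(
    r"SSL accept\(\) error: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.+)$"
)

# Peer address Dream logs before the error, so the hint can name it.
PEER = re.compile(r"TLS \((?P<peer>[^)]+)\)")

# Hypothetical hints table keyed on the OpenSSL reason text.
HINTS = {
    "http request": (
        "client sent plaintext HTTP to the TLS port; "
        "use an https:// URL or serve HTTP on a separate port"
    ),
    "tlsv1 alert unknown ca": (
        "client rejected the server certificate (expected with a self-signed "
        "development certificate); install a certificate the client trusts"
    ),
}


@dataclass
class SslAcceptError:
    peer: Optional[str]
    code: str
    reason: str
    hint: Optional[str]


def parse_line(line: str) -> Optional[SslAcceptError]:
    """Parse one Dream log line; returns None for lines that are not an
    SSL accept() error (for example the backtrace frames that follow one)."""
    m = OPENSSL_ERROR.search(line)
    if not m:
        return None
    p = PEER.search(line)
    reason = m.group("reason").strip()
    return SslAcceptError(
        peer=p.group("peer") if p else None,
        code=m.group("code"),
        reason=reason,
        hint=HINTS.get(reason),
    )


def annotate(log: str) -> list[str]:
    """Return one annotated line per SSL accept() error found in the log."""
    out = []
    for line in log.splitlines():
        err = parse_line(line)
        if err is None:
            continue
        hint = err.hint or "no hint for this OpenSSL reason; search for the reason text"
        out.append(f"{err.peer or '?'}: {err.reason} (error:{err.code}) -> {hint}")
    return out


# Log lines copied from this issue (one error from each OpenSSL format,
# plus a backtrace frame that the parser must skip).
SAMPLE_LOG = """\
11.01.23 18:19:59.989 dream.http WARN TLS (10.16.8.58:58360): SSL accept() error: error:1408F09C:SSL routines:ssl3_get_record:http request
11.01.23 18:19:59.989 dream.http WARN Raised by primitive operation at Lwt_ssl.ssl_accept.(fun) in file "src/lwt_ssl.ml", line 82, characters 31-48
20.04.23 13:58:46.192      dream.http  WARN TLS (127.0.0.1:60450): SSL accept() error: error:0A000418:SSL routines::tlsv1 alert unknown ca
"""

if __name__ == "__main__":
    for entry in annotate(SAMPLE_LOG):
        print(entry)
```

Keying on the reason text rather than the hex code keeps the table stable across OpenSSL releases, since the same reason string ("http request") appears with different codes in 1.1 and 3.x.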