ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:1123)

My domain is: salty3.pipeos.one

I am running saltyrtc-server-python (https://github.com/saltyrtc/saltyrtc-server-python, a SaltyRTC signalling server implementation), which takes in the ssl certificate & key:

saltyrtc-server -v7 serve -p 8765 -tc /etc/letsencrypt/live/salty3.pipeos.one/fullchain.pem -tk /etc/letsencrypt/live/salty3.pipeos.one/privkey.pem -k /root/salty/permanent_key

Then I have an Nginx config that proxies the Websocket requests from port 443 to 8765. See below.

Running the saltyrtc-server in dev mode, without the certificate, works just fine. But, when I run it as above, and my client tries to connect through WebSocket, the SSL handshake fails with ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:1123). I've traced this back to ssl/record/ssl3_record.c in the OpenSSL_1_1_1-stable branch of openssl/openssl on GitHub:

               if ((version >> 8) != SSL3_VERSION_MAJOR) {
                    if (RECORD_LAYER_is_first_record(&s->rlayer)) {
                        /* Go back to start of packet, look at the five bytes
                         * that we have. */
                        p = RECORD_LAYER_get_packet(&s->rlayer);
                        if (strncmp((char *)p, "GET ", 4) == 0 ||
                            strncmp((char *)p, "POST ", 5) == 0 ||
                            strncmp((char *)p, "HEAD ", 5) == 0 ||
                            strncmp((char *)p, "PUT ", 4) == 0) {
                            SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_GET_RECORD,
                                     SSL_R_HTTP_REQUEST);
                            return -1;
                        } else if (strncmp((char *)p, "CONNE", 5) == 0) {
.............

Any suggestions as to what might be the problem?

# /etc/nginx/sites-available/salty3.pipeos.one

map $http_upgrade $connection_upgrade {
    default Upgrade;
    '' close;
}

upstream websocket {
    server 127.0.0.1:8765;
}
server {
            server_name salty3.pipeos.one;

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/salty3.pipeos.one/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/salty3.pipeos.one/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        proxy_set_header HOST $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass_request_headers on;
        proxy_pass http://websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

}

Full error: (with some dirty prints that I inserted)

(env39) root@salty2:~/salty# saltyrtc-server -v7 -c serve -p 8765 -tc /etc/letsencrypt/live/salty3.pipeos.one/fullchain.pem -tk /etc/letsencrypt/live/salty3.pipeos.one/privkey.pem -k /root/salty/permanent_key -dhp /etc/letsencrypt/ssl-dhparams.pem
****AAAAA tls_cert /etc/letsencrypt/live/salty3.pipeos.one/fullchain.pem
****AAAAA tls_key /etc/letsencrypt/live/salty3.pipeos.one/privkey.pem
****AAAAA ssl_context <ssl.SSLContext object at 0x7fd3b2747a40>
[2021-02-06 02:31:49.748517] DEBUG: asyncio: Using selector: EpollSelector
Starting
Primary public permanent key: 8fba4aeb0fcf54499c7ef477c42c0292f566e0f5f7ff422f9aa94bb0dd0b031a
****AAAAA before server.serve
****AAAAA post server.serve
[2021-02-06 02:31:49.756832] DEBUG: asyncio: Get address info None:8765, type=<SocketKind.SOCK_STREAM: 1>, flags=<AddressInfo.AI_PASSIVE: 1>
[2021-02-06 02:31:49.758085] DEBUG: asyncio: Getting address info None:8765, type=<SocketKind.SOCK_STREAM: 1>, flags=<AddressInfo.AI_PASSIVE: 1> took 0.230ms: [(<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_STREAM: 1>, 6, '', ('0.0.0.0', 8765)), (<AddressFamily.AF_INET6: 10>, <SocketKind.SOCK_STREAM: 1>, 6, '', ('::', 8765, 0, 0))]
[2021-02-06 02:31:49.759790] INFO: asyncio: <Server sockets=(<asyncio.TransportSocket fd=6, family=AddressFamily.AF_INET6, type=SocketKind.SOCK_STREAM, proto=6, laddr=('::', 8765, 0, 0)>, <asyncio.TransportSocket fd=7, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('0.0.0.0', 8765)>)> is serving
[2021-02-06 02:31:49.760216] DEBUG: saltyrtc.server: Server instance: <websockets.server.WebSocketServer object at 0x7fd3b2708c40>
Started
[2021-02-06 02:31:56.639680] DEBUG: asyncio: <Server sockets=(<asyncio.TransportSocket fd=6, family=AddressFamily.AF_INET6, type=SocketKind.SOCK_STREAM, proto=6, laddr=('::', 8765, 0, 0)>, <asyncio.TransportSocket fd=7, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('0.0.0.0', 8765)>)> got a new connection from ('127.0.0.1', 51540): <socket.socket fd=8, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('127.0.0.1', 8765), raddr=('127.0.0.1', 51540)>
[2021-02-06 02:31:56.642475] DEBUG: websockets.protocol: server - state = CONNECTING
[2021-02-06 02:31:56.645267] DEBUG: asyncio: ******AAAA _context <ssl.SSLContext object at 0x7fd3b2747a40>
[2021-02-06 02:31:56.645895] DEBUG: asyncio: <asyncio.sslproto.SSLProtocol object at 0x7fd3b266ec40> starts SSL handshake
[2021-02-06 02:31:56.646661] DEBUG: asyncio: *****AAAAA do_handshake pipe  'UNWRAPPED'
[2021-02-06 02:31:56.647318] DEBUG: asyncio: *****AAAAA do_handshake post wrapbio
[2021-02-06 02:31:56.647763] DEBUG: asyncio: ****AAAAA  feedssldata b''
[2021-02-06 02:31:56.648133] DEBUG: asyncio: ****AAAAA  feedssldata try 'DO_HANDSHAKE'
[2021-02-06 02:31:56.648634] DEBUG: asyncio: ****AAAAA  feedssldata exeption SSLWantReadError(2, 'The operation did not complete (read) (_ssl.c:1123)')
[2021-02-06 02:31:56.649072] DEBUG: asyncio: *****AAAAA do_handshake appdata []
[2021-02-06 02:31:56.649422] DEBUG: asyncio: *****AAAAA do_handshake ssldata []
[2021-02-06 02:31:56.650190] DEBUG: asyncio: ****AAAAA  before feed_ssldata <asyncio.sslproto.SSLProtocol object at 0x7fd3b266ec40>
[2021-02-06 02:31:56.650588] DEBUG: asyncio: ****AAAAA  feedssldata b'GET /ajax-loader.gif HTTP/1.1\r\nHOST: salty3.pipeos.one\r\nConnection: close\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4406.0 Safari/537.36\r\nAccept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Dest: image\r\nReferer: https://salty3.pipeos.one/app1\r\nAccept-Encoding: gzip, deflate, br\r\nAccept-Language: en-US,en;q=0.9\r\nCookie: __cfduid=d72bd537098796c58ce0959384352ff281612518707\r\n\r\n'
[2021-02-06 02:31:56.651029] DEBUG: asyncio: ****AAAAA  feedssldata try 'DO_HANDSHAKE'
[2021-02-06 02:31:56.651474] DEBUG: asyncio: ****AAAAA  feedssldata exeption SSLError(1, '[SSL: HTTP_REQUEST] http request (_ssl.c:1123)')
[2021-02-06 02:31:56.652913] DEBUG: asyncio: <asyncio.sslproto.SSLProtocol object at 0x7fd3b266ec40>: SSL handshake failed
Traceback (most recent call last):
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/sslproto.py", line 641, in _on_handshake_complete
    raise handshake_exc
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/sslproto.py", line 195, in feed_ssldata
    self._sslobj.do_handshake()
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/ssl.py", line 944, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:1123)
[2021-02-06 02:31:56.655172] DEBUG: asyncio: <asyncio.sslproto.SSLProtocol object at 0x7fd3b266ec40>: SSL error in data received
Traceback (most recent call last):
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/sslproto.py", line 538, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/sslproto.py", line 195, in feed_ssldata
    self._sslobj.do_handshake()
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/ssl.py", line 944, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:1123)
[2021-02-06 02:31:56.657243] ERROR: asyncio: Error on transport creation for incoming connection
handle_traceback: Handle created at (most recent call last):
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/base_events.py", line 629, in run_until_complete
    self.run_forever()
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/base_events.py", line 596, in run_forever
    self._run_once()
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/base_events.py", line 1882, in _run_once
    handle._run()
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/events.py", line 80, in _run
    self._context.run(self._callback, *self._args)
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/selector_events.py", line 978, in _call_connection_lost
    super()._call_connection_lost(exc)
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/selector_events.py", line 736, in _call_connection_lost
    self._protocol.connection_lost(exc)
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/sslproto.py", line 511, in connection_lost
    self._wakeup_waiter(exc)
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/sslproto.py", line 475, in _wakeup_waiter
    self._waiter.set_exception(exc)
protocol: <websockets.server.WebSocketServerProtocol object at 0x7fd3b2708100>
transport: <asyncio.sslproto._SSLProtocolTransport object at 0x7fd3b1dc3c40>
Traceback (most recent call last):
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/selector_events.py", line 218, in _accept_connection2
    await waiter
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/sslproto.py", line 538, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/asyncio/sslproto.py", line 195, in feed_ssldata
    self._sslobj.do_handshake()
  File "/root/.pyenv/versions/3.9.1/lib/python3.9/ssl.py", line 944, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:1123)

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0
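The OpenSSL check quoted above can be reproduced without nginx, sockets or certificate files. The following is an added example, not code from the thread or from the saltyrtc project: it drives a server-side ssl.SSLObject through in-memory BIOs, which is the same feed_ssldata -> do_handshake path asyncio's SSLProtocol uses in the traceback, and it also re-implements the five-byte record check in plain Python so the decision is visible. The HTTP bytes are constructed to mirror the request nginx sent in the log; the TLS bytes are a hand-built record header, not a real ClientHello.

```python
"""Reproduce the HTTP_REQUEST handshake failure offline (added example)."""
import ssl
from typing import Optional

# Constructed inputs. PLAINTEXT_HTTP is a cut-down copy of what nginx sent
# when proxy_pass used http://; TLS_RECORD_HEADER is a minimal TLS record
# header: content type 0x16 (handshake), record version 0x0301, length 0x00c5.
PLAINTEXT_HTTP = (
    b"GET /ajax-loader.gif HTTP/1.1\r\n"
    b"Host: salty3.pipeos.one\r\n"
    b"Connection: close\r\n\r\n"
)
TLS_RECORD_HEADER = b"\x16\x03\x01\x00\xc5"


def classify_first_bytes(data: bytes) -> str:
    """Pure-Python version of the check in OpenSSL's ssl3_get_record().

    A TLS record starts with a 1-byte content type followed by a 2-byte
    record version whose major byte is 3 (SSLv3 and every TLS 1.x). When
    that byte is not 3, OpenSSL looks at the first bytes of the packet:
    an HTTP method gives HTTP_REQUEST, a CONNECT line gives
    HTTPS_PROXY_REQUEST, anything else gives WRONG_VERSION_NUMBER.
    This helper always treats the packet as the first record.
    """
    if len(data) < 5:
        return "NEED_MORE_DATA"
    if data[1] == 3:
        return "TLS"
    if data.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return "HTTP_REQUEST"
    if data.startswith(b"CONNE"):
        return "HTTPS_PROXY_REQUEST"
    return "WRONG_VERSION_NUMBER"


def server_handshake_reason(data: bytes) -> Optional[str]:
    """Feed `data` to a server-side TLS handshake and return OpenSSL's reason.

    Returns None when OpenSSL merely wants more bytes (a valid record header
    with no body yet). No certificate is loaded on purpose: the record-layer
    check fires before the server ever needs one.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_side=True)
    incoming.write(data)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        return None
    except ssl.SSLError as exc:
        return exc.reason  # e.g. 'HTTP_REQUEST', matching the log above
    return "HANDSHAKE_COMPLETE"


if __name__ == "__main__":
    for label, sample in (("plaintext HTTP", PLAINTEXT_HTTP),
                          ("TLS record header", TLS_RECORD_HEADER)):
        print(f"{label}: check={classify_first_bytes(sample)} "
              f"openssl={server_handshake_reason(sample)}")
```

The practical reading: HTTP_REQUEST from a TLS server means the peer that connected to it (here nginx on 127.0.0.1) opened the connection in plaintext, so the fix belongs on the client side of that hop, not in the certificate or key.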

Hello @loredanacirstea,

Change that to

proxy_pass https://websocket;

Save the file, reload nginx and try again.

Cheers,
sahsanu

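The corrected server block, as an added example rather than the thread's own config, written out in full so the change is seen in context. Because saltyrtc-server terminates TLS itself on 127.0.0.1:8765, nginx has to open a TLS connection to it, which is what `https://` in proxy_pass does. The block also adds the proxy_ssl_* directives that make nginx actually verify the upstream certificate; without them nginx accepts any certificate the upstream presents. The CA bundle path is an assumption (Ubuntu's ca-certificates package installs it there), and proxy_ssl_name is set to the domain the Let's Encrypt certificate was issued for so that verification against public CAs succeeds.

```nginx
# /etc/nginx/sites-available/salty3.pipeos.one (added example, not the original)

map $http_upgrade $connection_upgrade {
    default Upgrade;
    '' close;
}

upstream websocket {
    server 127.0.0.1:8765;
}

server {
    server_name salty3.pipeos.one;

    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    ssl_certificate     /etc/letsencrypt/live/salty3.pipeos.one/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/salty3.pipeos.one/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        # The scheme must match what the upstream speaks:
        #   http://  -> nginx sends a plaintext GET; a TLS upstream rejects it
        #               with [SSL: HTTP_REQUEST]
        #   https:// -> nginx runs its own TLS handshake with the upstream
        proxy_pass https://websocket;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Verify the upstream certificate instead of trusting whatever it sends.
        # Optional on loopback, necessary as soon as the upstream is another host.
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_server_name on;
        proxy_ssl_name salty3.pipeos.one;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # assumed Ubuntu path
    }
}
```

Check the upstream independently before reloading nginx: `openssl s_client -connect 127.0.0.1:8765 -servername salty3.pipeos.one </dev/null` should print the Let's Encrypt chain and `Verify return code: 0 (ok)`; a plaintext upstream would leave s_client hanging or print `wrong version number` instead. Then `nginx -t && systemctl reload nginx`. The alternative, when both ends stay on the same box, is to run saltyrtc-server without -tc/-tk and keep `proxy_pass http://websocket;`, so that TLS is terminated once, at nginx.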

It works! Thank you!
Oh wow, this should have been an obvious thing to test.


Question: Why would you need to encrypt this connection?
[127.0.0.1:xxxxx > 127.0.0.1:8765 should never leave the same box]
[unless you obfuscated the real IPs and they are actually on two different boxes?]
