Getting Server error: dispatch(Transport Layer Security Error: Success #50

NathanFlurry opened this issue Jul 26, 2017 · 10 comments

@NathanFlurry

Hello,

I'm having some issues getting TLS running on Ubuntu 16.04 x64 with Vapor 2.1.2. I've generated TLS certificates using Cloudflare and placed them in the appropriate directory. However, when I start my application and make a request at the proper domain, I get this error:

Server error: dispatch(Transport Layer Security Error: Success

Identifier: TLS.TLSError.SSL_read (0))
Server error: dispatch(Sockets Error: Socket is closed

Identifier: Sockets.SocketsError.socketIsClosed)
Server error: accept(Sockets Error: Socket is closed

Identifier: Sockets.SocketsError.socketIsClosed)
Server error: accept(Sockets Error: Socket is closed
[previous two lines spammed into the console forever]

This is what I'm using for my servers.json config in production:

{
	"port": "443",
	"securityLayer": "tls",
	"tls": {
		"verifyHost": true,
		"certificates": "files",
		"certificateFile": "/app/Certs/cert.pem",
		"privateKeyFile": "/app/Certs/key.pem",
		"signature": "selfSigned"
	}
}

I can't figure out what's going on, so any help would be much appreciated. Could it be that Vapor is interpreting a success as an error, since it's saying Transport Layer Security Error: Success?

Thanks,
Nathan Flurry

@tanner0101 tanner0101 self-assigned this Jul 29, 2017
@tanner0101 tanner0101 added the bug label Jul 29, 2017
@tanner0101
Contributor

It looks like we're testing this exact use case here: https://github.com/vapor/tls/blob/master/Tests/TLSTests/LiveTests.swift#L169-L180. No idea why it would be working there and not for you. Maybe it has something to do w/ the certificates?

If you could submit a method for me to reproduce this that would help a lot.

@popaaaandrei

popaaaandrei commented Dec 23, 2017

Guys, any news?

I got the same error on macOS 10.12.6 with new vapor new test1 --template=web, built using swift build

{
    "port": "8443",
    "host": "0.0.0.0",
    "securityLayer": "tls",
    "tls": {
        "verifyHost": true,
        "certificates": "files",
        "certificateFile": "/Volumes/Documente/Repositories/Test-Vapor/Test-Vapor/Certificates/servercert.pem",
        "privateKeyFile" : "/Volumes/Documente/Repositories/Test-Vapor/Test-Vapor/Certificates/serverkey.pem",
        "signature": "selfSigned"
    }
}

GET /

Server error: dispatch(Transport Layer Security Error: The TLS/SSL connection has been closed.

Identifier: TLS.TLSError.SSL_read (0))
Server error: accept(Sockets Error: Failed trying to accept a new connection

Identifier: Sockets.SocketsError.acceptFailed

Here are some possible causes: 
- `bind` has not been called first
- `listen` has not been called first)
Server error: accept(Sockets Error: Socket is closed

Identifier: Sockets.SocketsError.socketIsClosed)
Server error: accept(Sockets Error: Socket is closed

Identifier: Sockets.SocketsError.socketIsClosed)
Server error: accept(Sockets Error: Socket is closed

Identifier: Sockets.SocketsError.socketIsClosed)
Server error: accept(Sockets Error: Socket is closed

Thank you,
Andrei

@f-meloni

f-meloni commented Jan 3, 2018

Hey guys,
I'm having this problem as well. Is there any news about this?

@tanner0101
Contributor

@popaaaandrei if you try with these certificates does it work: https://github.com/vapor/tls/blob/master/Tests/TLSTests/Certs.swift

The test here seems to be passing so I wonder if it has to do with the certificates you are using.

Either way, I would also recommend using Nginx for TLS if you can.

@popaaaandrei

popaaaandrei commented Jan 11, 2018

@tanner0101 the certificates that I used were self-signed. And using my proposal it worked with curl --insecure. I also need to check with signed certificates but I need to bind to a domain.....

Plus, the errors that are reported in this issue are not related to data not being correctly read; it's the fact that Socket is closed, because of a bug in public func read(max: Int, into buffer: inout Bytes) throws -> Int

@vzsg
Member

vzsg commented Jan 11, 2018

The test is misleading. The first request seems to succeed (which is covered by the test), but the second and subsequent requests will all fail.

@rgkobashi

I am having the same issue: the first request succeeds but the subsequent ones fail. Is there any update/fix or workaround for this?

@vzsg
Member

vzsg commented Feb 24, 2018

Use nginx for TLS termination and forgive/forget the unfulfilled promise of doing TLS directly with the Vapor 2 server.

@rgkobashi

What I was trying to do was use TLS on my development machine so I can use https://localhost. Is there another way to achieve this without nginx? And also one question (I don't know if this is the right place though): I am deploying my app to Heroku; is it still necessary to set securityLayer, or does Heroku handle that? Thanks in advance!

@vzsg
Member

vzsg commented Feb 24, 2018

I'm not aware of any tools that could do it for you, but maybe others are.

On Heroku, you must disable the securityLayer and serve HTTP on the port specified by the system; their network stack will handle TLS (both termination and certificate management) automatically.
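
The nginx TLS termination recommended twice in this thread could look like the following. This is an added example, not configuration posted by any participant or shipped by the Vapor project. The server name example.com and the upstream address 127.0.0.1:8080 are assumptions; the certificate paths are the ones from the servers.json in the first post.

```nginx
# Constructed example: nginx terminates TLS, Vapor serves plain HTTP behind it.
# Assumptions (not from the thread): server_name example.com, and Vapor
# listening on 127.0.0.1:8080 with its securityLayer disabled. Binding Vapor's
# "host" to 127.0.0.1 rather than 0.0.0.0 keeps the plaintext port off the
# network, so the only external path to the app is through the TLS listener.

server {
    listen 443 ssl;
    server_name example.com;

    # Certificate and key paths taken from the servers.json in the first post.
    # The key file should be readable only by the user nginx starts as.
    ssl_certificate     /app/Certs/cert.pem;
    ssl_certificate_key /app/Certs/key.pem;

    # Refuse legacy protocol versions. The TLSv1.3 parameter needs
    # nginx 1.13.0 or later; drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;

        # Pass the original host, client address and scheme to the app.
        # The app should trust these headers only because the upstream
        # port is reachable from nginx alone.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Redirect plain HTTP to HTTPS so no request is served unencrypted.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

Running `nginx -t` before reloading checks the syntax and confirms that the certificate and key files load.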
