nixos-install hang on https://cache.nixos.org/nix-cache-info (SSL issue?) #9081

Closed
zimbatm opened this Issue Aug 1, 2015 · 9 comments

3 participants
@zimbatm
Member

zimbatm commented Aug 1, 2015

Using the nixos-minimal-14.12.496.5f7d374-x86_64-linux.iso, I am trying to install on Vultr.

[root@nixos:~]# nixos-install
building the system configuration...
download-from-binary-cache.pl: still waiting for ‘https://cache.nixos.org/nix-cache-info’ after 5 seconds...

curl hangs during the SSL handshake:

[root@nixos:~]# curl -vvvv https://cache.nixos.org/nix-cache-info
* Hostname was NOT found in DNS cache
*   Trying 54.192.195.147...
* Connected to cache.nixos.org (54.192.195.147) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):

The same command without SSL works just fine. Is it possible that SSLv3 is not supported by CloudFront anymore?

@vcunat


Member

vcunat commented Aug 2, 2015

My curl succeeds with TLSv1.2. IIRC SSLv3 is deprecated and currently being disallowed in various places, though I don't see how that would cause this problem. Your version of curl succeeds for me with a slightly different log:

SSLv3, TLS handshake, Client hello (1):
[...]
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256

Could it be just some temporary problem? If not, your part of curl log doesn't show any error.

@zimbatm


Member

zimbatm commented Aug 2, 2015

Thanks for taking the time to test it with the same curl version. I have a different one on my machine that initiates the connection with TLSv1.2, so I assumed that was the issue.
I don't understand why CloudFront would work using HTTP but not HTTPS unless it was a software error. I have seen situations where the responses get lost, but then the TCP handshake wouldn't complete and plain HTTP wouldn't work either.
After running the same command a lot of times, I had one instance where the response would hang after the HTTP headers were returned.

@zimbatm


Member

zimbatm commented Aug 2, 2015

It's definitely a routing problem. I changed the MTU from 1500 to 1000 and everything seems to be going fine now.

@zimbatm zimbatm closed this Aug 2, 2015

@zimbatm


Member

zimbatm commented Aug 2, 2015

Thanks for listening :)

@zimbatm


Member

zimbatm commented Aug 2, 2015

https://en.wikipedia.org/wiki/Path_MTU_Discovery#Problems

It seems like someone is blocking Path MTU Discovery. Ping messages bigger than 1448 don't seem to work.

> ping -n -M do -s 1448 cache.nixos.org
PING d3m36hgdyp4koz.cloudfront.net (54.230.60.122) 1448(1476) bytes of data.
1456 bytes from 54.230.60.122: icmp_seq=1 ttl=55 time=31.1 ms
1456 bytes from 54.230.60.122: icmp_seq=2 ttl=55 time=30.2 ms
> ping -n -M do -s 1449 cache.nixos.org
...
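The manual probe above (DF-flagged pings of growing payload size) can be automated as a binary search for the largest payload that still gets through. The script below is an added example written for this thread, not code from the issue; it assumes iputils `ping` and accepts an injectable probe function so the search logic can be checked offline. An ICMP echo payload of N bytes travels in an N + 28 byte IPv4 packet (20-byte IP header + 8-byte ICMP header), which is why the 1448-byte payload shows up as 1476 bytes in the log.

```shell
#!/bin/sh
# Path-MTU probe: find the largest DF ping payload a path accepts, then
# report the packet size that corresponds to it. Added example, not from
# the original issue; assumes iputils ping (-M do sets the DF bit).

IP_ICMP_OVERHEAD=28   # 20-byte IPv4 header + 8-byte ICMP echo header

# payload_to_mtu PAYLOAD -> on-the-wire packet size (1448 -> 1476)
payload_to_mtu() {
    echo $(( $1 + IP_ICMP_OVERHEAD ))
}

# Real probe: one DF ping with the given payload; exit 0 iff a reply came back.
# Usage: ping_probe PAYLOAD HOST
ping_probe() {
    ping -n -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload HOST [PROBE_FN] [LO] [HI]
# Binary search: LO is assumed to work, HI is the upper bound to test.
# PROBE_FN is called as "PROBE_FN PAYLOAD HOST" and must return 0 on success;
# it defaults to ping_probe but can be replaced (e.g. for an offline test).
find_max_payload() {
    local host=$1 probe=${2:-ping_probe} lo=${3:-0} hi=${4:-1472} mid
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$mid" "$host"; then
            lo=$mid            # this size passed: answer is >= mid
        else
            hi=$(( mid - 1 ))  # dropped (no reply): answer is < mid
        fi
    done
    echo "$lo"
}

# report_pmtu HOST: human-readable summary, like the manual test in the thread.
report_pmtu() {
    local payload
    payload=$(find_max_payload "$1")
    echo "largest DF payload to $1: $payload bytes" \
         "(packet size $(payload_to_mtu "$payload"); MTU 1500 would allow 1472)"
}

# Only probe a live host when one is given on the command line.
if [ $# -gt 0 ]; then
    report_pmtu "$1"
fi
```

If the reported packet size is below the interface MTU (1476 instead of 1500 here), something on the path drops large DF packets and the ICMP "fragmentation needed" messages that Path MTU Discovery relies on are not getting back, which matches the hang described above.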
@vcunat


Member

vcunat commented Aug 2, 2015

It might be a location-dependent CloudFront problem. I found a report of an MTU problem.

@zimbatm


Member

zimbatm commented Aug 2, 2015

Thanks again for your help. I've raised an issue with Vultr; let's see what else they can find out.

Most of these issues seem so mechanical to find that I'm surprised there is not a tool that checks everything (DNS, routing, MTU path discovery, SSL negotiation, HTTP protocol, ...) and makes a report that points to the most likely error.

On Sun, 2 Aug 2015 at 13:11 Vladimír Čunát notifications@github.com wrote:

It might be a location-dependent cloudfront problem. I found a report of a MTU problem https://forums.aws.amazon.com/thread.jspa?threadID=121976.

@obadz


Contributor

obadz commented May 14, 2016

@zimbatm, how do you change the MTU?

@zimbatm


Member

zimbatm commented May 14, 2016

For testing, use ifconfig enp0s3 mtu 1450 (where enp0s3 is your network interface name and 1450 the new MTU).

If you want to set it persistently across reboots, you can set it in your /etc/nixos/configuration.nix file:

{
networking.interfaces.enp0s3.mtu = 1450;
}
