Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS Handshake Issue in WSL2 but not in Host #13233

Closed
2 of 3 tasks
cody-scott opened this issue Feb 8, 2023 · 3 comments
Closed
2 of 3 tasks

TLS Handshake Issue in WSL2 but not in Host #13233

cody-scott opened this issue Feb 8, 2023 · 3 comments
Labels
lifecycle/locked

Comments

@cody-scott
Copy link

cody-scott commented Feb 8, 2023
edited

  • I have tried with the latest version of Docker Desktop
  • I have tried disabling enabled experimental features
  • I have uploaded Diagnostics
  • Diagnostics ID:

Actual behavior

running docker pull hello-world results in Error response from daemon: Get "https://registry-1.docker.io/v2/": net/http: TLS handshake timeout from the client within WSL2. Following this, some websites become unreachable from my windows host.

docker pull hello-world performs as expected from powershell in windows. Image pulls successfully.

curl -iv https://registry-1.docker.io/v2/ from WSL2 container to docker results in successful connections and response.

*   Trying 44.205.64.79:443...
* Connected to registry-1.docker.io (44.205.64.79) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.docker.com
*  start date: Oct 31 00:00:00 2022 GMT
*  expire date: Nov 30 23:59:59 2023 GMT
*  subjectAltName: host "registry-1.docker.io" matched cert's "*.docker.io"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /v2/ HTTP/1.1
> Host: registry-1.docker.io
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
< content-type: application/json
content-type: application/json
< docker-distribution-api-version: registry/2.0
docker-distribution-api-version: registry/2.0
< www-authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"
www-authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"
< date: Mon, 23 Jan 2023 21:30:13 GMT
date: Mon, 23 Jan 2023 21:30:13 GMT
< content-length: 87
content-length: 87
< strict-transport-security: max-age=31536000
strict-transport-security: max-age=31536000

<
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
* Connection #0 to host registry-1.docker.io left intact

I have a suspicion it is related to VPNKit or something with how its delivering the request back to the host machine from docker. My initial guess was MTU related, but setting all MTU values to be a smaller number (1200) still results in the same error behaviour. Success in windows, fail in WSL2, broken network.

My other guess was it something related to TLS1.2 vs 1.3. From windows docker is negotiating 1.2, but its unclear what WSL2 is trying to do (1.3 or 1.2). Enabling 1.3 in internet settings results in no change.

Wireshark shows Incomplete. ESTABLISHED (7). so it looks like its at least getting started, but then fails.

Time is also in sync between the host/vm.

Expected behavior

successful pull of the image from docker to WSL2 machine

Information

  • Windows Version: 2H22
  • Docker Desktop Version: 4.16.3
  • WSL2 or Hyper-V backend? WSL2
  • Are you running inside a virtualized Windows e.g. on a cloud server or a VM: No

Output of & "C:\Program Files\Docker\Docker\resources\com.docker.diagnose.exe" check

Starting diagnostics

[PASS] DD0027: is there available disk space on the host?
[PASS] DD0028: is there available VM disk space?
[PASS] DD0002: does the bootloader have virtualization enabled?
[SKIP] DD0018: does the host support virtualization?
[PASS] DD0001: is the application running?
[PASS] DD0022: is the Virtual Machine Platform Windows Feature enabled?
[PASS] DD0021: is the WSL 2 Windows Feature enabled?
[PASS] DD0024: is WSL installed?
[PASS] DD0025: are WSL distros installed?
[PASS] DD0026: is the WSL LxssManager service running?
[PASS] DD0029: is the WSL 2 Linux filesystem corrupt?
[PASS] DD0035: is the VM time synchronized?
[PASS] DD0017: can a VM be started?
[PASS] DD0016: is the LinuxKit VM running?
[PASS] DD0011: are the LinuxKit services running?
[PASS] DD0004: is the Docker engine running?
[PASS] DD0015: are the binary symlinks installed?
[PASS] DD0031: does the Docker API work?
[PASS] DD0013: is the $PATH ok?
[PASS] DD0003: is the Docker CLI working?
[PASS] DD0005: is the user in the docker-users group?
[PASS] DD0038: is the connection to Docker working?
[PASS] DD0014: are the backend processes running?
[PASS] DD0007: is the backend responding?
[PASS] DD0008: is the native API responding?
[PASS] DD0009: is the vpnkit API responding?
[PASS] DD0010: is the Docker API proxy responding?
[PASS] DD0006: is the Docker Desktop Service responding?
[SKIP] DD0030: is the image access management authorized?
[PASS] DD0033: does the host have Internet access?
[PASS] DD0002: does the bootloader have virtualization enabled?
[PASS] DD0018: does the host support virtualization?
[PASS] DD0001: is the application running?
[PASS] DD0022: is the Virtual Machine Platform Windows Feature enabled?
[PASS] DD0021: is the WSL 2 Windows Feature enabled?
[PASS] DD0024: is WSL installed?
[PASS] DD0025: are WSL distros installed?
[PASS] DD0026: is the WSL LxssManager service running?
[PASS] DD0029: is the WSL 2 Linux filesystem corrupt?
[PASS] DD0035: is the VM time synchronized?
[PASS] DD0017: can a VM be started?
[PASS] DD0016: is the LinuxKit VM running?
[PASS] DD0011: are the LinuxKit services running?
[PASS] DD0004: is the Docker engine running?
[PASS] DD0015: are the binary symlinks installed?
[PASS] DD0031: does the Docker API work?
[PASS] DD0032: do Docker networks overlap with host IPs?
No fatal errors detected.
@OlegHudyma
Copy link

@namur007 Were you able to resolve this issue?

@cody-scott
Copy link
Author

I actually did. My situation turned out to be related to the windows service OpenSSH Authentication Agent. For some reason it was in manual mode. Once i swapped it to automatic (and rebooted) it has worked fine ever since.

@docker-robot
Copy link

docker-robot bot commented Jun 23, 2023

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

/lifecycle locked

@docker-robot docker-robot bot locked and limited conversation to collaborators Jun 23, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
lifecycle/locked
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cody-scott @OlegHudyma