SSL Error Trying to Visit Dapp

[samsiegart]

When going to app.inter.trade, it redirects to the cf-ipfs URL but the page fails to load. Refreshing a few times seems to fix it. This only happens occasionally.

[samsiegart]

We've been seeing this issue more frequently now reported by several users. Personally I find that refreshing over and over does not get around the error anymore.

[samsiegart]

It might be something to do with the ISP, but difficult to track down the root cause. Potential course of action could be to inquire with cloudflare, or look into other ipfs hosting methods such as fleek.co or https://www.pinata.cloud/

[mhofman]

I got a clean trace.

the error is SSL_R_WRONG_VERSION_NUMBER: 247 triggered from https://github.com/google/boringssl/blob/b6e0eba6e62333652290514e51b75b966b27b27c/ssl/tls_record.cc#L231C28-L231C54

The relevant parts of the trace:

Connection 1

Trace:

t=1524 [st=21]   +SSL_CONNECT  [dt=4]
t=1525 [st=22]      SSL_HANDSHAKE_MESSAGE_SENT
                    --> bytes =
                      01 00 02 2B 03 03 B3 BD  5C B5 43 B5 F3 97 E0 A2   . .+....\.C.....
                      95 69 AA 3F 8D D1 BB F7  3C C6 75 2D 4F FD EB 75   .i.?....<.u-O..u
                      1A 50 F7 59 72 EE 20 F4  E2 90 9A 77 A5 26 E2 4E   .P.Yr. ....w.&.N
                      EA 32 2D 63 A8 02 1A 5B  29 39 82 FA B3 29 0C 50   .2-c...[)9...).P
                      C0 79 3D B2 E8 41 00 00  20 1A 1A 13 01 13 02 13   .y=..A   .......
                      03 C0 2B C0 2F C0 2C C0  30 CC A9 CC A8 C0 13 C0   ..+./.,.0.......
                      14 00 9C 00 9D 00 2F 00  35 01 00 01 C2 EA EA 00   . . . / 5. .... 
                      00 00 12 00 00 00 05 00  05 01 00 00 00 00 00 33     .   . ..     3
                      00 2B 00 29 9A 9A 00 01  00 00 1D 00 20 C6 42 24    + ).. .  .  .B$
                      06 E4 4B 89 EE 46 A8 57  B5 21 F1 8F 46 26 E0 6C   ..K..F.W.!..F&.l
                      E9 B9 0B 4B BD 64 5E FF  71 52 9C 3B 75 00 0D 00   ...K.d^.qR.;u . 
                      12 00 10 04 03 08 04 04  01 05 03 08 05 05 01 08   . ..............
                      06 06 01 00 17 00 00 00  2B 00 07 06 9A 9A 03 04   ... .   + ......
                      03 03 FE 0D 00 BA 00 00  01 00 01 4C 00 20 53 85   .... .  . .L  S.
                      D2 85 C6 79 D4 BA C6 22  FA E4 1E AA 57 D9 3F 09   ...y..."....W.?.
                      DA A8 21 63 EA 76 E2 A4  F8 19 3E 97 84 33 00 90   ..!c.v....>..3 .
                      3B AA 82 D1 FC E0 90 11  F9 CF 0F CD F3 72 9E 3F   ;............r.?
                      8D 73 F8 7D 28 30 AE A0  DD D4 0D 61 14 ED A8 43   .s.}(0.....a...C
                      E2 4D 1B 34 95 EA D6 4E  79 7D 93 82 1F 67 D1 24   .M.4...Ny}...g.$
                      EC CD 10 1A 80 5E E2 4B  A8 CF 5A 68 0A 61 03 84   .....^.K..Zh.a..
                      0A 38 F9 3F 6D 4B 9E 00  80 C7 7C 8B 39 8E 4F FE   .8.?mK. ..|.9.O.
                      44 61 CE 6C 5E A3 C4 A1  DC 1B 3A 06 1B C4 9E 45   Da.l^.....:....E
                      45 BB BC FC C8 6D C0 02  EB 33 51 CE A7 48 F9 AE   E....m...3Q..H..
                      8E F7 A4 C1 20 A6 4A EE  F4 B0 A2 CB 44 4F 4E 41   .... .J.....DONA
                      91 28 27 9D 02 38 EE 6D  0F 56 E4 AD EC D8 6D 40   .('..8.m.V....m@
                      00 2D 00 02 01 01 FF 01  00 01 00 44 69 00 05 00    - ..... . Di . 
                      03 02 68 32 00 23 00 00  00 0A 00 0A 00 08 9A 9A   ..h2 #   . . ...
                      00 1D 00 17 00 18 00 00  00 51 00 4F 00 00 4C 62    . . .   Q O  Lb
                      61 66 79 62 65 69 67 64  33 6F 76 77 68 79 74 65   afybeigd3ovwhyte
                      68 34 6E 79 33 61 76 76  72 33 32 6F 6B 35 7A 64   h4ny3avvr32ok5zd
                      78 69 6C 6E 67 6F 7A 34  36 76 6E 73 78 74 61 64   xilngoz46vnsxtad
                      66 71 61 78 74 6E 75 77  34 34 2E 69 70 66 73 2E   fqaxtnuw44.ipfs.
                      63 66 2D 69 70 66 73 2E  63 6F 6D 00 10 00 0E 00   cf-ipfs.com . . 
                      0C 02 68 32 08 68 74 74  70 2F 31 2E 31 00 1B 00   ..h2.http/1.1 . 
                      03 02 00 02 00 0B 00 02  01 00 7A 7A 00 01 00      .. . . .. zz . 
                    --> type = 1
t=1525 [st=22]      SOCKET_BYTES_SENT
                    --> byte_count = 564
t=1528 [st=25]      SOCKET_BYTES_RECEIVED
                    --> byte_count = 256
t=1528 [st=25]      SOCKET_BYTES_SENT
                    --> byte_count = 7
t=1528 [st=25]      SSL_ALERT_SENT
                    --> bytes =
                      02 46                                              .F
t=1528 [st=25]      SSL_HANDSHAKE_ERROR
                    --> error_lib = 16
                    --> error_reason = 247
                    --> file = "..\\..\\third_party\\boringssl\\src\\ssl\\tls_record.cc"
                    --> line = 231
                    --> net_error = -107 (ERR_SSL_PROTOCOL_ERROR)
                    --> ssl_error = 1
t=1528 [st=25]   -SSL_CONNECT
                  --> net_error = -107 (ERR_SSL_PROTOCOL_ERROR)
t=1528 [st=25]    SOCKET_CLOSED

Parsed handshake:

[
  {
    "ClientHello": {
      "version": "Tls12",
      "random_data": "d6b934ab78a49e24c639117a3217f486aa0dabb9836cd783aaa87242db81648",
      "session_id": "34cd5d2133a54314db2484f8b220b9f40ac843d6ec5f3e8cf29f374f0e7dfb7",
      "cipherlist": [
        "0xbaba(Unknown cipher)",
        "0x1301(TLS_AES_128_GCM_SHA256)",
        "0x1302(TLS_AES_256_GCM_SHA384)",
        "0x1303(TLS_CHACHA20_POLY1305_SHA256)",
        "0xc02b(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)",
        "0xc02f(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)",
        "0xc02c(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)",
        "0xc030(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)",
        "0xcca9(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256)",
        "0xcca8(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)",
        "0xc013(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)",
        "0xc014(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)",
        "0x009c(TLS_RSA_WITH_AES_128_GCM_SHA256)",
        "0x009d(TLS_RSA_WITH_AES_256_GCM_SHA384)",
        "0x002f(TLS_RSA_WITH_AES_128_CBC_SHA)",
        "0x0035(TLS_RSA_WITH_AES_256_CBC_SHA)"
      ],
      "compressionlist": [
        "Null"
      ],
      "extensions": [
        "TlsExtension::Grease(0x8a8a,data=[])",
        "TlsExtension::SignatureAlgorithms([\"ecdsa_secp256r1_sha256\", \"rsa_pss_rsae_sha256\", \"rsa_pkcs1_sha256\", \"ecdsa_secp384r1_sha384\", \"rsa_pss_rsae_sha384\", \"rsa_pkcs1_sha384\", \"rsa_pss_rsae_sha512\", \"rsa_pkcs1_sha512\"])",
        "TlsExtension::StatusRequest(Some((OCSP, [0, 0, 0, 0])))",
        "TlsExtension::SupportedVersions(v=[\"TlsVersion(35466 / 0x8a8a)\", \"Tls13\", \"Tls12\"])",
        "TlsExtension::PskExchangeModes([1])",
        "TlsExtension::KeyShare(data=[00 29 fa fa 00 01 00 00 1d 00 20 ec 73 21 17 3a 7f cd 7e cf c6 bb b7 1e ff ab 65 93 08 78 aa 10 3b 9c 08 40 0a b4 69 3e e3 b6 55])",
        "TlsExtension::SessionTicket(data=[])",
        "TlsExtension::RenegotiationInfo(data=[])",
        "TlsExtension::ExtendedMasterSecret",
        "TlsExtension::SNI([\"type=HostName,name=bafybeigd3ovwhyteh4ny3avvr32ok5zdxilngoz46vnsxtadfqaxtnuw44.ipfs.cf-ipfs.com\"])",
        "TlsExtension::EllipticCurves([\"NamedGroup(64250 / 0xfafa)\", \"EcdhX25519\", \"Secp256r1\", \"Secp384r1\"])",
        "TlsExtension::Unknown(type=0x4469,data=[0, 3, 2, 104, 50])",
        "TlsExtension::Unknown(type=0xfe0d,data=[0, 0, 1, 0, 1, 188, 0, 32, 88, 187, 130, 5, 161, 173, 82, 134, 237, 0, 152, 151, 30, 76, 53, 252, 176, 107, 151, 74, 198, 134, 38, 100, 185, 15, 204, 19, 56, 122, 115, 93, 0, 144, 139, 195, 35, 67, 65, 63, 171, 135, 137, 145, 137, 21, 51, 246, 68, 184, 164, 53, 89, 105, 179, 206, 249, 59, 210, 30, 13, 180, 139, 226, 114, 197, 110, 116, 245, 207, 209, 195, 213, 196, 88, 5, 28, 123, 47, 213, 63, 202, 121, 202, 252, 245, 74, 206, 153, 3, 186, 102, 91, 38, 235, 41, 32, 149, 62, 244, 81, 69, 156, 237, 54, 35, 159, 136, 14, 216, 155, 120, 127, 162, 23, 11, 239, 153, 8, 218, 63, 143, 7, 174, 248, 235, 68, 241, 126, 183, 103, 211, 23, 75, 133, 47, 43, 157, 142, 20, 201, 83, 234, 69, 139, 240, 254, 38, 152, 255, 223, 180, 112, 236, 67, 169, 219, 9, 253, 130, 76, 103, 220, 62, 8, 117, 48, 212, 144, 87, 82, 42, 248, 105, 156, 173, 35, 152])",
        "TlsExtension::ALPN([\"h2\", \"http/1.1\"])",
        "TlsExtension::Unknown(type=0x1b,data=[2, 0, 2])",
        "TlsExtension::SignedCertificateTimestamp(data=None)",
        "TlsExtension::EcPointFormats([0])",
        "TlsExtension::Grease(0xaaaa,data=[00])"
      ]
    }
  }
]

Connection 2

Trace:

t=1567 [st=39]   +SSL_CONNECT  [dt=4]
t=1567 [st=39]      SSL_HANDSHAKE_MESSAGE_SENT
                    --> bytes =
                      01 00 02 2B 03 03 D6 B9  34 AB 78 A4 9E 02 4C 63   . .+....4.x...Lc
                      91 17 A3 21 7F 48 6A A0  DA BB 98 36 CD 78 3A AA   ...!.Hj....6.x:.
                      87 24 2D B8 16 48 20 34  CD 5D 21 33 A5 43 14 DB   .$-..H 4.]!3.C..
                      24 84 F8 B2 20 B9 F4 00  AC 84 3D 6E C5 F3 E8 CF   $... .. ..=n....
                      29 F3 74 F0 E7 DF B7 00  20 BA BA 13 01 13 02 13   ).t....  .......
                      03 C0 2B C0 2F C0 2C C0  30 CC A9 CC A8 C0 13 C0   ..+./.,.0.......
                      14 00 9C 00 9D 00 2F 00  35 01 00 01 C2 8A 8A 00   . . . / 5. .... 
                      00 00 0D 00 12 00 10 04  03 08 04 04 01 05 03 08     . . ..........
                      05 05 01 08 06 06 01 00  05 00 05 01 00 00 00 00   ....... . ..    
                      00 2B 00 07 06 8A 8A 03  04 03 03 00 2D 00 02 01    + ........ - ..
                      01 00 33 00 2B 00 29 FA  FA 00 01 00 00 1D 00 20   . 3 + ).. .  .  
                      EC 73 21 17 3A 7F CD 7E  CF C6 BB B7 1E FF AB 65   .s!.:..~.......e
                      93 08 78 AA 10 3B 9C 08  40 0A B4 69 3E E3 B6 55   ..x..;[email protected]>..U
                      00 23 00 00 FF 01 00 01  00 00 17 00 00 00 00 00    #  .. .  .     
                      51 00 4F 00 00 4C 62 61  66 79 62 65 69 67 64 33   Q O  Lbafybeigd3
                      6F 76 77 68 79 74 65 68  34 6E 79 33 61 76 76 72   ovwhyteh4ny3avvr
                      33 32 6F 6B 35 7A 64 78  69 6C 6E 67 6F 7A 34 36   32ok5zdxilngoz46
                      76 6E 73 78 74 61 64 66  71 61 78 74 6E 75 77 34   vnsxtadfqaxtnuw4
                      34 2E 69 70 66 73 2E 63  66 2D 69 70 66 73 2E 63   4.ipfs.cf-ipfs.c
                      6F 6D 00 0A 00 0A 00 08  FA FA 00 1D 00 17 00 18   om . . ... . . .
                      44 69 00 05 00 03 02 68  32 FE 0D 00 BA 00 00 01   Di . ..h2.. .  .
                      00 01 BC 00 20 58 BB 82  05 A1 AD 52 86 ED 00 98    ..  X.....R.. .
                      97 1E 4C 35 FC B0 6B 97  4A C6 86 26 64 B9 0F CC   ..L5..k.J..&d...
                      13 38 7A 73 5D 00 90 8B  C3 23 43 41 3F AB 87 89   .8zs] ...#CA?...
                      91 89 15 33 F6 44 B8 A4  35 59 69 B3 CE F9 3B D2   ...3.D..5Yi...;.
                      1E 0D B4 8B E2 72 C5 6E  74 F5 CF D1 C3 D5 C4 58   .....r.nt......X
                      05 1C 7B 2F D5 3F CA 79  CA FC F5 4A CE 99 03 BA   ..{/.?.y...J....
                      66 5B 26 EB 29 20 95 3E  F4 51 45 9C ED 36 23 9F   f[&.) .>.QE..6#.
                      88 0E D8 9B 78 7F A2 17  0B EF 99 08 DA 3F 8F 07   ....x........?..
                      AE F8 EB 44 F1 7E B7 67  D3 17 4B 85 2F 2B 9D 8E   ...D.~.g..K./+..
                      14 C9 53 EA 45 8B F0 FE  26 98 FF DF B4 70 EC 43   ..S.E...&....p.C
                      A9 DB 09 FD 82 4C 67 DC  3E 08 75 30 D4 90 57 52   .....Lg.>.u0..WR
                      2A F8 69 9C AD 23 98 00  10 00 0E 00 0C 02 68 32   *.i..#. . . ..h2
                      08 68 74 74 70 2F 31 2E  31 00 1B 00 03 02 00 02   .http/1.1 . .. .
                      00 12 00 00 00 0B 00 02  01 00 AA AA 00 01 00       .   . .. .. . 
                    --> type = 1
t=1567 [st=39]      SOCKET_BYTES_SENT
                    --> byte_count = 564
t=1571 [st=43]      SOCKET_BYTES_RECEIVED
                    --> byte_count = 256
t=1571 [st=43]      SOCKET_BYTES_SENT
                    --> byte_count = 7
t=1571 [st=43]      SSL_ALERT_SENT
                    --> bytes =
                      02 46                                              .F
t=1571 [st=43]      SSL_HANDSHAKE_ERROR
                    --> error_lib = 16
                    --> error_reason = 247
                    --> file = "..\\..\\third_party\\boringssl\\src\\ssl\\tls_record.cc"
                    --> line = 231
                    --> net_error = -107 (ERR_SSL_PROTOCOL_ERROR)
                    --> ssl_error = 1
t=1571 [st=43]   -SSL_CONNECT
                  --> net_error = -107 (ERR_SSL_PROTOCOL_ERROR)
t=1571 [st=43]    SOCKET_CLOSED

Parsed handshake:

[
  {
    "ClientHello": {
      "version": "Tls12",
      "random_data": "b3bd5cb543b5f397e0a29569aa3f8dd1bbf73cc6752d4ffdeb751a50f75972ee",
      "session_id": "f4e2909a77a526e24eea322d63a821a5b293982fab329c50c0793db2e8410",
      "cipherlist": [
        "0x1a1a(Unknown cipher)",
        "0x1301(TLS_AES_128_GCM_SHA256)",
        "0x1302(TLS_AES_256_GCM_SHA384)",
        "0x1303(TLS_CHACHA20_POLY1305_SHA256)",
        "0xc02b(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)",
        "0xc02f(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)",
        "0xc02c(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)",
        "0xc030(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)",
        "0xcca9(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256)",
        "0xcca8(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)",
        "0xc013(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)",
        "0xc014(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)",
        "0x009c(TLS_RSA_WITH_AES_128_GCM_SHA256)",
        "0x009d(TLS_RSA_WITH_AES_256_GCM_SHA384)",
        "0x002f(TLS_RSA_WITH_AES_128_CBC_SHA)",
        "0x0035(TLS_RSA_WITH_AES_256_CBC_SHA)"
      ],
      "compressionlist": [
        "Null"
      ],
      "extensions": [
        "TlsExtension::Grease(0xeaea,data=[])",
        "TlsExtension::SignedCertificateTimestamp(data=None)",
        "TlsExtension::StatusRequest(Some((OCSP, [0, 0, 0, 0])))",
        "TlsExtension::KeyShare(data=[00 29 9a 9a 00 01 00 00 1d 00 20 c6 42 24 06 e4 4b 89 ee 46 a8 57 b5 21 f1 8f 46 26 e0 6c e9 b9 0b 4b bd 64 5e ff 71 52 9c 3b 75])",
        "TlsExtension::SignatureAlgorithms([\"ecdsa_secp256r1_sha256\", \"rsa_pss_rsae_sha256\", \"rsa_pkcs1_sha256\", \"ecdsa_secp384r1_sha384\", \"rsa_pss_rsae_sha384\", \"rsa_pkcs1_sha384\", \"rsa_pss_rsae_sha512\", \"rsa_pkcs1_sha512\"])",
        "TlsExtension::ExtendedMasterSecret",
        "TlsExtension::SupportedVersions(v=[\"TlsVersion(39578 / 0x9a9a)\", \"Tls13\", \"Tls12\"])",
        "TlsExtension::Unknown(type=0xfe0d,data=[0, 0, 1, 0, 1, 76, 0, 32, 83, 133, 210, 133, 198, 121, 212, 186, 198, 34, 250, 228, 30, 170, 87, 217, 63, 9, 218, 168, 33, 99, 234, 118, 226, 164, 248, 25, 62, 151, 132, 51, 0, 144, 59, 170, 130, 209, 252, 224, 144, 17, 249, 207, 15, 205, 243, 114, 158, 63, 141, 115, 248, 125, 40, 48, 174, 160, 221, 212, 13, 97, 20, 237, 168, 67, 226, 77, 27, 52, 149, 234, 214, 78, 121, 125, 147, 130, 31, 103, 209, 36, 236, 205, 16, 26, 128, 94, 226, 75, 168, 207, 90, 104, 10, 97, 3, 132, 10, 56, 249, 63, 109, 75, 158, 0, 128, 199, 124, 139, 57, 142, 79, 254, 68, 97, 206, 108, 94, 163, 196, 161, 220, 27, 58, 6, 27, 196, 158, 69, 69, 187, 188, 252, 200, 109, 192, 2, 235, 51, 81, 206, 167, 72, 249, 174, 142, 247, 164, 193, 32, 166, 74, 238, 244, 176, 162, 203, 68, 79, 78, 65, 145, 40, 39, 157, 2, 56, 238, 109, 15, 86, 228, 173, 236, 216, 109, 64])",
        "TlsExtension::PskExchangeModes([1])",
        "TlsExtension::RenegotiationInfo(data=[])",
        "TlsExtension::Unknown(type=0x4469,data=[0, 3, 2, 104, 50])",
        "TlsExtension::SessionTicket(data=[])",
        "TlsExtension::EllipticCurves([\"NamedGroup(39578 / 0x9a9a)\", \"EcdhX25519\", \"Secp256r1\", \"Secp384r1\"])",
        "TlsExtension::SNI([\"type=HostName,name=bafybeigd3ovwhyteh4ny3avvr32ok5zdxilngoz46vnsxtadfqaxtnuw44.ipfs.cf-ipfs.com\"])",
        "TlsExtension::ALPN([\"h2\", \"http/1.1\"])",
        "TlsExtension::Unknown(type=0x1b,data=[2, 0, 2])",
        "TlsExtension::EcPointFormats([0])",
        "TlsExtension::Grease(0x7a7a,data=[00])"
      ]
    }
  }
]

[mhofman]

I am strongly suspecting this is some "ISP protection system" blocking the request. In the case of XFinity, their "advanced protection" system is notorious for being whimsical in its blocking attempts. It would be interesting to see if this issue reproduces with such systems disabled.

I would also love to get a dump of the handshake response seen by Chrome as erroneous.

It might be possible to capture with Wireshark, or simply through curl (if it gets blocked/intercepted):
curl --trace - --no-progress-meter -o /dev/null https://bafybeigd3ovwhyteh4ny3avvr32ok5zdxilngoz46vnsxtadfqaxtnuw44.ipfs.cf-ipfs.com/

If this is indeed a content filtering system causing issues, I'm not sure what solution is while keeping IPFS hosting.

[samsiegart]

Seems like safebrowse, which apparently my ISP (xfinity) uses, is blocking cf-ipfs and other gateways (see screenshots below). For me, the only gateways that work that support origin are dweb.link and nftstorage.link (which seems to redirect to dweb when I try to access the dapp-inter hash). I've had mixed results with dweb.link, sometimes it times out and isn't able to load the dapp, even though it can ping the TLD successfully.

I don't see a good way to get around this. If we simply ping each gateway before redirecting, it could be the case that they don't have the app bundle readily available and the app doesn't load. If we try and load the whole app, maybe just loading the bundle directly from the jumper page to be more sure, requesting from multiple gateways concurrently, it would result in a lot of large requests at once, and there's no guarantee any of them would work as described above.

Apparently this safebrowse thing is able to be turned off through my xfinity settings, which I could try doing, but I'm not sure it's reasonable to expect/instruct users to turn that off. Hopefully cloudflare can take this up with the ISP and get it fixed long term. We have an ongoing support ticket with them and have updated it with this info, currently pending their next response.