Agoric / dapp-inter-jumper

Jumper page for dapp-inter

SSL Error Trying to Visit Dapp #13

Open samsiegart opened 1 year ago

samsiegart commented 1 year ago

When going to app.inter.trade, it redirects to the cf-ipfs URL but the page fails to load. Refreshing a few times seems to fix it. This only happens occasionally.

[Image: Screenshot 2023-06-30 at 7 39 42 PM]

samsiegart commented 11 months ago

We've been seeing this issue more frequently now reported by several users. Personally I find that refreshing over and over does not get around the error anymore.

samsiegart commented 11 months ago

It might be something to do with the ISP, but it is difficult to track down the root cause. A potential course of action could be to inquire with Cloudflare, or look into other IPFS hosting methods such as fleek.co or https://www.pinata.cloud/

mhofman commented 10 months ago

I got a clean trace.

The error is `SSL_R_WRONG_VERSION_NUMBER`: 247, triggered from https://github.com/google/boringssl/blob/b6e0eba6e62333652290514e51b75b966b27b27c/ssl/tls_record.cc#L231C28-L231C54

The relevant parts of the trace:

Connection 1 Trace:

```
t=1524 [st=21] +SSL_CONNECT  [dt=4]
t=1525 [st=22]    SSL_HANDSHAKE_MESSAGE_SENT
                  --> bytes = [ClientHello hex dump omitted]
                  --> type = 1
t=1525 [st=22]    SOCKET_BYTES_SENT
                  --> byte_count = 564
t=1528 [st=25]    SOCKET_BYTES_RECEIVED
                  --> byte_count = 256
t=1528 [st=25]    SOCKET_BYTES_SENT
                  --> byte_count = 7
t=1528 [st=25]    SSL_ALERT_SENT
                  --> bytes = 02 46   .F
t=1528 [st=25]    SSL_HANDSHAKE_ERROR
                  --> error_lib = 16
                  --> error_reason = 247
                  --> file = "..\\..\\third_party\\boringssl\\src\\ssl\\tls_record.cc"
                  --> line = 231
                  --> net_error = -107 (ERR_SSL_PROTOCOL_ERROR)
                  --> ssl_error = 1
t=1528 [st=25] -SSL_CONNECT
               --> net_error = -107 (ERR_SSL_PROTOCOL_ERROR)
t=1528 [st=25]  SOCKET_CLOSED
```

Parsed handshake:

```
[
  {
    "ClientHello": {
      "version": "Tls12",
      "random_data": "d6b934ab78a49e24c639117a3217f486aa0dabb9836cd783aaa87242db81648",
      "session_id": "34cd5d2133a54314db2484f8b220b9f40ac843d6ec5f3e8cf29f374f0e7dfb7",
      "cipherlist": [
        "0xbaba(Unknown cipher)",
        "0x1301(TLS_AES_128_GCM_SHA256)",
        "0x1302(TLS_AES_256_GCM_SHA384)",
        "0x1303(TLS_CHACHA20_POLY1305_SHA256)",
        "0xc02b(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)",
        "0xc02f(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)",
        "0xc02c(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)",
        "0xc030(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)",
        "0xcca9(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256)",
        "0xcca8(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)",
        "0xc013(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)",
        "0xc014(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)",
        "0x009c(TLS_RSA_WITH_AES_128_GCM_SHA256)",
        "0x009d(TLS_RSA_WITH_AES_256_GCM_SHA384)",
        "0x002f(TLS_RSA_WITH_AES_128_CBC_SHA)",
        "0x0035(TLS_RSA_WITH_AES_256_CBC_SHA)"
      ],
      "compressionlist": [
        "Null"
      ],
      "extensions": [
        "TlsExtension::Grease(0x8a8a,data=[])",
        "TlsExtension::SignatureAlgorithms([\"ecdsa_secp256r1_sha256\", \"rsa_pss_rsae_sha256\", \"rsa_pkcs1_sha256\", \"ecdsa_secp384r1_sha384\", \"rsa_pss_rsae_sha384\", \"rsa_pkcs1_sha384\", \"rsa_pss_rsae_sha512\", \"rsa_pkcs1_sha512\"])",
        "TlsExtension::StatusRequest(Some((OCSP, [0, 0, 0, 0])))",
        "TlsExtension::SupportedVersions(v=[\"TlsVersion(35466 / 0x8a8a)\", \"Tls13\", \"Tls12\"])",
        "TlsExtension::PskExchangeModes([1])",
        "TlsExtension::KeyShare(data=[00 29 fa fa 00 01 00 00 1d 00 20 ec 73 21 17 3a 7f cd 7e cf c6 bb b7 1e ff ab 65 93 08 78 aa 10 3b 9c 08 40 0a b4 69 3e e3 b6 55])",
        "TlsExtension::SessionTicket(data=[])",
        "TlsExtension::RenegotiationInfo(data=[])",
        "TlsExtension::ExtendedMasterSecret",
        "TlsExtension::SNI([\"type=HostName,name=bafybeigd3ovwhyteh4ny3avvr32ok5zdxilngoz46vnsxtadfqaxtnuw44.ipfs.cf-ipfs.com\"])",
        "TlsExtension::EllipticCurves([\"NamedGroup(64250 / 0xfafa)\", \"EcdhX25519\", \"Secp256r1\", \"Secp384r1\"])",
        "TlsExtension::Unknown(type=0x4469,data=[0, 3, 2, 104, 50])",
        "TlsExtension::Unknown(type=0xfe0d,data=[0, 0, 1, 0, 1, 188, 0, 32, 88, 187, 130, 5, 161, 173, 82, 134, 237, 0, 152, 151, 30, 76, 53, 252, 176, 107, 151, 74, 198, 134, 38, 100, 185, 15, 204, 19, 56, 122, 115, 93, 0, 144, 139, 195, 35, 67, 65, 63, 171, 135, 137, 145, 137, 21, 51, 246, 68, 184, 164, 53, 89, 105, 179, 206, 249, 59, 210, 30, 13, 180, 139, 226, 114, 197, 110, 116, 245, 207, 209, 195, 213, 196, 88, 5, 28, 123, 47, 213, 63, 202, 121, 202, 252, 245, 74, 206, 153, 3, 186, 102, 91, 38, 235, 41, 32, 149, 62, 244, 81, 69, 156, 237, 54, 35, 159, 136, 14, 216, 155, 120, 127, 162, 23, 11, 239, 153, 8, 218, 63, 143, 7, 174, 248, 235, 68, 241, 126, 183, 103, 211, 23, 75, 133, 47, 43, 157, 142, 20, 201, 83, 234, 69, 139, 240, 254, 38, 152, 255, 223, 180, 112, 236, 67, 169, 219, 9, 253, 130, 76, 103, 220, 62, 8, 117, 48, 212, 144, 87, 82, 42, 248, 105, 156, 173, 35, 152])",
        "TlsExtension::ALPN([\"h2\", \"http/1.1\"])",
        "TlsExtension::Unknown(type=0x1b,data=[2, 0, 2])",
        "TlsExtension::SignedCertificateTimestamp(data=None)",
        "TlsExtension::EcPointFormats([0])",
        "TlsExtension::Grease(0xaaaa,data=[00])"
      ]
    }
  }
]
```

Connection 2 Trace:

```
t=1567 [st=39] +SSL_CONNECT  [dt=4]
t=1567 [st=39]    SSL_HANDSHAKE_MESSAGE_SENT
                  --> bytes = [ClientHello hex dump omitted]
                  --> type = 1
t=1567 [st=39]    SOCKET_BYTES_SENT
                  --> byte_count = 564
t=1571 [st=43]    SOCKET_BYTES_RECEIVED
                  --> byte_count = 256
t=1571 [st=43]    SOCKET_BYTES_SENT
                  --> byte_count = 7
t=1571 [st=43]    SSL_ALERT_SENT
                  --> bytes = 02 46   .F
t=1571 [st=43]    SSL_HANDSHAKE_ERROR
                  --> error_lib = 16
                  --> error_reason = 247
                  --> file = "..\\..\\third_party\\boringssl\\src\\ssl\\tls_record.cc"
                  --> line = 231
                  --> net_error = -107 (ERR_SSL_PROTOCOL_ERROR)
                  --> ssl_error = 1
t=1571 [st=43] -SSL_CONNECT
               --> net_error = -107 (ERR_SSL_PROTOCOL_ERROR)
t=1571 [st=43]  SOCKET_CLOSED
```

Parsed handshake:

```
[
  {
    "ClientHello": {
      "version": "Tls12",
      "random_data": "b3bd5cb543b5f397e0a29569aa3f8dd1bbf73cc6752d4ffdeb751a50f75972ee",
      "session_id": "f4e2909a77a526e24eea322d63a821a5b293982fab329c50c0793db2e8410",
      "cipherlist": [
        "0x1a1a(Unknown cipher)",
        "0x1301(TLS_AES_128_GCM_SHA256)",
        "0x1302(TLS_AES_256_GCM_SHA384)",
        "0x1303(TLS_CHACHA20_POLY1305_SHA256)",
        "0xc02b(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)",
        "0xc02f(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)",
        "0xc02c(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)",
        "0xc030(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)",
        "0xcca9(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256)",
        "0xcca8(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)",
        "0xc013(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)",
        "0xc014(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)",
        "0x009c(TLS_RSA_WITH_AES_128_GCM_SHA256)",
        "0x009d(TLS_RSA_WITH_AES_256_GCM_SHA384)",
        "0x002f(TLS_RSA_WITH_AES_128_CBC_SHA)",
        "0x0035(TLS_RSA_WITH_AES_256_CBC_SHA)"
      ],
      "compressionlist": [
        "Null"
      ],
      "extensions": [
        "TlsExtension::Grease(0xeaea,data=[])",
        "TlsExtension::SignedCertificateTimestamp(data=None)",
        "TlsExtension::StatusRequest(Some((OCSP, [0, 0, 0, 0])))",
        "TlsExtension::KeyShare(data=[00 29 9a 9a 00 01 00 00 1d 00 20 c6 42 24 06 e4 4b 89 ee 46 a8 57 b5 21 f1 8f 46 26 e0 6c e9 b9 0b 4b bd 64 5e ff 71 52 9c 3b 75])",
        "TlsExtension::SignatureAlgorithms([\"ecdsa_secp256r1_sha256\", \"rsa_pss_rsae_sha256\", \"rsa_pkcs1_sha256\", \"ecdsa_secp384r1_sha384\", \"rsa_pss_rsae_sha384\", \"rsa_pkcs1_sha384\", \"rsa_pss_rsae_sha512\", \"rsa_pkcs1_sha512\"])",
        "TlsExtension::ExtendedMasterSecret",
        "TlsExtension::SupportedVersions(v=[\"TlsVersion(39578 / 0x9a9a)\", \"Tls13\", \"Tls12\"])",
        "TlsExtension::Unknown(type=0xfe0d,data=[0, 0, 1, 0, 1, 76, 0, 32, 83, 133, 210, 133, 198, 121, 212, 186, 198, 34, 250, 228, 30, 170, 87, 217, 63, 9, 218, 168, 33, 99, 234, 118, 226, 164, 248, 25, 62, 151, 132, 51, 0, 144, 59, 170, 130, 209, 252, 224, 144, 17, 249, 207, 15, 205, 243, 114, 158, 63, 141, 115, 248, 125, 40, 48, 174, 160, 221, 212, 13, 97, 20, 237, 168, 67, 226, 77, 27, 52, 149, 234, 214, 78, 121, 125, 147, 130, 31, 103, 209, 36, 236, 205, 16, 26, 128, 94, 226, 75, 168, 207, 90, 104, 10, 97, 3, 132, 10, 56, 249, 63, 109, 75, 158, 0, 128, 199, 124, 139, 57, 142, 79, 254, 68, 97, 206, 108, 94, 163, 196, 161, 220, 27, 58, 6, 27, 196, 158, 69, 69, 187, 188, 252, 200, 109, 192, 2, 235, 51, 81, 206, 167, 72, 249, 174, 142, 247, 164, 193, 32, 166, 74, 238, 244, 176, 162, 203, 68, 79, 78, 65, 145, 40, 39, 157, 2, 56, 238, 109, 15, 86, 228, 173, 236, 216, 109, 64])",
        "TlsExtension::PskExchangeModes([1])",
        "TlsExtension::RenegotiationInfo(data=[])",
        "TlsExtension::Unknown(type=0x4469,data=[0, 3, 2, 104, 50])",
        "TlsExtension::SessionTicket(data=[])",
        "TlsExtension::EllipticCurves([\"NamedGroup(39578 / 0x9a9a)\", \"EcdhX25519\", \"Secp256r1\", \"Secp384r1\"])",
        "TlsExtension::SNI([\"type=HostName,name=bafybeigd3ovwhyteh4ny3avvr32ok5zdxilngoz46vnsxtadfqaxtnuw44.ipfs.cf-ipfs.com\"])",
        "TlsExtension::ALPN([\"h2\", \"http/1.1\"])",
        "TlsExtension::Unknown(type=0x1b,data=[2, 0, 2])",
        "TlsExtension::EcPointFormats([0])",
        "TlsExtension::Grease(0x7a7a,data=[00])"
      ]
    }
  }
]
```

mhofman commented 10 months ago

I am strongly suspecting this is some "ISP protection system" blocking the request. In the case of XFinity, their "advanced protection" system is notorious for being whimsical in its blocking attempts. It would be interesting to see if this issue reproduces with such systems disabled.

I would also love to get a dump of the handshake response seen by Chrome as erroneous.

It might be possible to capture with Wireshark, or simply through curl (if it gets blocked/intercepted):

```
curl --trace - --no-progress-meter -o /dev/null https://bafybeigd3ovwhyteh4ny3avvr32ok5zdxilngoz46vnsxtadfqaxtnuw44.ipfs.cf-ipfs.com/
```

If this is indeed a content filtering system causing issues, I'm not sure what the solution is while keeping IPFS hosting.
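
For triaging a captured handshake response like the one requested above, the following is an added example and not part of the original thread. It decodes the `02 46` alert from the trace and reads the first five bytes of a response as a TLS record header, using a simplified model of the record-version check (major byte must be `0x03` before a cipher is negotiated). The function names and both sample byte strings are constructed for illustration; the thread does not show what the server actually returned.

```python
import struct

# TLS record content types and a few alert codes (values from RFC 8446).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {10: "unexpected_message", 40: "handshake_failure",
                      47: "illegal_parameter", 50: "decode_error",
                      70: "protocol_version", 80: "internal_error"}


def decode_alert(body: bytes) -> str:
    """Decode a 2-byte alert body such as the `02 46` in SSL_ALERT_SENT."""
    if len(body) != 2:
        raise ValueError("a TLS alert body is exactly 2 bytes")
    level, desc = body
    return (f"{ALERT_LEVELS.get(level, f'level_{level}')}/"
            f"{ALERT_DESCRIPTIONS.get(desc, f'alert_{desc}')}")


def classify_response(data: bytes) -> dict:
    """Read the first 5 bytes as a TLS record header and judge plausibility."""
    if len(data) < 5:
        return {"verdict": "too_short"}
    ctype, version, length = struct.unpack("!BHH", data[:5])
    result = {"content_type": ctype, "version": f"0x{version:04x}",
              "length": length}
    if version >> 8 != 0x03:
        # Wrong major-version byte: the peer is not speaking TLS at all.
        looks_http = data[:5] == b"HTTP/" or data[:1] == b"<"
        result["verdict"] = "plaintext_http" if looks_http else "not_tls"
    elif ctype not in CONTENT_TYPES:
        result["verdict"] = "bad_content_type"
    else:
        result["verdict"] = "tls_" + CONTENT_TYPES[ctype]
    return result


# Constructed samples: a ServerHello record prefix and a hypothetical block page.
SAMPLE_TLS = bytes.fromhex("160303007a") + b"\x02\x00\x00\x76"
SAMPLE_BLOCK = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    print(decode_alert(bytes.fromhex("0246")))
    print(classify_response(SAMPLE_TLS))
    print(classify_response(SAMPLE_BLOCK))
```

Feeding it the first bytes from a Wireshark or `curl --trace` capture distinguishes a real TLS reply from a plaintext answer injected on port 443, which a TLS client parses as a record with a nonsensical version.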

samsiegart commented 10 months ago

Seems like safebrowse, which apparently my ISP (xfinity) uses, is blocking cf-ipfs and other gateways (see screenshots below). For me, the only gateways that work that support origin are dweb.link and nftstorage.link (which seems to redirect to dweb when I try to access the dapp-inter hash). I've had mixed results with dweb.link; sometimes it times out and isn't able to load the dapp, even though it can ping the TLD successfully.

I don't see a good way to get around this. If we simply ping each gateway before redirecting, it could be the case that they don't have the app bundle readily available and the app doesn't load. If we try and load the whole app, maybe just loading the bundle directly from the jumper page to be more sure, requesting from multiple gateways concurrently, it would result in a lot of large requests at once, and there's no guarantee any of them would work as described above.

Apparently this safebrowse thing is able to be turned off through my xfinity settings, which I could try doing, but I'm not sure it's reasonable to expect/instruct users to turn that off. Hopefully cloudflare can take this up with the ISP and get it fixed long term. We have an ongoing support ticket with them and have updated it with this info, currently pending their next response.

[Images: two screenshots]