Downloads slow from Windows but not WSL

[jamesivie]

NuGet Product Used

Other/NA

Product Version

website

Worked before?

at least 4 days ago

Impact

I'm unable to use this version

Repro Steps & Context

I'm not sure how this is even possible, and it's the strangest thing I've seen in many years. I've been chasing this for days now through every channel I can. Starting about 3 days ago, I (and several others who have reported this issue on the Visual Studio support forums) started having issues updating assemblies using Visual Studio 2022. dotnet and nuget from the command line are also failing. Trying to download nupkg files manually succeeds but is very slow. When I run "curl https://api.nuget.org/v3-flatcontainer/sixlabors.imagesharp/2.1.8/sixlabors.imagesharp.2.1.8.nupkg -o junk" on Windows from Command Prompt or Powershell the download goes very slow or hangs altogether. However, under WSL on the same machine, it works and it's instant. dotnet and nuget also work under WSL. When I run the exact same command from WSL on the same machine, it downloads instantly (it's something like 100x faster). The issue occurs with all the nupkg files I've tried. I've reproduced this on three separate windows machines. Two are Windows 11 and have the latest patches. One is Windows 10 and hasn't been turned on for months until today to test this issue. Other websites appear to be fine. Other download methods are also slow (tried multiple browsers as well). Disabling the firewall and/or Microsoft Defender has no effect. See attached verbose logs: there appears to be some kind of incompatibility with the encryption currently in use on nuget.org and Windows schannel.dll (even older versions of schannel.dll--so unless you intended to break compatibility with Windows 10 machines, this is your issue, not the Windows team).

Did nuget.org change something with its TLS configuration in the past week or so that could be causing this? It's completely halting work for a lot of people.

Verbose Logs

>curl https://api.nuget.org/v3-flatcontainer/sixlabors.imagesharp/2.1.8/sixlabors.imagesharp.2.1.8.nupkg -o junk -A curl/1.0 -v
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 13.107.246.66:443...
* Connected to api.nuget.org (13.107.246.66) port 443
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.1
> GET /v3-flatcontainer/sixlabors.imagesharp/2.1.8/sixlabors.imagesharp.2.1.8.nupkg HTTP/1.1
> Host: api.nuget.org
> User-Agent: curl/1.0
> Accept: */*
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* schannel: failed to decrypt data, need more data
< HTTP/1.1 200 OK
< Date: Fri, 26 Apr 2024 01:23:36 GMT
< Content-Type: application/octet-stream
< Content-Length: 4522752
< Connection: keep-alive
< Cache-Control: public, max-age=86400
< Last-Modified: Thu, 11 Apr 2024 06:31:50 GMT
< ETag: 0x8DC59F1121A2751
< x-ms-request-id: 18d4f9e7-301e-0036-50bc-963087000000
< x-ms-version: 2009-09-19
< x-ms-meta-da7b2905_0f3c_4262_921c_b1593d1336f1_ESRP_RequestId: dc4ac97b-1b2e-46cf-abfd-c25a9e3d9165
< x-ms-meta-SHA512: uAybk5N8IxYppIRr07gglVh4Un1dCW4KhxQdrpWDBONRVFZTNAFpwTkh5NTVxyKPC4Akvm6jriyzGXTUu6NQqA==
< x-ms-lease-status: unlocked
< x-ms-blob-type: BlockBlob
< Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,x-ms-meta-da7b2905_0f3c_4262_921c_b1593d1336f1_ESRP_RequestId,x-ms-meta-SHA512,Content-Type,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding
< Access-Control-Allow-Origin: *
< x-azure-ref: 20240426T012336Z-15c97c8cdddz4g8pk6sd5xqgpc00000008cg00000000n7q1
< x-fd-int-roxy-purgeid: 43765298
< X-Cache: TCP_HIT
< X-Cache-Info: L1_T2
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< x-content-type-options: nosniff
< Accept-Ranges: bytes
<
{ [15217 bytes data]
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
{ [49152 bytes data]
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
  1 4416k    1 64369    0     0  77397      0  0:00:58 --:--:--  0:00:58 77459* schannel: failed to decrypt data, need more data
{ [98304 bytes data]
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
  3 4416k    3  158k    0     0  94159      0  0:00:48  0:00:01  0:00:47 94193* schannel: failed to decrypt data, need more data
{ [98304 bytes data]
* schannel: failed to decrypt data, need more data
{ [16384 bytes data]
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
{ [32768 bytes data]
* schannel: failed to decrypt data, need more data
{ [16384 bytes data]
* schannel: failed to decrypt data, need more data
{ [98304 bytes data]
* schannel: failed to decrypt data, need more data
{ [98304 bytes data]
* schannel: failed to decrypt data, need more data
{ [49152 bytes data]
* schannel: failed to decrypt data, need more data
{ [16384 bytes data]
* schannel: failed to decrypt data, need more data
{ [32768 bytes data]
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
{ [16384 bytes data]
* schannel: failed to decrypt data, need more data
{ [98304 bytes data]
* schannel: failed to decrypt data, need more data
{ [98304 bytes data]
* schannel: failed to decrypt data, need more data
{ [81920 bytes data]
* schannel: failed to decrypt data, need more data
{ [16384 bytes data]
* schannel: failed to decrypt data, need more data
{ [16384 bytes data]
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
{ [16384 bytes data]
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
{ [98304 bytes data]
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
{ [32768 bytes data]
* schannel: failed to decrypt data, need more data
{ [98304 bytes data]
* schannel: failed to decrypt data, need more data
{ [16384 bytes data]
* schannel: failed to decrypt data, need more data
{ [32768 bytes data]
* schannel: failed to decrypt data, need more data
{ [16384 bytes data]
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
{ [65536 bytes data]
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
{ [65536 bytes data]
* schannel: failed to decrypt data, need more data
{ [16384 bytes data]
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
 31 4416k   31 1374k    0     0   409k      0  0:00:10  0:00:03  0:00:07  409k* schannel: failed to decrypt data, need more data
{ [81920 bytes data]
* schannel: failed to decrypt data, need more data

[jamesivie]

Further information: It looks like schannel errors happen on other sites as well. I also noticed this response header when run in Command Prompt that isn't there under WSL: X-Cache-Info: L1_T2 Maybe it's an issue with a CDN node near me?

[jamesivie]

Did you guys do something? It looks like, after three days of failures, it seems to be working now.

[erdembayar]

Based on customer feedback we're closing this issue, if problem returns please reopen or file new one. I'm not aware of any changes around this.