TLS Handshake Issue in WSL2 but not in Host

cody-scott commented 1 year ago

[x] I have tried with the latest version of Docker Desktop
[x] I have tried disabling enabled experimental features
[ ] I have uploaded Diagnostics
Diagnostics ID:

Actual behavior

running docker pull hello-world results in Error response from daemon: Get "https://registry-1.docker.io/v2/": net/http: TLS handshake timeout from the client within WSL2. Following this, some websites become unreachable from my windows host.

docker pull hello-world performs as expected from powershell in windows. Image pulls successfully.

curl -iv https://registry-1.docker.io/v2/ from WSL2 container to docker results in successful connections and response.

*   Trying 44.205.64.79:443...
* Connected to registry-1.docker.io (44.205.64.79) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.docker.com
*  start date: Oct 31 00:00:00 2022 GMT
*  expire date: Nov 30 23:59:59 2023 GMT
*  subjectAltName: host "registry-1.docker.io" matched cert's "*.docker.io"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /v2/ HTTP/1.1
> Host: registry-1.docker.io
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
< content-type: application/json
content-type: application/json
< docker-distribution-api-version: registry/2.0
docker-distribution-api-version: registry/2.0
< www-authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"
www-authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"
< date: Mon, 23 Jan 2023 21:30:13 GMT
date: Mon, 23 Jan 2023 21:30:13 GMT
< content-length: 87
content-length: 87
< strict-transport-security: max-age=31536000
strict-transport-security: max-age=31536000

<
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
* Connection #0 to host registry-1.docker.io left intact

I have a suspicion it is related to VPNKit or something with how its delivering the request back to the host machine from docker. My initial guess was MTU related, but setting all MTU values to be a smaller number (1200) still results in the same error behaviour. Success in windows, fail in WSL2, broken network.

My other guess was it something related to TLS1.2 vs 1.3. From windows docker is negotiating 1.2, but its unclear what WSL2 is trying to do (1.3 or 1.2). Enabling 1.3 in internet settings results in no change.

Wireshark shows Incomplete. ESTABLISHED (7). so it looks like its at least getting started, but then fails.

Time is also in sync between the host/vm.

Expected behavior

successful pull of the image from docker to WSL2 machine

Information

Windows Version: 2H22
Docker Desktop Version: 4.16.3
WSL2 or Hyper-V backend? WSL2
Are you running inside a virtualized Windows e.g. on a cloud server or a VM: No

Output of `& "C:\Program Files\Docker\Docker\resources\com.docker.diagnose.exe" check`

Starting diagnostics

[PASS] DD0027: is there available disk space on the host?
[PASS] DD0028: is there available VM disk space?
[PASS] DD0002: does the bootloader have virtualization enabled?
[SKIP] DD0018: does the host support virtualization?
[PASS] DD0001: is the application running?
[PASS] DD0022: is the Virtual Machine Platform Windows Feature enabled?
[PASS] DD0021: is the WSL 2 Windows Feature enabled?
[PASS] DD0024: is WSL installed?
[PASS] DD0025: are WSL distros installed?
[PASS] DD0026: is the WSL LxssManager service running?
[PASS] DD0029: is the WSL 2 Linux filesystem corrupt?
[PASS] DD0035: is the VM time synchronized?
[PASS] DD0017: can a VM be started?
[PASS] DD0016: is the LinuxKit VM running?
[PASS] DD0011: are the LinuxKit services running?
[PASS] DD0004: is the Docker engine running?
[PASS] DD0015: are the binary symlinks installed?
[PASS] DD0031: does the Docker API work?
[PASS] DD0013: is the $PATH ok?
[PASS] DD0003: is the Docker CLI working?
[PASS] DD0005: is the user in the docker-users group?
[PASS] DD0038: is the connection to Docker working?
[PASS] DD0014: are the backend processes running?
[PASS] DD0007: is the backend responding?
[PASS] DD0008: is the native API responding?
[PASS] DD0009: is the vpnkit API responding?
[PASS] DD0010: is the Docker API proxy responding?
[PASS] DD0006: is the Docker Desktop Service responding?
[SKIP] DD0030: is the image access management authorized?
[PASS] DD0033: does the host have Internet access?
[PASS] DD0002: does the bootloader have virtualization enabled?
[PASS] DD0018: does the host support virtualization?
[PASS] DD0001: is the application running?
[PASS] DD0022: is the Virtual Machine Platform Windows Feature enabled?
[PASS] DD0021: is the WSL 2 Windows Feature enabled?
[PASS] DD0024: is WSL installed?
[PASS] DD0025: are WSL distros installed?
[PASS] DD0026: is the WSL LxssManager service running?
[PASS] DD0029: is the WSL 2 Linux filesystem corrupt?
[PASS] DD0035: is the VM time synchronized?
[PASS] DD0017: can a VM be started?
[PASS] DD0016: is the LinuxKit VM running?
[PASS] DD0011: are the LinuxKit services running?
[PASS] DD0004: is the Docker engine running?
[PASS] DD0015: are the binary symlinks installed?
[PASS] DD0031: does the Docker API work?
[PASS] DD0032: do Docker networks overlap with host IPs?
No fatal errors detected.

OlegHudyma commented 1 year ago

@namur007 Were you able to resolve this issue?

cody-scott commented 1 year ago

I actually did. My situation turned out to be related to the windows service OpenSSH Authentication Agent. For some reason it was in manual mode. Once i swapped it to automatic (and rebooted) it has worked fine ever since.

docker-robot[bot] commented 1 year ago

Closed issues are locked after 30 days of inactivity. This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

/lifecycle locked

docker / for-win