Some packages are taking a very long time to download

[astrojuanlu]

My Platform

I noticed while doing pip install tox on a Python 3.4 box that some dependencies were taking a very long time to download (sometimes 2 minutes), longer than the default timeout time and therefore requiring manual environment configuration. It is not a pip problem though:

First attempt

From 18:31:37 to 18:33:29, data download in 0.6 seconds.

juanlu@centauri /tmp $ wget "https://files.pythonhosted.org/packages/6a/d1/e0d142ce7b8a5c76adbfad01d853bca84c7c0240e35577498e20bc2ade7d/virtualenv-16.2.0-py2.py3-none-any.whl"
--2019-01-16 18:31:37--  https://files.pythonhosted.org/packages/6a/d1/e0d142ce7b8a5c76adbfad01d853bca84c7c0240e35577498e20bc2ade7d/virtualenv-16.2.0-py2.py3-none-any.whl
Resolving files.pythonhosted.org (files.pythonhosted.org)... 151.101.133.63, 2a04:4e42:1f::319
Connecting to files.pythonhosted.org (files.pythonhosted.org)|151.101.133.63|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1921889 (1,8M) [binary/octet-stream]
Saving to: ‘virtualenv-16.2.0-py2.py3-none-any.whl’

virtualenv-16.2.0-p 100%[===================>]   1,83M  3,09MB/s    in 0,6s    

2019-01-16 18:33:29 (3,09 MB/s) - ‘virtualenv-16.2.0-py2.py3-none-any.whl’ saved [1921889/1921889]

Second attempt

From 18:34:30 to 18:36:22, data download in 0.5 s.

juanlu@centauri /tmp $ wget "https://files.pythonhosted.org/packages/6a/d1/e0d142ce7b8a5c76adbfad01d853bca84c7c0240e35577498e20bc2ade7d/virtualenv-16.2.0-py2.py3-none-any.whl"
--2019-01-16 18:34:30--  https://files.pythonhosted.org/packages/6a/d1/e0d142ce7b8a5c76adbfad01d853bca84c7c0240e35577498e20bc2ade7d/virtualenv-16.2.0-py2.py3-none-any.whl
Resolving files.pythonhosted.org (files.pythonhosted.org)... 151.101.133.63, 2a04:4e42:1f::319
Connecting to files.pythonhosted.org (files.pythonhosted.org)|151.101.133.63|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1921889 (1,8M) [binary/octet-stream]
Saving to: ‘virtualenv-16.2.0-py2.py3-none-any.whl.1’

virtualenv-16.2.0-py2.py3-none-any.whl.1                    100%[=========================================================================================================================================>]   1,83M  3,33MB/s    in 0,5s    

2019-01-16 18:36:22 (3,33 MB/s) - ‘virtualenv-16.2.0-py2.py3-none-any.whl.1’ saved [1921889/1921889]

Other packages

Total download time less than 1 second.

juanlu@centauri /tmp $ wget "https://files.pythonhosted.org/packages/2d/60/f58d9e8197f911f9405bf7e02227b43a2acc2c2f1a8cbb1be5ecf6bfd0b8/pluggy-0.8.1-py2.py3-none-any.whl"
--2019-01-16 18:40:40--  https://files.pythonhosted.org/packages/2d/60/f58d9e8197f911f9405bf7e02227b43a2acc2c2f1a8cbb1be5ecf6bfd0b8/pluggy-0.8.1-py2.py3-none-any.whl
Resolving files.pythonhosted.org (files.pythonhosted.org)... 151.101.133.63, 2a04:4e42:1f::319
Connecting to files.pythonhosted.org (files.pythonhosted.org)|151.101.133.63|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17274 (17K) [binary/octet-stream]
Saving to: ‘pluggy-0.8.1-py2.py3-none-any.whl’

pluggy-0.8.1-py2.py3-none-any.whl                           100%[=========================================================================================================================================>]  16,87K  --.-KB/s    in 0,008s  

2019-01-16 18:40:40 (2,02 MB/s) - ‘pluggy-0.8.1-py2.py3-none-any.whl’ saved [17274/17274]

juanlu@centauri /tmp $ wget "https://files.pythonhosted.org/packages/2d/60/f58d9e8197f911f9405bf7e02227b43a2acc2c2f1a8cbb1be5ecf6bfd0b8/pluggy-0.8.1-py2.py3-none-any.whl"
--2019-01-16 18:40:42--  https://files.pythonhosted.org/packages/2d/60/f58d9e8197f911f9405bf7e02227b43a2acc2c2f1a8cbb1be5ecf6bfd0b8/pluggy-0.8.1-py2.py3-none-any.whl
Resolving files.pythonhosted.org (files.pythonhosted.org)... 151.101.133.63, 2a04:4e42:1f::319
Connecting to files.pythonhosted.org (files.pythonhosted.org)|151.101.133.63|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17274 (17K) [binary/octet-stream]
Saving to: ‘pluggy-0.8.1-py2.py3-none-any.whl.1’

pluggy-0.8.1-py2.py3-none-any.whl.1                         100%[=========================================================================================================================================>]  16,87K  --.-KB/s    in 0,009s  

2019-01-16 18:40:42 (1,88 MB/s) - ‘pluggy-0.8.1-py2.py3-none-any.whl.1’ saved [17274/17274]

Network telemetry

DNS Resolution

dig pypi.org A
; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> pypi.org A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23107
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;pypi.org.          IN  A

;; ANSWER SECTION:
pypi.org.       48  IN  A   151.101.0.223
pypi.org.       48  IN  A   151.101.192.223
pypi.org.       48  IN  A   151.101.64.223
pypi.org.       48  IN  A   151.101.128.223

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Wed Jan 16 18:43:12 CET 2019
;; MSG SIZE  rcvd: 101

dig pypi.org AAAA

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> pypi.org AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1683
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;pypi.org.          IN  AAAA

;; ANSWER SECTION:
pypi.org.       35  IN  AAAA    2a04:4e42:400::223
pypi.org.       35  IN  AAAA    2a04:4e42::223
pypi.org.       35  IN  AAAA    2a04:4e42:200::223
pypi.org.       35  IN  AAAA    2a04:4e42:600::223

;; Query time: 1 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Wed Jan 16 18:43:25 CET 2019
;; MSG SIZE  rcvd: 149

dig files.pythonhosted.org A
; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> files.pythonhosted.org A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36004
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;files.pythonhosted.org.        IN  A

;; ANSWER SECTION:
files.pythonhosted.org. 10  IN  CNAME   dualstack.r.ssl.global.fastly.net.
dualstack.r.ssl.global.fastly.net. 9 IN A   151.101.133.63

;; Query time: 9 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Wed Jan 16 18:43:36 CET 2019
;; MSG SIZE  rcvd: 114

dig files.pythonhosted.org AAAA
; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> files.pythonhosted.org AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50211
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;files.pythonhosted.org.        IN  AAAA

;; ANSWER SECTION:
files.pythonhosted.org. 60  IN  CNAME   dualstack.r.ssl.global.fastly.net.
dualstack.r.ssl.global.fastly.net. 29 IN AAAA   2a04:4e42:1f::319

;; Query time: 28 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Wed Jan 16 18:44:01 CET 2019
;; MSG SIZE  rcvd: 126

Traceroutes

IPv4

traceroute pypi.org
traceroute to pypi.org (151.101.64.223), 64 hops max
  1   192.168.100.1  1,046ms  0,890ms  0,801ms 
  2   *  *  * 
  3   192.168.210.40  2,010ms  1,834ms  1,745ms 
  4   192.168.205.37  11,530ms  11,436ms  11,212ms 
  5   62.115.148.234  11,841ms  13,061ms  12,548ms 
  6   *  *  * 
  7   *  *  * 
  8   *  *  * 
  9   *  *  * 
 10   *  *  * 
 11   *  *  * 
 12   *  *  * 
 13   *  *  * 
 14   *  *  * 
 15   *  *  * 
 16   *  *  * 
 17   *  *  * 
 18   *  *  * 
 19   *  *  * 
 20   *  *  * 
 21   *  *  * 
 22   *  *  * 
 23   *  *  * 
 24   *  *  * 
 25   *  *  * 
 26   *  *  * 
 27   *  *  * 
 28   *  *  * 
 29   *  *  * 
 30   *  *  * 
 31   *  *  * 
 32   *  *  * 
 33   *  *  * 
 34   *  *  * 
 35   *  *  * 
 36   *  *  * 
 37   *  *  * 
 38   *  *  * 
 39   *  *  * 
 40   *  *  * 
 41   *  *  * 
 42   *  *  * 
 43   *  *  * 
 44   *  *  * 
 45   *  *  * 
 46   *  *  * 
 47   *  *  * 
 48   *  *  * 
 49   *  *  * 
 50   *  *  * 
 51   *  *  * 
 52   *  *  * 
 53   *  *  * 
 54   *  *  * 
 55   *  *  * 
 56   *  *  * 
 57   *  *  * 
 58   *  *  * 
 59   *  *  * 
 60   *  *  * 
 61   *  *  * 
 62   *  *  * 
 63   *  *  * 
 64   *  *  *

traceroute files.pythonhosted.org
traceroute to dualstack.r.ssl.global.fastly.net (151.101.133.63), 64 hops max
  1   192.168.100.1  1,569ms  0,923ms  0,720ms 
  2   *  *  * 
  3   192.168.210.40  14,390ms  1,776ms  2,201ms 
  4   192.168.205.37  11,535ms  11,196ms  11,539ms 
  5   62.115.148.234  11,712ms  11,675ms  11,336ms 
  6   *  *  * 
  7   *  *  * 
  8   *  *  * 
  9   *  *  * 
 10   *  *  * 
 11   *  *  * 
 12   *  *  * 
 13   *  *  * 
 14   *  *  * 
 15   *  *  * 
 16   *  *  * 
 17   *  *  * 
 18   *  *  * 
 19   *  *  * 
 20   *  *  * 
 21   *  *  * 
 22   *  *  * 
 23   *  *  * 
 24   *  *  * 
 25   *  *  * 
 26   *  *  * 
 27   *  *  * 
 28   *  *  * 
 29   *  *  * 
 30   *  *  * 
 31   *  *  * 
 32   *  *  * 
 33   *  *  * 
 34   *  *  * 
 35   *  *  * 
 36   *  *  * 
 37   *  *  * 
 38   *  *  * 
 39   *  *  * 
 40   *  *  * 
 41   *  *  * 
 42   *  *  * 
 43   *  *  * 
 44   *  *  * 
 45   *  *  * 
 46   *  *  * 
 47   *  *  * 
 48   *  *  * 
 49   *  *  * 
 50   *  *  * 
 51   *  *  * 
 52   *  *  * 
 53   *  *  * 
 54   *  *  * 
 55   *  *  * 
 56   *  *  * 
 57   *  *  * 
 58   *  *  * 
 59   *  *  * 
 60   *  *  * 
 61   *  *  * 
 62   *  *  * 
 63   *  *  * 
 64   *  *  * 

HTTPS Requests

IPv4

curl -vvv -I --ipv4 https://pypi.org/pypi/pip/json
*   Trying 151.101.192.223...
* TCP_NODELAY set
* Connected to pypi.org (151.101.192.223) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=Delaware; serialNumber=3359300; C=US; ST=New Hampshire; L=Wolfeboro; O=Python Software Foundation; CN=www.python.org
*  start date: Sep 18 00:00:00 2018 GMT
*  expire date: Oct 14 12:00:00 2020 GMT
*  subjectAltName: host "pypi.org" matched cert's "pypi.org"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55b853922900)
> HEAD /pypi/pip/json HTTP/2
> Host: pypi.org
> User-Agent: curl/7.58.0
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200 
HTTP/2 200 
< access-control-allow-headers: Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since
access-control-allow-headers: Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since
< access-control-allow-methods: GET
access-control-allow-methods: GET
< access-control-allow-origin: *
access-control-allow-origin: *
< access-control-expose-headers: X-PyPI-Last-Serial
access-control-expose-headers: X-PyPI-Last-Serial
< access-control-max-age: 86400
access-control-max-age: 86400
< cache-control: max-age=900, public
cache-control: max-age=900, public
< content-security-policy: base-uri 'self'; block-all-mixed-content; connect-src 'self' https://api.github.com/repos/ *.fastly-insights.com sentry.io https://2p66nmmycsj3.statuspage.io; default-src 'none'; font-src 'self' fonts.gstatic.com; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' https://warehouse-camo.cmh1.psfhosted.org/ www.google-analytics.com *.fastly-insights.com; script-src 'self' www.googletagmanager.com www.google-analytics.com *.fastly-insights.com https://cdn.ravenjs.com; style-src 'self' fonts.googleapis.com; worker-src *.fastly-insights.com
content-security-policy: base-uri 'self'; block-all-mixed-content; connect-src 'self' https://api.github.com/repos/ *.fastly-insights.com sentry.io https://2p66nmmycsj3.statuspage.io; default-src 'none'; font-src 'self' fonts.gstatic.com; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' https://warehouse-camo.cmh1.psfhosted.org/ www.google-analytics.com *.fastly-insights.com; script-src 'self' www.googletagmanager.com www.google-analytics.com *.fastly-insights.com https://cdn.ravenjs.com; style-src 'self' fonts.googleapis.com; worker-src *.fastly-insights.com
< content-type: application/json
content-type: application/json
< etag: "u42D+43aoL0wFub+U+AgkA"
etag: "u42D+43aoL0wFub+U+AgkA"
< referrer-policy: origin-when-cross-origin
referrer-policy: origin-when-cross-origin
< server: nginx/1.13.9
server: nginx/1.13.9
< x-pypi-last-serial: 4343751
x-pypi-last-serial: 4343751
< accept-ranges: bytes
accept-ranges: bytes
< date: Wed, 16 Jan 2019 18:03:58 GMT
date: Wed, 16 Jan 2019 18:03:58 GMT
< x-served-by: cache-iad2141-IAD, cache-mad9428-MAD
x-served-by: cache-iad2141-IAD, cache-mad9428-MAD
< x-cache: HIT, HIT
x-cache: HIT, HIT
< x-cache-hits: 2, 1
x-cache-hits: 2, 1
< x-timer: S1547661838.456125,VS0,VE1
x-timer: S1547661838.456125,VS0,VE1
< vary: Accept-Encoding, Accept-Encoding
vary: Accept-Encoding, Accept-Encoding
< strict-transport-security: max-age=31536000; includeSubDomains; preload
strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-frame-options: deny
x-frame-options: deny
< x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
x-content-type-options: nosniff
< x-permitted-cross-domain-policies: none
x-permitted-cross-domain-policies: none
< content-length: 63455
content-length: 63455

< 
* Connection #0 to host pypi.org left intact

curl -vvv -I --ipv4 https://files.pythonhosted.org/packages/ae/e8/2340d46ecadb1692a1e455f13f75e596d4eab3d11a57446f08259dee8f02/pip-10.0.1.tar.gz
*   Trying 151.101.133.63...
* TCP_NODELAY set
* Connected to files.pythonhosted.org (151.101.133.63) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Fastly, Inc; CN=r.ssl.fastly.net
*  start date: Sep  4 19:42:10 2018 GMT
*  expire date: Apr 14 16:28:35 2019 GMT
*  subjectAltName: host "files.pythonhosted.org" matched cert's "*.pythonhosted.org"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign CloudSSL CA - SHA256 - G3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55bed9f2d900)
> HEAD /packages/ae/e8/2340d46ecadb1692a1e455f13f75e596d4eab3d11a57446f08259dee8f02/pip-10.0.1.tar.gz HTTP/2
> Host: files.pythonhosted.org
> User-Agent: curl/7.58.0
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!

[VERY, VERY LONG DELAY]

< HTTP/2 200 
HTTP/2 200 
< x-amz-id-2: XXlGapVYH0EY9hpQNxMBytamjed3kCJu1cTXzeYPr9FUtEI25LRhh76ZxkpUcyScozSLLkoSDTc=
x-amz-id-2: XXlGapVYH0EY9hpQNxMBytamjed3kCJu1cTXzeYPr9FUtEI25LRhh76ZxkpUcyScozSLLkoSDTc=
< x-amz-request-id: A8C2C810FECEB76D
x-amz-request-id: A8C2C810FECEB76D
< last-modified: Thu, 19 Apr 2018 18:56:10 GMT
last-modified: Thu, 19 Apr 2018 18:56:10 GMT
< etag: "83a177756e2c801d0b3a6f7b0d4f3f7e"
etag: "83a177756e2c801d0b3a6f7b0d4f3f7e"
< x-amz-version-id: 1N.JvpbFmUQle7Hn0tnUuxQqUTsn5iEu
x-amz-version-id: 1N.JvpbFmUQle7Hn0tnUuxQqUTsn5iEu
< content-type: binary/octet-stream
content-type: binary/octet-stream
< server: AmazonS3
server: AmazonS3
< cache-control: max-age=365000000, immutable, public
cache-control: max-age=365000000, immutable, public
< accept-ranges: bytes
accept-ranges: bytes
< date: Wed, 16 Jan 2019 18:04:13 GMT
date: Wed, 16 Jan 2019 18:04:13 GMT
< age: 1701213
age: 1701213
< x-served-by: cache-sea1039-SEA, cache-mad9446-MAD
x-served-by: cache-sea1039-SEA, cache-mad9446-MAD
< x-cache: HIT, HIT
x-cache: HIT, HIT
< x-cache-hits: 1, 1
x-cache-hits: 1, 1
< x-timer: S1547661853.039662,VS0,VE9
x-timer: S1547661853.039662,VS0,VE9
< strict-transport-security: max-age=31536000; includeSubDomains; preload
strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-frame-options: deny
x-frame-options: deny
< x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
x-content-type-options: nosniff
< x-permitted-cross-domain-policies: none
x-permitted-cross-domain-policies: none
< x-robots-header: noindex
x-robots-header: noindex
< content-length: 1246072
content-length: 1246072

< 
* Connection #0 to host files.pythonhosted.org left intact

TLS Debug

IPv4

echo -n | openssl s_client -4 -connect pypi.org:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify return:1
depth=0 businessCategory = Private Organization, jurisdictionC = US, jurisdictionST = Delaware, serialNumber = 3359300, C = US, ST = New Hampshire, L = Wolfeboro, O = Python Software Foundation, CN = www.python.org
verify return:1
---
Certificate chain
 0 s:/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=3359300/C=US/ST=New Hampshire/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIIczCCB1ugAwIBAgIQDl7PGBeDAG2brEU2EfVJEjANBgkqhkiG9w0BAQsFADB1
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk
IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTE4MDkxODAwMDAwMFoXDTIwMTAxNDEy
MDAwMFowgdgxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYB
BAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQF
EwczMzU5MzAwMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTmV3IEhhbXBzaGlyZTES
MBAGA1UEBxMJV29sZmVib3JvMSMwIQYDVQQKExpQeXRob24gU29mdHdhcmUgRm91
bmRhdGlvbjEXMBUGA1UEAxMOd3d3LnB5dGhvbi5vcmcwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQD2roGTDc+m3g3mReIf7j5rzLovnk3Zggvy2kWWMnDB
Yz2m6sgxOL1pkzIu7YNe4noH7ZRym0OIQjZbDIleB7SOGAoD2BBv+Mv79HtedJ3d
vhXwmgRenlNxBxhDcaVLDONVC9Ir3Ft46uuGIrXnKB8L1KZV6h8IFC2G3GZXJtkw
EojXdmJFzuRrKMRi0cLPlF60upRISIj3jg9kK4D+f0xYrsQAJvK0veqRsNQ8bXPE
YR8kG4Paj7rOeh3FVGxrKOKNpoI+kV6EqOVIhJY698P7EbDLGjG2Im9P6VFmwXod
YAZ2CTFaMlrC0FljAO/FKeQKR29vitthLMutcd+AkoDDAgMBAAGjggSZMIIElTAf
BgNVHSMEGDAWgBQ901Cl1qCt7vNKYApl0yHU+PjWDzAdBgNVHQ4EFgQUUTsyHAXZ
y6d2HWn+8MZNUhBCkEwwggFCBgNVHREEggE5MIIBNYIOd3d3LnB5dGhvbi5vcmeC
D2RvY3MucHl0aG9uLm9yZ4IPYnVncy5weXRob24ub3Jngg93aWtpLnB5dGhvbi5v
cmeCDWhnLnB5dGhvbi5vcmeCD21haWwucHl0aG9uLm9yZ4IPcHlwaS5weXRob24u
b3JnghRwYWNrYWdpbmcucHl0aG9uLm9yZ4IQbG9naW4ucHl0aG9uLm9yZ4ISZGlz
Y3Vzcy5weXRob24ub3Jnggx1cy5weWNvbi5vcmeCB3B5cGkuaW+CDGRvY3MucHlw
aS5pb4IIcHlwaS5vcmeCDWRvY3MucHlwaS5vcmeCD2RvbmF0ZS5weXBpLm9yZ4IT
ZGV2Z3VpZGUucHl0aG9uLm9yZ4ITd3d3LmJ1Z3MucHl0aG9uLm9yZ4IKcHl0aG9u
Lm9yZzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
BwMCMHUGA1UdHwRuMGwwNKAyoDCGLmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9z
aGEyLWV2LXNlcnZlci1nMi5jcmwwNKAyoDCGLmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0
LmNvbS9zaGEyLWV2LXNlcnZlci1nMi5jcmwwSwYDVR0gBEQwQjA3BglghkgBhv1s
AgEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAH
BgVngQwBATCBiAYIKwYBBQUHAQEEfDB6MCQGCCsGAQUFBzABhhhodHRwOi8vb2Nz
cC5kaWdpY2VydC5jb20wUgYIKwYBBQUHMAKGRmh0dHA6Ly9jYWNlcnRzLmRpZ2lj
ZXJ0LmNvbS9EaWdpQ2VydFNIQTJFeHRlbmRlZFZhbGlkYXRpb25TZXJ2ZXJDQS5j
cnQwDAYDVR0TAQH/BAIwADCCAX8GCisGAQQB1nkCBAIEggFvBIIBawFpAHcA7ku9
t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFl7l3MWwAABAMASDBGAiEA
qfAJSfOHG4r8YvzTkZsr8cEXFcnFIns40+JXVdgY0vsCIQCvnB+YExtMRQVQXONc
glOTsIYmNgYPrtyHYsTj/Xua5QB3AFYUBpov18Ls0/XhvUSyPsdGdrm8mRFcwO+U
mFXWidDdAAABZe5dzHoAAAQDAEgwRgIhAIF6xXakKVdREciK8aM2z1c71eiU8qF/
UCZbl4sEfLTQAiEA870pR9Hazod3FgZszr9itk8sYPLoQjV9/WENl0HXXGwAdQC7
2d+8H4pxtZOUI5eqkntHOFeVCqtS6BqQlmQ2jh7RhQAAAWXuXcwzAAAEAwBGMEQC
IAeIvcaqPATJrCo3+ceBlVbsyPJcDPM7QGLpaRPFBduQAiBHNfcsBLaelS9bUmfU
R0VjJLoTA39AJAj8oU6iAzruHDANBgkqhkiG9w0BAQsFAAOCAQEAwH5+PXougfo5
qMVIE65Dei/CEb4ahZfoMvvlJRvuNAI/ARWYQSHh6IKXdxFxIE5hCC/NNtdAcc1p
CoZ2+IM/x0cGBjHZegSjhXfQy+w7twfgyeTSNalV2jzKQ0Yv/JvfI9qiMdhEQbfL
qaQ6Nj/js8uvQqWf6w8yo7hAzKs1jTF7Wy/cM0lvqNocDWYROhAVcI+jSMKwlcLv
75xAbOZqw2D483mkQizVj7wQ1fYP3Tr0wfvFNeoIAPUXLrEHiEmHWA0h+U9KEgVf
VQ3PvzItecKWFI+0d9RpNupc1HdipBCySvnNa1LcG2AviYXpIsbo8EBvbj0HcEVx
7NEANHNX2g==
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=3359300/C=US/ST=New Hampshire/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4005 bytes and written 269 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: DFD7FA8B2879732D09D406E277BC708C99BF227870A26C38C43CCF1EEF893AF2
    Session-ID-ctx: 
    Master-Key: A0C75636503E825F2C00266EA4E601DCBC532C449D88B868567213004776C9239EFC6A1B3F4F1BD912E7CD5EB3E1BB7E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - b7 c2 01 0a e5 9a 2c 10-ff 47 ac db f0 0b b5 a3   ......,..G......
    0010 - fe 79 fc 12 4b d5 f3 8c-fb e1 d1 51 b1 64 2f d6   .y..K......Q.d/.
    0020 - 7d 5f 15 5d 14 8c 79 dd-b4 57 41 9a 2c d3 d0 28   }_.]..y..WA.,..(
    0030 - 7a 70 6d 94 6f 96 27 42-a6 f3 2e c9 10 47 ca 51   zpm.o.'B.....G.Q
    0040 - 63 f2 03 bf 6d b7 68 44-77 c4 ac 89 ec b3 2a 45   c...m.hDw.....*E
    0050 - b6 5d 94 43 d1 45 27 05-e9 9c ca 70 d0 a2 95 e3   .].C.E'....p....
    0060 - 5b ed 13 43 19 ad 95 45-16 3e fc 12 88 26 12 a7   [..C...E.>...&..
    0070 - 4b 93 66 ab fc 9e 82 9d-bf 5c 68 7e 68 21 c7 50   K.f......\h~h!.P
    0080 - 3e 0c cd 58 44 4a 29 99-57 24 42 a6 76 ef 31 19   >..XDJ).W$B.v.1.
    0090 - b7 4d 0e 0d a7 7c 6f bd-6e 55 75 83 ce 09 07 5d   .M...|o.nUu....]

    Start Time: 1547662060
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE

echo -n | openssl s_client -4 -connect files.pythonhosted.org:443
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign CloudSSL CA - SHA256 - G3
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Fastly, Inc", CN = r.ssl.fastly.net
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Fastly, Inc/CN=r.ssl.fastly.net
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIL3jCCCsagAwIBAgIMU80cnxtlzv++BZDUMA0GCSqGSIb3DQEBCwUAMFcxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMS0wKwYDVQQDEyRH
bG9iYWxTaWduIENsb3VkU1NMIENBIC0gU0hBMjU2IC0gRzMwHhcNMTgwOTA0MTk0
MjEwWhcNMTkwNDE0MTYyODM1WjBrMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2Fs
aWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEUMBIGA1UECgwLRmFzdGx5
LCBJbmMxGTAXBgNVBAMMEHIuc3NsLmZhc3RseS5uZXQwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDTciJwVUeYpeFv0YzWACjrrAg7Qy2yWqLNrGXTJu0m
0bWfeB9kA3gY3gny66LF6W/hYVXtf+oCneDWIpm7eO8DogP+k9H2uwOkCnEXOGog
Jj1QfWnlqYQSpK0HRZ8idm6EglJANXBqK/G+Nbnqb0P68MsdaTKLo1zHyRcEncbZ
OnWAgYkZ1s5CyNQmNhn741JrkXuEcLjuRi5oFP252w8qhcxLAzI9T7pfym9ERcvM
kwZUXUIv9z0qrU3HikASfL6TC2O1qfHwVd4RvR74WOdDHkS02AQWx3NpVbfBLI53
GM/f59vocj3z6cV5TmUcbgrvYt2Lm215mjIOefyzxqlxAgMBAAGjggiUMIIIkDAO
BgNVHQ8BAf8EBAMCBaAwgYoGCCsGAQUFBwEBBH4wfDBCBggrBgEFBQcwAoY2aHR0
cDovL3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvY2xvdWRzc2xzaGEyZzMu
Y3J0MDYGCCsGAQUFBzABhipodHRwOi8vb2NzcDIuZ2xvYmFsc2lnbi5jb20vY2xv
dWRzc2xzaGEyZzMwVgYDVR0gBE8wTTBBBgkrBgEEAaAyARQwNDAyBggrBgEFBQcC
ARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wCAYGZ4EM
AQICMAkGA1UdEwQCMAAwggYkBgNVHREEggYbMIIGF4IQci5zc2wuZmFzdGx5Lm5l
dIINKi5hZGR0aGlzLmNvbYIRKi5hZGR0aGlzZWRnZS5jb22CDCouYWR3ZXJ4LmNv
bYISKi5hbGl0dGxlY3JhZnQuY29tghEqLmFsaXR0bGVjcmFmdC5pdIITKi5hbGl0
dGxlbWFya2V0LmNvbYISKi5hbGl0dGxlbWFya2V0Lml0ghUqLmFsaXR0bGVtZXJj
ZXJpZS5jb22CDyouYmlnaGF0YWRzLmNvbYIOKi5idXp6ZmVlZC5jb22CECouY2F0
Y2hwb2ludC5jb22CCCouY25uLmlvghAqLmNvcmVkbmFjZG4uY29tghUqLmRvbGxh
cnNoYXZlY2x1Yi5jb22CDCouZG9tZmVlLmNvbYILKi5lYXRlci5jb22CECouZmFz
dGx5bGFicy5jb22CHCouZmlsZXMuc2F5bWVkaWEtY29udGVudC5jb22CDCouZmlu
bmNkbi5ub4IIKi5mdC5jb22CDyouZ2VvbmV0Lm9yZy5ueoIUKi5oaXBtdW5rc3Rh
Z2luZy5jb22CECouaG91c2Vsb2dpYy5jb22CCyouaXNzdXUuY29tggkqLmlzdS5w
dWKCESouamFja3RocmVhZHMuY29tgg0qLmxvc3RteS5uYW1lghIqLm1lZXR1cHN0
YXRpYy5jb22CDSoubmV0endlbHQuZGWCCSoubmZsLmNvbYIKKi5wYWdhci5tZYIP
Ki5waWNtb25rZXkuY29tggkqLnB5cGkuaW+CCioucHlwaS5vcmeCEioucHl0aG9u
aG9zdGVkLm9yZ4IPKi5yMjlzdGF0aWMuY29tgg4qLnJlYWxzZWxmLmNvbYIJKi5y
dGJmLmJlgg4qLnNibmF0aW9uLmNvbYILKi5zaGFrci5jb22CEiouc2hpZnRwcmV2
aWV3LmNvbYIQKi5zdGF0aWMucnRiZi5iZYIQKi5zdHJlYW1hYmxlLmNvbYIMKi5z
dXJmbHkuY29tgg4qLnRoZXZlcmdlLmNvbYIPKi50aHJpbGxpc3QuY29tggwqLnRp
c3N1dS5jb22CDSoudm94LWNkbi5jb22CCSoudm94LmNvbYIOKi52b3htZWRpYS5j
b22CCCoudy14LmNvghEqLndhdGNoLmFldG5kLmNvbYIMKi53ZXdvcmsuY29tggph
ZHdlcnguY29tghBhbGl0dGxlY3JhZnQuY29tgg9hbGl0dGxlY3JhZnQuaXSCEWFs
aXR0bGVtYXJrZXQuY29tghBhbGl0dGxlbWFya2V0Lml0ghNhbGl0dGxlbWVyY2Vy
aWUuY29tghZhbHBoYS5lbnRyZXByZW5ldXIuY29tghVhcGkuc2hpZnRjb21tZXJj
ZS5jb22CGmFzc2V0cy1zdGFnaW5nLnRoZW11c2UuY29tggxidXp6ZmVlZC5jb22C
FmRldi5hcGkuY2VyZWJyby5jbm4uaW+CFGRldi5oaXN0b3J5dmF1bHQuY29tghlk
ZXYubGlmZXRpbWVtb3ZpZWNsdWIuY29tggllYXRlci5jb22CEGVudHJlcHJlbmV1
ci5jb22CFGZhc3RseS5zaGlla2hkZXYuY29tggZmdC5jb22CFWgyLmhpcG11bmtz
dGFnaW5nLmNvbYIIaS5nc2UuaW+CC2xvc3RteS5uYW1lghhwcmV2aWV3LmVudHJl
cHJlbmV1ci5jb22CEHB5dGhvbmhvc3RlZC5vcmeCEXFhLnNhZmFyaWZsb3cuY29t
ggxyZWFsc2VsZi5jb22CB3J0YmYuYmWCD3NzbC5uZXR6d2VsdC5kZYIVc3RhdGlj
LnJlZmluZXJ5MjkuY29tghRzdGF0aWMud2l4c3RhdGljLmNvbYIOc3RyZWFtYWJs
ZS5jb22CCnN1cmZseS5jb22CDHRoZXZlcmdlLmNvbYILdm94LWNkbi5jb22CB3Zv
eC5jb22CEHd3dy5kZXhpZ25lci5jb22CFHd3dy5lbnRyZXByZW5ldXIuY29tgg53
d3cuam95ZW50LmNvbYIVd3d3LnFhLnNhZmFyaWZsb3cuY29tghB3d3cuc3RhY2tw
b3AuY29tMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQU
8WPkxcyYMOyDfYryy2qnZTH95r8wHwYDVR0jBBgwFoAUqSuH4c4kRzsbv8+FNwJV
nQ2UWOYwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwC72d+8H4pxtZOUI5eqkntH
OFeVCqtS6BqQlmQ2jh7RhQAAAWWmG1BLAAAEAwBIMEYCIQDYsK9L+/NIftYurcIP
63CEJPQi0FzGbEeiw0bFGcp13gIhAL9Ffe3MLilPNtQIByKk1qlvpAn4tmvJvmtQ
1aBfTaweAHYAb1N2rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo32RMAAAFlphtM
UwAABAMARzBFAiEApZw1GW/9wrp6nyZJcYYnozPSoSmqzx6fEbRT6AV3u+ICIG+p
0WA9zu3C1RAHIXPzlYsxGX6iN2hMfVAvrJWvpv3ZMA0GCSqGSIb3DQEBCwUAA4IB
AQBZ1PYcq73IWZHsgeJhlfFQ6LJazsFqr3YCts2mu6EANka4y3K6tHJMz1vOkXmq
/7oOS4esMqK0g2ETsEGUjQlsjwhsoXNoj4rWFrIx0LT3xR1smU10xjdHAfcL3AaU
MQ62ODYP5JfECD8Y8cYqdZ31WmBlky+hnlgPDONYs/FUD+ylfmlYvvReHfmNEAR/
QwZU7nrId7PxXCUFpWuhnEyJNba7vPvViXEIrVw1sAo3Doe4VKi8BQhZ+yoorPaA
RmYDKHs9uyz5c1Myh9XHCKr2VLVVAJT71tD7vSv4QqsBkORxR1GsC3uMCMQNZ4GO
NlGlv74knHhweyvLnWTRijjG
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Francisco/O=Fastly, Inc/CN=r.ssl.fastly.net
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4837 bytes and written 269 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: E6F819145778F0ED2AB3CD17D6842DA2EA74F2D6EC272EB6FC3D5472F2422C4D
    Session-ID-ctx: 
    Master-Key: BEEC3F087099A640F1D16DEA99581C3E1852AB260D75CB452B0BA3BEE0FE254A6076CB91E49115ED3FC600D20EC00EF7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - b7 c2 01 0a e5 9a 2c 10-ff 47 ac db f0 0b b5 a3   ......,..G......
    0010 - 6a 43 13 03 65 55 7d 37-63 df 76 6a b5 9e 76 b2   jC..eU}7c.vj..v.
    0020 - 54 f8 dd 3e 51 a6 f0 21-2c 7e 47 48 33 ff 51 0d   T..>Q..!,~GH3.Q.
    0030 - 30 de e3 ce af 64 d5 51-2d 0b bf 33 7f d0 a6 81   0....d.Q-..3....
    0040 - c0 16 a8 3e 7d 9b 0b cb-5a d6 9a c2 69 83 39 3f   ...>}...Z...i.9?
    0050 - ab a2 13 8d bc c8 7b cc-88 95 ef 79 ef bd 96 c6   ......{....y....
    0060 - a6 83 c0 f9 59 e9 c4 74-f9 6b e0 63 19 0d fa e1   ....Y..t.k.c....
    0070 - 1f 7a 04 84 f1 d7 9c 4b-a1 fd 98 92 c4 b5 a3 2f   .z.....K......./
    0080 - 9b 51 dd dd ce aa 7c 58-cb 3a 4e 21 c2 7a 49 fd   .Q....|X.:N!.zI.
    0090 - f4 6d ee 6a 64 c7 de f2-a0 fd e6 45 02 cf e6 36   .m.jd......E...6

    Start Time: 1547662075
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE

[astrojuanlu]

Interestingly, when I switched from the router to a WiFi hotspot with my smartphone the problem disappeared. So now I suspect there is something wrong with my ISP...

[di]

@Juanlu001 Who is your ISP?

[astrojuanlu]

Sorry, somehow my fastly-debug output didn't make to the report. It's CABLEWORLD-AS, ES

ewogICJnZW9pcCI6IHsKICAgICJjaSI6ICJlbHgiLAogICAgInN0IjogIkEiLAogICAgImN0IjogInNwYWluIiwKICAgICJjbyI6ICJFVSIsCiAgICAiY19hc24iOiAiMzUzOTQiLAogICAgImNfYXNuX25hbWUiOiAidGVsZXZpZGVvIG5vdmVsZGEgcy5hLiB1bmlwZXJzb25hbCIsCiAgICAicl9pcCI6ICI3NC4xMjUuNDcuMTM2IiwKICAgICJyX2FzbiI6ICIxNTE2OSIsCiAgICAicl9hc25fbmFtZSI6ICJnb29nbGUgbGxjIiwKICAgICJyX2NpIjogImJydXNzZWxzIiwKICAgICJyX3N0IjogIkJSVSIsCiAgICAicl9jdCI6ICJiZWxnaXVtIiwKICAgICJyX2NvIjogIkVVIgogIH0sCiAgInBvcExhdGVuY3kiOiB7CiAgICAibGhyIjogNDEsCiAgICAibGN5IjogNDEsCiAgICAiY2RnIjogMzMsCiAgICAibWFkIjogMTUsCiAgICAiZnJhIjogNDUsCiAgICAiaGhuIjogNDYsCiAgICAiYW1zIjogNDYsCiAgICAiYm1hIjogNzAsCiAgICAiaGVsIjogNzQsCiAgICAiamZrIjogMTE4LAogICAgImhrZyI6IDE4OCwKICAgICJhbnkiOiAxNQogIH0sCiAgInBvcEFzc2lnbm1lbnRzIjogewogICAgImFjIjogIm1hZCIsCiAgICAiYXMiOiAibWFkIgogIH0sCiAgInJlcXVlc3QiOiB7CiAgICAicmVzb2x2ZXJfaXAiOiAiNzQuMTI1LjczLjY3IiwKICAgICJyZXNvbHZlcl9hc19uYW1lIjogIkdPT0dMRSAtIEdvb2dsZSBMTEMsIFVTIiwKICAgICJyZXNvbHZlcl9hc19udW1iZXIiOiAiMTUxNjkiLAogICAgInJlc29sdmVyX2NvdW50cnlfY29kZSI6ICJVUyIsCiAgICAiY2xpZW50X2lwIjogIjE4NS4xNzIuMTcwLjE2MCIsCiAgICAiY2xpZW50X2FzX25hbWUiOiAiQ0FCTEVXT1JMRC1BUywgRVMiLAogICAgImNsaWVudF9hc19udW1iZXIiOiAiMzUzOTQiLAogICAgInRpbWUiOiAiMjAxOS0wMS0xNlQxODo0MToxNS4wMDBaIiwKICAgICJob3N0IjogInd3dy5mYXN0bHktZGVidWcuY29tIiwKICAgICJhY2NlcHQiOiAidGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksKi8qO3E9MC44IiwKICAgICJ1c2VyYWdlbnQiOiAiTW96aWxsYS81LjAgKFgxMTsgVWJ1bnR1OyBMaW51eCB4ODZfNjQ7IHJ2OjY0LjApIEdlY2tvLzIwMTAwMTAxIEZpcmVmb3gvNjQuMCIsCiAgICAiYWNjZXB0bGFuZ3VhZ2UiOiAiZW4tVVMsZW47cT0wLjUiLAogICAgImFjY2VwdGVuY29kaW5nIjogImd6aXAiLAogICAgImZhc3RseXNlcnZlcmlwIjogIjE1MS4xMDEuMTkyLjY0IiwKICAgICJ4ZmYiOiAiMTg1LjE3Mi4xNzAuMTYwIiwKICAgICJkYXRhY2VudGVyIjogIk1BRCIsCiAgICAiYmFuZHdpZHRoX21icHMiOiAiMjAuNTYiLAogICAgImN3bmQiOiAyNiwKICAgICJuZXh0aG9wIjogIjE3Mi4xOS4xMjguMSIsCiAgICAicnR0IjogMTEuNDU2LAogICAgImRlbHRhX3JldHJhbnMiOiAxLAogICAgInRvdGFsX3JldHJhbnMiOiAxCiAgfQp9

[di]

Thanks, I've submitted a support ticket to our CDN provider.

[di]

@Juanlu001 Can you run the following command and share the results?

curl -L --output /dev/null --silent --show-error --write-out 'lookup:        %{time_namelookup}\nconnect:       %{time_connect}\nappconnect:    %{time_appconnect}\npretransfer:   %{time_pretransfer}\nredirect:      %{time_redirect}\nstarttransfer: %{time_starttransfer}\ntotal:         %{time_total}\n' 'https://files.pythonhosted.org/packages/6a/d1/e0d142ce7b8a5c76adbfad01d853bca84c7c0240e35577498e20bc2ade7d/virtualenv-16.2.0-py2.py3-none-any.whl'

[astrojuanlu]

juanlu@centauri ~ $ curl -L --output /dev/null --silent --show-error --write-out 'lookup:        %{time_namelookup}\nconnect:       %{time_connect}\nappconnect:    %{time_appconnect}\npretransfer:   %{time_pretransfer}\nredirect:      %{time_redirect}\nstarttransfer: %{time_starttransfer}\ntotal:         %{time_total}\n' 'https://files.pythonhosted.org/packages/6a/d1/e0d142ce7b8a5c76adbfad01d853bca84c7c0240e35577498e20bc2ade7d/virtualenv-16.2.0-py2.py3-none-any.whl'
lookup:        0,028722
connect:       0,039242
appconnect:    0,087061
pretransfer:   0,087273
redirect:      0,000000
starttransfer: 60,480165
total:         61,096943
juanlu@centauri ~ $ curl -L --output /dev/null --silent --show-error --write-out 'lookup:        %{time_namelookup}\nconnect:       %{time_connect}\nappconnect:    %{time_appconnect}\npretransfer:   %{time_pretransfer}\nredirect:      %{time_redirect}\nstarttransfer: %{time_starttransfer}\ntotal:         %{time_total}\n' 'https://files.pythonhosted.org/packages/2d/60/f58d9e8197f911f9405bf7e02227b43a2acc2c2f1a8cbb1be5ecf6bfd0b8/pluggy-0.8.1-py2.py3-none-any.whl'
lookup:        0,028670
connect:       0,038857
appconnect:    0,087159
pretransfer:   0,087401
redirect:      0,000000
starttransfer: 0,098525
total:         0,110404

[di]

Thanks @Juanlu001, can you verify if it's intermittent or occurs 100% of the time for that file? If it's only intermittent, how often does it occur? Also, could provide the full response headers when it does happen? (via curl --verbose).

[astrojuanlu]

Thanks @di and sorry for making you back-and-forth between me and PyPI's CDN, I appreciate the help a lot.

It happens 100 % of the time with one package and 0 % of the time with another package, and sadly curl --verbose does not give much more information:

juanlu@centauri ~ $ curl -L --output /dev/null --silent --show-error --write-out 'lookup:        %{time_namelookup}\nconnect:       %{time_connect}\nappconnect:    %{time_appconnect}\npretransfer:   %{time_pretransfer}\nredirect:      %{time_redirect}\nstarttransfer: %{time_starttransfer}\ntotal:         %{time_total}\n' 'https://files.pythonhosted.org/packages/6a/d1/e0d142ce7b8a5c76adbfad01d853bca84c7c0240e35577498e20bc2ade7d/virtualenv-16.2.0-py2.py3-none-any.whl' -vvv
*   Trying 151.101.133.63...
* TCP_NODELAY set
* Connected to files.pythonhosted.org (151.101.133.63) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [220 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [106 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4222 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Fastly, Inc; CN=r.ssl.fastly.net
*  start date: Sep  4 19:42:10 2018 GMT
*  expire date: Apr 14 16:28:35 2019 GMT
*  subjectAltName: host "files.pythonhosted.org" matched cert's "*.pythonhosted.org"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign CloudSSL CA - SHA256 - G3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x55c225701900)
} [5 bytes data]
> GET /packages/6a/d1/e0d142ce7b8a5c76adbfad01d853bca84c7c0240e35577498e20bc2ade7d/virtualenv-16.2.0-py2.py3-none-any.whl HTTP/2
> Host: files.pythonhosted.org
> User-Agent: curl/7.58.0
> Accept: */*
> 
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
} [5 bytes data]

[VEEEEERY LONG DELAY]

< HTTP/2 200 
< x-amz-id-2: QFAHsSLUJo9svc1jiWJXJoL/GflV/D5By2TsFp61M73GbwgiXg/fe41qZvLGH996e2oX0ba003A=
< x-amz-request-id: EBCEA7ABE1DC2518
< last-modified: Mon, 31 Dec 2018 22:16:07 GMT
< etag: "24e0adea5a7d49a25a9c9b85d70dca8c"
< x-amz-version-id: q_34KGNVGgcIMyN9twZwMSjaznKFoxWG
< content-type: binary/octet-stream
< server: AmazonS3
< cache-control: max-age=365000000, immutable, public
< accept-ranges: bytes
< date: Fri, 18 Jan 2019 18:03:17 GMT
< age: 1540029
< x-served-by: cache-sea1028-SEA, cache-mad9422-MAD
< x-cache: HIT, HIT
< x-cache-hits: 7, 3
< x-timer: S1547834598.990752,VS0,VE0
< strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-frame-options: deny
< x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
< x-permitted-cross-domain-policies: none
< x-robots-header: noindex
< content-length: 1921889
< 
{ [2206 bytes data]
* Connection #0 to host files.pythonhosted.org left intact
lookup:        0,060748
connect:       0,071801
appconnect:    0,131620
pretransfer:   0,131986
redirect:      0,000000
starttransfer: 123,036330
total:         123,868335
juanlu@centauri ~ $ 
juanlu@centauri ~ $ 
juanlu@centauri ~ $ [VEEEEERY LONG DELAY]
[VEEEEERY: command not found
juanlu@centauri ~ $ 
juanlu@centauri ~ $ #curl -L --output /dev/null --silent --show-error --write-out 'lookup:        %{time_namelookup}\nconnect:       %{time_connect}\nappconnect:    %{time_appconnect}\npretransfer:   %{time_pretransfer}\nredirect:      %{time_redirect}\nstarttransfer: %{time_starttransfer}\ntotal:         %{time_total}\n' 'https://files.pythonhosted.org/packages/2d/60/f58d9e8197f911f9405bf7e02227b43a2acc2c2f1a8cbb1be5ecf6bfd0b8/pluggy-0.8.1-py2.py3-none-any.whl'
juanlu@centauri ~ $ curl -L --output /dev/null --silent --show-error --write-out 'lookup:        %{time_namelookup}\nconnect:       %{time_connect}\nappconnect:    %{time_appconnect}\npretransfer:   %{time_pretransfer}\nredirect:      %{time_redirect}\nstarttransfer: %{time_starttransfer}\ntotal:         %{time_total}\n' 'https://files.pythonhosted.org/packages/2d/60/f58d9e8197f911f9405bf7e02227b43a2acc2c2f1a8cbb1be5ecf6bfd0b8/pluggy-0.8.1-py2.py3-none-any.whl' -vvvvvv
*   Trying 151.101.133.63...
* TCP_NODELAY set
* Connected to files.pythonhosted.org (151.101.133.63) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [220 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [106 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4222 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Fastly, Inc; CN=r.ssl.fastly.net
*  start date: Sep  4 19:42:10 2018 GMT
*  expire date: Apr 14 16:28:35 2019 GMT
*  subjectAltName: host "files.pythonhosted.org" matched cert's "*.pythonhosted.org"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign CloudSSL CA - SHA256 - G3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x55557562f900)
} [5 bytes data]
> GET /packages/2d/60/f58d9e8197f911f9405bf7e02227b43a2acc2c2f1a8cbb1be5ecf6bfd0b8/pluggy-0.8.1-py2.py3-none-any.whl HTTP/2
> Host: files.pythonhosted.org
> User-Agent: curl/7.58.0
> Accept: */*
> 
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
} [5 bytes data]
< HTTP/2 200 
< x-amz-id-2: tV7rKA3ghy16z0S993tEMuBAcXMtns/yrGdf7hkAjdcHk3Q3PLqx2RsvDMrDUQrxpRlhSfhEQjc=
< x-amz-request-id: 0BBDD6FE28BCFA70
< last-modified: Wed, 09 Jan 2019 20:53:29 GMT
< etag: "2b2a30da7a38faa1c25b6efe87ccda6d"
< x-amz-version-id: 1j.JyR6Z_pD3.Rw3yLy55llF7fFJoDJt
< content-type: binary/octet-stream
< server: AmazonS3
< cache-control: max-age=365000000, immutable, public
< accept-ranges: bytes
< date: Fri, 18 Jan 2019 18:05:55 GMT
< age: 767545
< x-served-by: cache-sea1033-SEA, cache-mad9432-MAD
< x-cache: HIT, HIT
< x-cache-hits: 6, 9
< x-timer: S1547834756.790320,VS0,VE0
< strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-frame-options: deny
< x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
< x-permitted-cross-domain-policies: none
< x-robots-header: noindex
< content-length: 17274
< 
{ [2208 bytes data]
* Connection #0 to host files.pythonhosted.org left intact
lookup:        0,004186
connect:       0,014426
appconnect:    0,048488
pretransfer:   0,048716
redirect:      0,000000
starttransfer: 0,059478
total:         0,071606

[astrojuanlu]

Hi @di! I guess there hasn't been much progress with this issue, but did the CDN say anything that I can use to try to fix this with my ISP at least?

[di]

Hi @Juanlu001, sorry for the delay. Our provider wants to confirm that you're seeing this issue on the WAN side of your router, and if so, if you can send then a packet capture they can inspect.

(If that's not possible or you're not sure how to do that, it's no problem, just let me know)

[astrojuanlu]

I don't know what WAN is, so if there are some instructions I can follow, I'll generate a packet capture.

[supine]

@Juanlu001 by WAN we mean the ISP side of your router.

Not sure what kind of connection it is but is it possible to connect a computer directly to it rather than using your router?

If so, please capture the slow and normal downloads in that configuration.

If not, please just take captures of the slow and normal downloads in your standard configuration and we will see if we can extract any insight from them.

[astrojuanlu]

Sorry for the lack of response. I have observed that it also happens with other websites, and apparently is not as predictable as I thought in the beginning, so I'm closing this issue and I will try to contact my ISP directly when I have more information. Thanks for lending a hand :pray: