TLS failure: End_of_file

[kit-ty-kate]

With the same test case as in #7 I’m now getting:

TLS failure: End_of_file

in some specific conditions I still don’t understand.

I use it for https://github.com/ocurrent/opam-health-check/ and it works fine for any small instances or if I call the function directly but fails with this error on a main instance specifically for the slack.com webhook (the Discord webhook worked fine)

Here is the code: https://github.com/ocurrent/opam-health-check/blob/debug-crashes/server/backend/check.ml#L404

Do I have to tweak the TLS config?

[hannesm]

Since "it works fine for any small instances", I don't think you need to tweak the TLS config.

Is there a rate limiting of the slack endpoint? Do you send hundreds of hooks at once? Could you increase the debug level (with the Logs library, the tls library has some log sources) to see at which point in the TLS handshake fails (the server sending an "End of file" (`Eof in ocaml-tls, caused by a read of 0 bytes))?

[kit-ty-kate]

Do you send hundreds of hooks at once?

no, only one. Once at the end of each run.

I'll try to increase the log level. Sadly the only way I've been able to reproduce the problem is to let the main instance complete its run, which takes several days. So this will take some time

[hannesm]

Hmm, and the output let%lwt () = Lwt_io.write_line stderr ("Triggering Slack webhook "^Uri.to_string webhook) in is printed directly before? If it takes multiple days, and the Http_lwt_client establishes at startup a TLS connection to the webhook host, it could be terminated by the time the webhook is sent.

Maybe in addition ti makes sense to capture the IP packets of the commnuication between opam-health-check and slack - a tcpdump -w slack-opam-health-check.pcap host <IP of the slack host> would be nice to have for future investigation.

[kit-ty-kate]

Hmm, and the output let%lwt () = Lwt_io.write_line stderr ("Triggering Slack webhook "^Uri.to_string webhook) in is printed directly before?

Yes. This is as simple as a curl call, no connection is kept waiting.

I’ve set re-run opam-health-check with Logs.set_level (Some Logs.Debug) and tcpdump -w <file> host hooks.slack.com. I’ll keep you posted in a couple of days when it finishes.

[kit-ty-kate]

Setting the log level did not yield anything (nothing got printed).

The interesting change from last time is that now the discord.com/api webhook sent just after also failed but with a different error message: connection failed. Maybe it is unrelated, but maybe not.

tcpdump -r slack-opam-health-check.pcap shows:

21:42:05.620900 IP opam-health-check.37360 > ec2-18-134-215-41.eu-west-2.compute.amazonaws.com.https: Flags [S], seq 3736980383, win 64240, options [mss 1460,sackOK,TS val 2809942956 ecr 0,nop,wscale 7], length 0
21:42:05.635623 IP ec2-18-134-215-41.eu-west-2.compute.amazonaws.com.https > opam-health-check.37360: Flags [S.], seq 1080392525, ack 3736980384, win 32200, options [mss 1300,sackOK,TS val 3927420543 ecr 2809942956,nop,wscale 12], length 0
21:42:05.635710 IP opam-health-check.37360 > ec2-18-134-215-41.eu-west-2.compute.amazonaws.com.https: Flags [.], ack 1, win 502, options [nop,nop,TS val 2809942971 ecr 3927420543], length 0
21:42:20.654347 IP ec2-18-134-215-41.eu-west-2.compute.amazonaws.com.https > opam-health-check.37360: Flags [F.], seq 1, ack 1, win 8, options [nop,nop,TS val 3927435562 ecr 2809942971], length 0
21:42:20.656444 IP opam-health-check.37360 > ec2-18-134-215-41.eu-west-2.compute.amazonaws.com.https: Flags [.], ack 2, win 502, options [nop,nop,TS val 2809957992 ecr 3927435562], length 0
21:42:54.160089 IP opam-health-check.58052 > ec2-18-168-172-238.eu-west-2.compute.amazonaws.com.https: Flags [S], seq 1342184453, win 64240, options [mss 1460,sackOK,TS val 177444807 ecr 0,nop,wscale 7], length 0
21:42:54.176858 IP ec2-18-168-172-238.eu-west-2.compute.amazonaws.com.https > opam-health-check.58052: Flags [S.], seq 980295719, ack 1342184454, win 32200, options [mss 1300,sackOK,TS val 2482206845 ecr 177444807,nop,wscale 12], length 0
21:42:54.176956 IP opam-health-check.58052 > ec2-18-168-172-238.eu-west-2.compute.amazonaws.com.https: Flags [.], ack 1, win 502, options [nop,nop,TS val 177444824 ecr 2482206845], length 0
21:43:04.352715 IP opam-health-check.37360 > ec2-18-134-215-41.eu-west-2.compute.amazonaws.com.https: Flags [P.], seq 1:518, ack 2, win 502, options [nop,nop,TS val 2810001688 ecr 3927435562], length 517
21:43:04.367670 IP ec2-18-134-215-41.eu-west-2.compute.amazonaws.com.https > opam-health-check.37360: Flags [R], seq 1080392527, win 0, length 0
tcpdump: pcap_loop: truncated dump file; tried to read 66 captured bytes, only got 13

I hope the tcpdump log helps. If I can give you more feel free to ask

[kit-ty-kate]

Setting the log level did not yield anything (nothing got printed).

Reading the doc, I seem to have forgotten to call Logs.set_reporter (Logs_fmt.reporter ()). Oh well, time for another run anyway.

[kit-ty-kate]

@hannesm I have the logs but they contain private informations. What should i look for?

The log is quite big but on first glance this seems a bit weird:

[DEBUG] connection ok to hooks.slack.com after 1m13s

From the logs it looks like some stuff happens in between the start of the call to Http_lwt_client.one_request and this. In order it seems to be:

1. [DEBUG] action resolve AAAA hooks.slack.com and similar DNS related actions
2. the frontend cohttp server receives 2 requests

opam-health-serve: [DEBUG] received event 1 connected to hooks.slack.com (using 18.134.215.41:443)
opam-health-serve: [DEBUG] connection ok to hooks.slack.com after 1m13s
opam-health-serve: [DEBUG] (handshake-out
                            (ClientHello
                             ((client_version TLS_1_3)
                            ....

4. [DEBUG] action resolve AAAA discord.com (the next webhook in the list)
5. Received two more requests on the cohttp frontend (at least one is from a bot and return a 500 due to the url being not correct)

opam-health-serve: [INFO] end of file reading from resolver
opam-health-serve: [INFO] end of file reading from resolver
opam-health-serve: [DEBUG] timer
opam-health-serve: [DEBUG] timer 0 actions
opam-health-serve: [ERROR] connection to 127.0.0.53:853 failed: Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
opam-health-serve: [DEBUG] >>> 67

7. The Lwt_io.write_line that was supposed to be finished before is finally printed (I’m guessing this is some buffered delay)

opam-health-serve: [DEBUG] received event 5 connection to host.invalid failed 127.0.0.53:853
opam-health-serve: [DEBUG] timer
opam-health-serve: [DEBUG] timer 0 actions
opam-health-serve: [ERROR] connection to 127.0.0.53:853 failed: Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
opam-health-serve: [DEBUG] received event 5 connected to host.invalid (using 127.0.0.53:53)
opam-health-serve: [DEBUG] Connected to NS.
opam-health-serve: [DEBUG] >>> c6
opam-health-serve: [DEBUG] >>> Webhook failed with: TLS failure: End_of_file

Many of the actions seem to be done out of order from what I would be expecting (especially the part where the discord webhook is being triggered before the slack webhook is done).

Do you see an obvious problem in these summarized logs?

[hannesm]

Thanks for your detailed logs - I do not see any obvious problems in the summarized.

How I expect this to work:

• (a) http-lwt-client receives a request to connect to URL u
• (b) it uses happy-eyeballs to figures out which host to connect to (using any protocol - IPv4/IPv6)
• (c) happy-eyeballs triggers a DNS resolution that decodes /etc/resolv.conf and attempts to connect to a resolver listed there: first on port 853 (for DNS-over-TLS), then on port 53 (TCP)
• (d) the IP addresses are resolved (IPv6 - AAAA records, and IPv4 - A records)
• (e) happy-eyeballs attempts to connect via IPv6, and IPv4 to the remote host (on port 443 for a https url, port 80 for a http url)
• (f) finally, http-lwt-client sends out the request over the provided socket

from your log, (1) is part of (c), (3) look like (e) returned and http-lwt-client attempts a TLS handshake; (4) looks like either it is done asynchronously (in a separate Lwt task) or the webhook task for slack has been finished. (6) attempts DNS lookups, and figures that the previous TCP session to the resolver has been terminated (end of file reading from resolver), and initiates new TCP sessions (first again on port 853, which is refused, then on port 53) -- (8) is the continuation thereof (where connection to your resolver on port 853 was refused, and then the connection is done to the same resolver on port 53 -- "Connected to NS." indicates the connection establishment was fine). The error "Webhook failed with: TLS failure: End_of_file" is still mysterious to me - also 67 and c6 as output. could you include the webhok url that failed, and maybe add some more printf to figure out when a connection is established and the http request being sent / the http response being awaited (and received)?

[hannesm]

from your tcpdump output (in #8 (comment)):

• a first connection is established at 21:42:05 (after the first three packets), and teared down (by the remote side, slack) 15 seconds later (there was no data being exchanged).
• a second connection is established at 21:42:54 and 10 seconds later some data is exchanged (513 bytes, with a push), but the remote side answers with a reset flag (R) that indicates an abnormal termination

[hannesm]

I did some testing (using the debug branch here) with _build/default/app/hurl.exe https://ccc.de https://mirage.io https://robur.io https://robur.coop http://google.com https://ietf.org https://slack.com https://google.com https://discord.com and still fail to reproduce connection failures :/

output

$ _build/default/app/hurl.exe https://ccc.de https://mirage.io https://robur.io https://robur.coop http://google.com https://ietf.org https://slack.com https://google.com https://discord.com
hurl.exe: [ERROR] connection to 192.168.42.3:853 failed: Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
hurl.exe: [ERROR] connection to 192.168.42.3:853 failed: Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
hurl.exe: [ERROR] connection to 192.168.42.3:853 failed: Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
hurl.exe: [ERROR] connection to 192.168.42.3:853 failed: Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
hurl.exe: [ERROR] connection to 192.168.42.3:853 failed: Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
hurl.exe: [ERROR] connection to 192.168.42.3:853 failed: Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
hurl.exe: [ERROR] connection to 192.168.42.3:853 failed: Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
hurl.exe: [ERROR] connection to 192.168.42.3:853 failed: Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
hurl.exe: [ERROR] connection to 192.168.42.3:853 failed: Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
hurl.exe: [ERROR] connection to 192.168.42.3:853 failed: Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
hurl.exe: [ERROR] connection to 192.168.42.3:853 failed: Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
hurl.exe: [ERROR] connection to 192.168.42.3:853 failed: Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
hurl.exe: [ERROR] connection to 192.168.42.3:853 failed: Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
hurl.exe: [ERROR] connection to 192.168.42.3:853 failed: Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
hurl.exe: [ERROR] connection to 192.168.42.3:853 failed: Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
hurl.exe: [ERROR] connection to 192.168.42.3:853 failed: Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
hurl.exe: [ERROR] connection to 192.168.42.3:853 failed: Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
hurl.exe: [WARNING] received unsolicited data, ignoring
hurl.exe: [WARNING] received unsolicited data, ignoring
hurl.exe: [WARNING] received unsolicited data, ignoring
hurl.exe: [WARNING] received unsolicited data, ignoring
hurl.exe: [WARNING] received unsolicited data, ignoring
hurl.exe: [WARNING] received unsolicited data, ignoring
hurl.exe: [WARNING] received unsolicited data, ignoring
hurl.exe: [WARNING] received unsolicited data, ignoring
https://discord.com ((version "HTTP/2.0") (status 200) (reason "")
http://google.com ((version "HTTP/1.1") (status 200) (reason "OK")
https://robur.coop ((version "HTTP/1.1") (status 200) (reason "OK")
https://ccc.de ((version "HTTP/1.1") (status 200) (reason "OK")
https://mirage.io ((version "HTTP/1.1") (status 200) (reason "OK")
https://google.com ((version "HTTP/2.0") (status 200) (reason "")
https://slack.com ((version "HTTP/2.0") (status 200) (reason "")
https://ietf.org ((version "HTTP/2.0") (status 200) (reason "")
hurl.exe: [ERROR] connection to 192.168.42.3:853 failed: Unix.Unix_error(Unix.ECONNREFUSED, "connect", "")
hurl.exe: [WARNING] connection failed to host.invalid, but no entry in conns
https://robur.io ((version "HTTP/1.1") (status 200) (reason "OK")

could you try the debug branch with your webhooks on your server? The 192.168.42.3 is my local DNS resolver that does not listen to DNS-over-TLS (and the connection refused are harmless).

[hannesm]

ah, with some more pressure I find some connection failure races. will investigate further, thanks for your report again.

[hannesm]

Observations:

• it sometimes fails with Lwt_list.iter_p
• somehow (looking at the ktrace output), a Lwt_unix.connect does not return (neither report an error/raise an exception)
• I'm not able to reproduce the TLS End_of_file issue

could you try the following patch:

diff --git a/server/backend/check.ml b/server/backend/check.ml
index 8f81e1d..e08a58b 100644
--- a/server/backend/check.ml
+++ b/server/backend/check.ml
@@ -397,6 +397,7 @@ let trigger_slack_webhooks ~stderr ~old_logdir ~new_logdir conf =
     | None ->
         Printf.sprintf {|{"text":"The first check is done. Check out %s to discover which packages are now broken or fixed"}|} public_url
   in
+  let happy_eyeballs = Happy_eyeballs_lwt.create () in
   Server_configfile.slack_webhooks conf |>
   Lwt_list.iter_s begin fun webhook ->
     let%lwt () = Lwt_io.write_line stderr ("Triggering Slack webhook "^Uri.to_string webhook) in
@@ -406,6 +407,7 @@ let trigger_slack_webhooks ~stderr ~old_logdir ~new_logdir conf =
         ~meth:`POST
         ~headers:[("Content-type", "application/json")]
         ~body
+        ~happy_eyeballs
         (Uri.to_string webhook)
     with
     | Ok ({Http_lwt_client.status = `OK; _}, _body) -> Lwt.return_unit

This uses the same happy_eyeballs instance (and thus the same resolver) for all webhook requests -> only a single connection to the resolver is used.

[hannesm]

...and then even with such a patch, in dns_client_lwt connect_via_tcp_to_ns we need to ensure a single connection attempt at a time... I'll later look deeper into this issue and report back.

[hannesm]

Would you mind to test with the following branches:

• https://github.com/hannesm/ocaml-dns/tree/client-avoid-race
• https://github.com/roburio/happy-eyeballs/tree/fixes

With these (and my custom hurl) I'm no longer able to trigger connection failures. Apart from to MirageOS unikernels (but that is reported to mirage/mirage-tcpip#470 and a separate issue).

Thanks for your patience, and please let me know if with the pins above your connection establishment issues are gone.

[kit-ty-kate]

@hannesm I’ve just tested both of these branches and upon first quick testing it seems to work now! 🎉

I’m gonna try a few more time and will report any issues I encounter but this is really really promessing! Thanks a lot! 💚

[kit-ty-kate]

I can confirm, it is fixed! \o/

[hannesm]

thanks again for your report and analysis -- the dns changes are released now (in 6.1.4) and happy-eyeballs changes as well (in 0.1.3, pending to be merged into opam-repository).

closing this issue since it is fixed.