SSL routines:ST_CONNECT:tlsv1 alert protocol version

Running into an issue here with workers, where I cannot curl specifically in San Francisco. When I VPN somewhere else it works. I have tried on multiple different machines.
curl -vv https://oai.hconeai.com
* Trying [2606:4700::6812:cba]:443...
* Connected to oai.hconeai.com (2606:4700::6812:cba) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
* Closing connection
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
Walshy, 7mo ago
Not seeing a CAA record
$ dig CAA oai.hconeai.com

; <<>> DiG 9.10.6 <<>> CAA oai.hconeai.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6659
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;oai.hconeai.com. IN CAA

;; AUTHORITY SECTION:
hconeai.com. 1800 IN SOA hattie.ns.cloudflare.com. dns.cloudflare.com. 2342329865 10000 2400 604800 1800

;; Query time: 13 msec
;; SERVER: 192.168.178.1#53(192.168.178.1)
;; WHEN: Mon May 27 22:44:50 BST 2024
;; MSG SIZE rcvd: 122

$ dig CAA hconeai.com

; <<>> DiG 9.10.6 <<>> CAA hconeai.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10315
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;hconeai.com. IN CAA

;; AUTHORITY SECTION:
hconeai.com. 1800 IN SOA hattie.ns.cloudflare.com. dns.cloudflare.com. 2342329865 10000 2400 604800 1800

;; Query time: 12 msec
;; SERVER: 192.168.178.1#53(192.168.178.1)
;; WHEN: Mon May 27 22:44:53 BST 2024
;; MSG SIZE rcvd: 118
only weird thing i'm seeing immediately
what colo and what's your ray ID when hitting with the cert error?
Justin (OP), 7mo ago
Thanks @Walshy | Deploying for your message. I am not able to get any more information
curl -vv -I https://oai.hconeai.com
* Trying [2606:4700::6812:dba]:443...
* Connected to oai.hconeai.com (2606:4700::6812:dba) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
* Closing connection
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
The weird issue here is that I am able to deploy a new worker under a different domain and it works correctly... We actually have a bunch of domains pointing to the same worker...

Here are a few domains that do not work
- https://together.hconeai.com
- https://oai.hconeai.com

Domains that do work
- https://oai.eu.hconeai.com
- https://oai.helicone.ai

Some other weird notes and behavior

The issue is not operating system specific and is happening location specific. When I join a VPN I do not run into this issue. Running from different computers, at different locations within San Francisco, causes this issue to happen.

I have tried the following environments
- MacOS + Node + (Lower Haight SF)
- MacOS + Curl + (Lower Haight SF)
- Ubuntu + Curl + (Lower Haight SF)
- MacOS + Node + (Downtown SF)
- MacOS + Curl + (Downtown SF)

I have attempted on multiple devices and the issue persists. I tried clearing my computer's DNS cache as well and that did not help. I also was experiencing some issues with ipv6 and forcing it to be ipv4 does not help.

Right now I deployed another worker on another domain to unblock some customers https://oai.helicone.ai

@Walshy | Deploying here are the Ticket IDs I have created #3276797 #3274350 #3273394
Walshy, 7mo ago
can you do a curl https://cloudflare.com/cdn-cgi/trace and send the output (but censor the ip=)
i can check the tickets in a bit (please note, creating multiple just slows down the process)
Justin (OP), 7mo ago
they are separate issues, maybe I can resolve them and put all my notes into 1 massive ticket?
Walshy, 7mo ago
ok cool, if they're separate then it's all good
Justin (OP), 7mo ago
curl https://cloudflare.com/cdn-cgi/trace
fl=465f161
h=cloudflare.com
ip=
ts=1716855598.869
visit_scheme=https
uag=curl/8.4.0
colo=SJC
sliver=none
http=http/2
loc=US
tls=TLSv1.3
sni=plaintext
warp=off
gateway=off
rbi=off
kex=X25519
Walshy, 7mo ago
ty - i tested sjc earlier and it seemed to work for me, i'll check it a bit more in a little. let me finish this hearthstone game
yeah not seeing anything weird, added myself to all 3 tickets and will chat to support folk tomorrow
Justin (OP), 7mo ago
Thanks Walshy - Happy to provide more information if needed
Hi @Walshy | Deploying still running into this issue