Constant delay in TLS handshake after 26.1.6_2 update

Started by odites999, Today at 02:01:44 PM

After the update, accessing many websites becomes incredibly slow (when it even works) with numerous "performing TLS handshake" messages. Searching online, I found a solution for Firefox that involves enabling the "network.dns.disableIPv6" parameter. After that, it works fine again in that Firefox instance, but the problem persists for the rest of the network. Is anyone else experiencing something similar?

The name of the parameter should give you a hint about what is probably wrong with your setup: DNS resolution for IPv6 names or IPv6 reachability.

You should investigate what exactly goes wrong (and then, why).

For example:

1. When you resolve a name like "www.google.com", you will get both an IPv6 and an IPv4 address - that is, if DNS resolution does not fail in the first place, in case your client tries to resolve via IPv6 first. If that fails, which is the IPv6 address of your DNS server? Does it answer?

2. Can you reach the resolved IPv6 via ping? Probably not.

3. Does your client get a routable IPv6?

4. Has it got an IPv6 gateway? Can it be reached?

5. Can you reach your upstream gateway? Or any IPv6, like "2600::", via ping?

You catch my drift. "websites are slow" means "cannot be reached via IPv6, which is the preferred way" in your case. There is about 0% chance that TLS is impacted. OpnSense does not even interfere with that, unless you use a proxy.

When IPv6 did work before, you should be able to fix it. If your ISP does not offer it, turn it off globally.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+
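The five checks above, worked through as a script. This is an added example, not code from the thread or from OPNsense: it assumes a Linux client with glibc `getent`, iproute2 `ip` and iputils `ping -6`, uses the www.google.com and 2600:: values from the post (overridable through the IPV6_CHECK_HOST and IPV6_CHECK_PROBE variables, which are this script's own names), and carries constructed sample command outputs (documentation prefix 2001:db8::/32) so the parsing can be exercised without a network. It stops at the first failing layer in the post's order, since that is the one to fix.

```shell
#!/bin/sh
# Added example (not from the thread or from OPNsense): walk the five checks from the post
# on a Linux client. Assumes glibc getent, iproute2 `ip` and iputils `ping -6`.
# Run with --live to execute the checks; --selftest runs them over the constructed samples.

HOST="${IPV6_CHECK_HOST:-www.google.com}"   # name from the post; override via environment
PROBE="${IPV6_CHECK_PROBE:-2600::}"         # the "any IPv6" probe from the post

# Constructed sample command outputs (documentation prefix 2001:db8::/32, not real captures).
SAMPLE_GETENT='2001:db8::10    STREAM www.example.test
2001:db8::10    DGRAM
2001:db8::10    RAW'
SAMPLE_GETENT_V4ONLY='::ffff:192.0.2.10 STREAM www.example.test
::ffff:192.0.2.10 DGRAM
::ffff:192.0.2.10 RAW'
SAMPLE_IPADDR='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2::1234/64 scope global dynamic mngtmpaddr
       valid_lft 86399sec preferred_lft 14399sec
    inet6 fe80::1234:5678:9abc:def0/64 scope link
       valid_lft forever preferred_lft forever'
SAMPLE_ROUTE='2001:db8:1:2::/64 dev eth0 proto ra metric 1024 expires 86399sec pref medium
fe80::/64 dev eth0 proto kernel metric 1024 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 expires 1799sec pref medium'
SAMPLE_PING_OK='3 packets transmitted, 3 received, 0% packet loss, time 2003ms'
SAMPLE_PING_FAIL='3 packets transmitted, 0 received, 100% packet loss, time 2040ms'

# Step 1: first real AAAA answer in `getent ahostsv6 NAME` output.
# getent returns IPv4-mapped ::ffff: addresses when there is no AAAA, so those are skipped.
first_aaaa() {
    printf '%s\n' "$1" | awk '$1 ~ /:/ && $1 !~ /^::ffff:/ { print $1; exit }'
}

# Step 3: number of global-scope addresses in `ip -6 addr` output (0 = no routable address).
count_global_v6() {
    printf '%s\n' "$1" | awk '/inet6/ && /scope global/ { n++ } END { print n + 0 }'
}

# Step 4: default gateway from `ip -6 route` output, with %dev appended for link-local
# gateways so that ping can use it; prints nothing when there is no default route.
default_v6_gateway() {
    printf '%s\n' "$1" | awk '/^default via/ {
        gw = $3; if (gw ~ /^fe80:/) gw = gw "%" $5; print gw; exit }'
}

# Steps 2, 4, 5: did a ping get at least one reply? Accepts iputils and BSD summary lines.
ping_ok() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+ packets transmitted, [1-9][0-9]* (packets )?received'
}

# Combine the results in the post's order; the first failing layer is the one to fix.
# Arguments: aaaa global_count gateway gw_ok probe_ok target_ok (1/0 for the last three)
verdict() {
    aaaa="$1"; globals="$2"; gw="$3"; gw_ok="$4"; probe_ok="$5"; target_ok="$6"
    [ -n "$aaaa" ]       || { echo "no AAAA answer: fix IPv6 DNS resolution first"; return; }
    [ "$globals" -gt 0 ] || { echo "no global IPv6 address: client gets no routable prefix (RA/DHCPv6)"; return; }
    [ -n "$gw" ]         || { echo "no default IPv6 route: no gateway learned from router advertisements"; return; }
    [ "$gw_ok" = 1 ]     || { echo "gateway $gw does not answer: LAN-side IPv6 problem"; return; }
    [ "$probe_ok" = 1 ]  || { echo "gateway ok but $PROBE unreachable: upstream IPv6 broken; disable IPv6 globally if the ISP offers none"; return; }
    [ "$target_ok" = 1 ] || { echo "IPv6 works but $aaaa is unreachable: path or filtering problem for this destination"; return; }
    echo "IPv6 path to $aaaa is healthy; the slowness is not an IPv6 reachability problem"
}

# Run one ping against an address and print 1 (replies seen) or 0.
probe() {
    if ping_ok "$(ping -6 -c 3 -W 2 "$1" 2>/dev/null)"; then echo 1; else echo 0; fi
}

run_live() {
    aaaa=$(first_aaaa "$(getent ahostsv6 "$HOST" 2>/dev/null || true)")
    globals=$(count_global_v6 "$(ip -6 addr 2>/dev/null || true)")
    gw=$(default_v6_gateway "$(ip -6 route 2>/dev/null || true)")
    gw_ok=0; probe_ok=0; target_ok=0
    if [ -n "$gw" ]; then gw_ok=$(probe "$gw"); probe_ok=$(probe "$PROBE"); fi
    if [ -n "$aaaa" ]; then target_ok=$(probe "$aaaa"); fi
    echo "AAAA=$aaaa globals=$globals gw=$gw gw_ok=$gw_ok probe_ok=$probe_ok target_ok=$target_ok"
    verdict "$aaaa" "$globals" "$gw" "$gw_ok" "$probe_ok" "$target_ok"
}

case "${1:-}" in
    --live) run_live ;;
    --selftest)
        verdict "$(first_aaaa "$SAMPLE_GETENT")" "$(count_global_v6 "$SAMPLE_IPADDR")" \
                "$(default_v6_gateway "$SAMPLE_ROUTE")" 1 1 1 ;;
esac
```

`sh ipv6check.sh --live` prints the raw findings followed by the verdict; a client that resolves the name but has no global address, or has a gateway that does not answer, is stopped at that layer rather than blamed on TLS, which matches the point of the post.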

I'll try everything you suggested. The strange thing is, everything was working perfectly yesterday. Today I updated and it started malfunctioning even though I hadn't changed any settings.

Read the change notes for the update(s) you did. I think there were changes for IPv6. Probably, you need a reboot, depending on what your update path was.

Quote from: meyergru on Today at 02:11:06 PM

The name of the parameter should give you a hint about what is probably wrong with your setup: DNS resolution for IPv6 names or IPv6 reachability.

You should investigate what exactly goes wrong (and then, why).

For example:

1. When you resolve a name like "www.google.com", you will get both an IPv6 and an IPv4 address - that is, if DNS resolution does not fail in the first place, in case your client tries to resolve via IPv6 first. If that fails, which is the IPv6 address of your DNS server? Does it answer?

2. Can you reach the resolved IPv6 via ping? Probably not.

3. Does your client get a routable IPv6?

4. Has it got an IPv6 gateway? Can it be reached?

5. Can you reach your upstream gateway? Or any IPv6, like "2600::", via ping?

You catch my drift. "websites are slow" means "cannot be reached via IPv6, which is the preferred way" in your case. There is about 0% chance that TLS is impacted. OpnSense does not even interfere with that, unless you use a proxy.

When IPv6 did work before, you should be able to fix it. If your ISP does not offer it, turn it off globally.


Replies to every point:

1. DNS responses work ok. The DNS server is the upstream router.
2. Ping to the resolved address works well.
3. Yes. It gets a routable IPv6.
4. Yes.
5. Yes.

I ran a test on http://test-ipv6.com, which failed, including the fact that it says my provider is "APPLE-ENGINEERING - Apple Inc., US" and that's getting close to witchcraft... ;-) because I don't have any Apple devices at home and my provider is Movistar in Spain.

Quote from: meyergru on Today at 02:29:45 PM

Read the change notes for the update(s) you did. I think there were changes for IPv6. Probably, you need a reboot, depending on what your update path was.

I just read the notes and I don't see anything that could directly affect me (probably due to my lack of knowledge).

The provider test is crap, for me, it shows "OPALTELECOM-AS TalkTalk Communications Limited, GB", while I am in Germany.

If you still use the parameter in Firefox, the test should probably fail, because that setting essentially disables IPv6.

There were several changes in 26.1.6 for IPv6. If you only did a 26.1.6 -> 26.1.6_2 upgrade, everything should work.

What do you mean by "the DNS server is the upstream router"? Do you use a router-behind-router setup, do you mean the ISP router or your OpnSense? If so, its IPv4 or IPv6 address? Please be more specific.


Quote from: odites999 on Today at 02:40:05 PM

my provider is Movistar in Spain.

Is there a chance that you could get kicked into a CG-NAT segment of their network after rebooting your router?

I can imagine a congested CG-NAT network can cause all sorts of issues...

Could you do a tracert/traceroute to the websites you are having issues with?
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)