HTTPS Request Timeouts from CentOS 6.10 servers

As of June 9th, 2020 I have been getting intermittent timeouts when making an HTTPS request to a Cloudflare proxied domain. So far I have only been getting these timeouts on CentOS 6.10 servers (with latest curl, nss, yum, and openssl updates). I have not been getting them on CentOS 8.1 servers or on my local Mac when running the below curl command:

curl -v --tlsv1.2 https://zeta.maizegdb.org/docs/testdoc.txt

Sometimes the request succeeds, but other times it does not. The output from the above command when running on my CentOS 6.10 server is below:

* About to connect() to zeta.maizegdb.org port 443 (#0)
*   Trying 2606:4700:20::681a:b70... Timeout
*   Trying 2606:4700:20::681a:a70... connected
* Connected to zeta.maizegdb.org (2606:4700:20::681a:a70) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*   subject: CN=sni.cloudflaressl.com,O="Cloudflare, Inc.",L=San Francisco,ST=CA,C=US
*   start date: Mar 19 00:00:00 2020 GMT
*   expire date: Oct 09 12:00:00 2020 GMT
*   common name: sni.cloudflaressl.com
*   issuer: CN=CloudFlare Inc ECC CA-2,O="CloudFlare, Inc.",L=San Francisco,ST=CA,C=US

> GET /docs/testdoc.txt HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.44 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: zeta.maizegdb.org
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 10 Jun 2020 02:33:25 GMT
< Content-Type: text/plain; charset=UTF-8
< Content-Length: 8
< Connection: keep-alive
< Set-Cookie: __cfduid=d451efbe7cb42e7e9149e91a65a78af4e1591756405; expires=Fri, 10-Jul-20 02:33:25 GMT; path=/; domain=.maizegdb.org; HttpOnly; SameSite=Lax; Secure
< Last-Modified: Tue, 09 Jun 2020 22:52:32 GMT
< ETag: "2a2f2e-8-5a7ae95260c00"
< Accept-Ranges: bytes
< Vary: Origin
< CF-Cache-Status: DYNAMIC
< cf-request-id: 033dac511d00009ef13d858200000001
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Server: cloudflare
< CF-RAY: 5a0faffb6dba9ef1-ORD
<

You can see that the first connection attempt timed out (it took about 100 seconds to time out, which is the default for CloudFlare’s 524 Errors). Have there been any recent changes on the CloudFlare side around June 9, 2020 that may have caused CentOS 6.X servers to have these connection timeouts? We did not have this problem as recently as June 8th.

Thank you for any assistance!!!

That shouldn’t be related. The default timeout with a 524 only applies when the connection has been already established and when the origin does not respond. In your case it seems the TCP connection itself didn’t work.

When you experience the timeouts, can you ping that host?

Also, you seem to be using IPv6, could you check if you ever experience timeouts as well when you force IPv4?

THANK YOU SANDRO! I did not experience timeouts when forcing curl to resolve to the IPv4 address. I was able to solve this issue at the OS level by configuring /etc/gai.conf to prefer IPv4 addresses over IPv6 when both are returned in a DNS lookup.

However, I would still like to figure out why our CentOS 6 servers are sometimes timing out when resolving to an IPv6 address. In the above curl output it timed out when trying to connect to 2606:4700:20::681a:b70, but I have observed it successfully connecting to this same IP address on the first attempt when running the same curl command again. Do you have any thoughts about what could be causing these intermittent timeouts to IPv6 addresses? This issue just started happening yesterday (June 9) on all of our CentOS 6 machines and I’m not sure what could have changed.

Thanks again!

That’s why I asked if you can ping the machine when experiencing the timeouts.
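An added example, not written by anyone in this thread: a Python 3 script that makes one TCP connect per resolved address with a short timeout, so intermittent IPv6 connect timeouts like the one in the curl output above can be counted per address and per family. The function names, the 5-second timeout and the default port are assumptions of this example.

```python
import socket
import sys
import time

FAMILY_NAMES = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}

def probe_address(family, sockaddr, timeout=5.0):
    """Attempt one TCP connect; return (outcome, elapsed_seconds)."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)  # assumed value, chosen so a dead path fails fast
    start = time.monotonic()
    try:
        sock.connect(sockaddr)
        outcome = "connected"
    except socket.timeout:
        outcome = "timeout"
    except OSError as exc:  # refused, network unreachable, no route, ...
        outcome = "error: %s" % (exc.strerror or exc)
    finally:
        sock.close()
    return outcome, round(time.monotonic() - start, 3)

def probe_host(host, port=443, timeout=5.0, rounds=1):
    """Resolve host, then probe every returned address `rounds` times."""
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    # De-duplicate but keep resolver order, which is what /etc/gai.conf influences.
    targets = list(dict.fromkeys((info[0], info[4]) for info in infos))
    results = []
    for _ in range(rounds):
        for family, sockaddr in targets:
            outcome, elapsed = probe_address(family, sockaddr, timeout)
            results.append((FAMILY_NAMES.get(family, str(family)), sockaddr[0], outcome, elapsed))
    return results

def summarize(results):
    """Return {family: {"connected": n, "failed": m}} for a list of probe results."""
    summary = {}
    for family, _addr, outcome, _elapsed in results:
        counts = summary.setdefault(family, {"connected": 0, "failed": 0})
        counts["connected" if outcome == "connected" else "failed"] += 1
    return summary

if __name__ == "__main__":  # usage: probe.py HOST [ROUNDS]
    rows = probe_host(sys.argv[1], rounds=int(sys.argv[2]) if len(sys.argv) > 2 else 1)
    for row in rows:
        print("%-4s %-40s %-30s %.3fs" % row)
    print(summarize(rows))
```

Running it with several rounds while the timeouts are occurring shows whether failures cluster on one IPv6 address, on all IPv6 addresses, or on both families.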
