Packet Tunnel Provider - Writing SSL3_RT_ALERT 2 bytes

I've implemented a VPN app with Packet Tunnel Provider for macOS.

To send the packets, I'm using BSD sockets.

I noticed that when sending big files (1GB), in most of the time the uploading fails, and the relevant errors I see at the console are the following errors:



[Extension com.myExtension]: IPC detached
NESMVPNSession[Primary Tunnel:My Company - myUserName:6EF9650B-D1DA-418B-B617-AE0874DDCBD3:(null)] in state
    NESMVPNSessionStateRunning: plugin NEVPNTunnelPlugin(com.MyContainingApp]) did detach from IPC
[NOTICE] : networking grace period is over for  #lifetime

boringssl_context_message_handler(2257) [C6.1:2][0x1048aeac0] Writing SSL3_RT_ALERT 2 bytes
boringssl_context_handle_warning_alert(1892) [C6.1:2][0x1048aeac0] write alert, level: warning, description: close notify
boringssl_session_disconnect(539) [C6.1:2][0x1048aeac0] SSL_shutdown 0
nw_flow_disconnected [C6.1 20.185.73.23:443 cancelled socket-flow ((null))] Output protocol disconnected
nw_connection_report_state_with_handler_on_nw_queue [C6] reporting state cancelled
Connection 6: destroyed
nw_protocol_boringssl_remove_input_handler(1012) [C6.1:2][0x1048aeac0] nw_protocol_boringssl_remove_input_handler forced true
nw_protocol_boringssl_remove_input_handler(1030) [C6.1:2][0x1048aeac0] Transferring nw_protocol_boringssl_t handle back into ARC for autorelease

So I'm guessing it's related to "did detach from IPC" or to "SSL3_RT_ALERT 2 bytes", but what's the next step here? How can I try to figure out what's causing this?


P.S: It seems that the VPN stays connected and functional, it's just the uploading that fails.

Up vote post of roee84 Down vote post of roee84
1.9k views
Posted by
roee84
Reply
Add a Comment

Replies

Yes, the SSL3_RT_ALERT is most likely a result of the IPC detachement. An IPC detachment notice can mean a few different things; for example that the VPN connection failed to reconnect during to satisfy the on-demand rules, or that the VPN session itself actually timed out. One thing I would recommend doing is taking a rolling packet trace of your VPN connection to server while uploading the file. This should tell you which side is hanging up the connection and cut down on the data you need to record to figure this out.



Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Add a Comment

Thanks, I'll do it, but also - when trying to reproduce I saw those msgs coming from the kernel:
X86PlatformPlugin::evaluateSoftLimit NOT calling cgDispatchCallback

It appeared many times, is it also related?
And maybe "playing" with the MTU might help here?

Posted by
roee84
Up vote reply of roee84 Down vote reply of roee84
Add a Comment

I dont believe these calls are related as they look to be CPU and GPU related.

| X86PlatformPlugin::evaluateSoftLimit NOT calling cgDispatchCallback


How does you memory look during this transfer?


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Add a Comment

The memory at the extension reached to 16.5 MB

Also, those msgs appeared again (multiple times, as in the other thread I posted): utun_output - ctl_enqueuembuf failed: 55


Edit: According to this post https://forums.developer.apple.com/thread/73148

the memory limit for iOS is 15MB, but

1. It doesn't say what's the limit for macOS

2. The app/extension didn't crash, everything still works, it's just the upload that stop at the middle without any error.

Posted by
roee84
Up vote reply of roee84 Down vote reply of roee84
Add a Comment

Right, I may have mentioned before but the message:

"utun_output - ctl_enqueuembuf failed: 55"


Refers to an ENOBUFS error (55) on your control socket for utun interface when data is received but your read queue on the socket is full.

Off the top of my head I am not sure on the memory limits for Network Extensions on macOS.

I would recommend investigating the memory handling here regardless to see if it has an impact.


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Add a Comment

I think you are right, and it's related to memory issues -

I saw cases where the Memory keeps increasing (slowly, but still). At the 'View Memory Graph Hierarchy' - there are a huge number os Malloc Blocks.

However, I can't find a leak anywhere. All the buffers I'm using (including for sending/receiving data) are fixed in size.


From the other hand, at the Console I didn't see any message about killing my app.

And I noticed that sometime, when sending a big file (1GB), the memory climbed up to 12MB, and I saw the infamous 'boringssl_context_message_handler(2257) [C8.1:2][0x10484dea0] Writing SSL3_RT_ALERT 2 bytes'

'boringssl_context_handle_warning_alert(1892) [C8.1:2][0x10484dea0] write alert, level: warning, description: close notify' messages,

but AFAIK, 12MB is not the memory limit for the extension, so I can't tell why it failed, even if there's a leak.


Which steps should I take to debug it? I already decreased the memory usage, but it didn't help.


P.S - the CPU also reached 80% in some cases

Posted by
roee84
Up vote reply of roee84 Down vote reply of roee84
Add a Comment

Interesting. What does the internet connection look like when you are doing this? Are you seeing a lot of retransmissions? If so, I am wondering if you are running into a head of line blocking issue and this is causing your memory to queue up and rise over time because previous transmissions are being re-sent. I would take a look at a packet trace on this for more information on retransmissions and then look at the other side to see if they are waiting on a certain amount of data to come through before they flush their buffers on the connection.


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Add a Comment

I'll try the packet trace, but before that, I missed something at your other answer -

"utun_output - ctl_enqueuembuf failed: 55 Refers to an ENOBUFS error (55) on your control socket for utun interface when data is received but your read queue on the socket is full."


Which read queue is full?

The one related to the packets coming from packetFlow.readPackets? So I'm asking the OS for more packets where I shouldn't?

Or is the buffer to which I'm reading the responses from the network? In that case, if I'll empty the buffer before sening new packets to the network it should help, right?


Becuase I think it's all related to this error, I'll try to handle it first.
Edit: For sending/receiving traffic, I'm creating a pipe. Is it possible to change its size? Something like F_SETPIPE_SZ? Would it help?

int pipe_fds[2];
int ret = pipe(pipe_fds);
fcntl(pipe_fds[0], soemthing like F_SETPIPE_SZ, 64 * 1024);
Posted by
roee84
Up vote reply of roee84 Down vote reply of roee84
Add a Comment

Yes, this is the one. If there are retransmissions on either side check that you are not building up data on either side before it's flushed.

| Or is the buffer to which I'm reading the responses from the network? In that case, if

| I'll empty the buffer before sening new packets to the network it should help, right?


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Add a Comment

I am wondering if anyone here came to any solution in regard to upload issue through packet tunnel.

During uploading on high speed network, we always get this error “utun_output - ctl_enqueuembuf failed: 55”. Download is fine. We tried tuning some of kernel buffer sizes (going through “sysctl -a”) but no success.

We're testing on macOS Monterey ver. 12.2 Apple M1 chip.

Any response is greatly appreciated.

Thanks,

Dankira.

Posted by
dankira
Up vote reply of dankira Down vote reply of dankira
Add a Comment