SSL_ERROR_RX_RECORD_TOO_LONG errors in Chrome and Firefox, and MacOS curl

Hi! I’m on MacOS Sonoma 14.4.1, and when I try to load many Spaces, such as MusicGen Web - a Hugging Face Space by Xenova, I get SSL_ERROR_RX_RECORD_TOO_LONG errors in Chrome and Firefox, so I have to use Safari, which I don’t otherwise.

CLI system curl shows the same error:

$ curl -IHEAD https://xenova-musicgen-web.static.hf.space/index.html
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version

Any ideas on what in your SSL config might be causing this?

I am experiencing the same thing on FF. Illusion Diffusion IllusionDiffusion - a Hugging Face Space by AP123

Although, another user has shared an image on the community section suggesting that they have used it recently.

Same here. I am experiencing the same error with a space I created recently.

Secure Connection Failed Error code: SSL_ERROR_RX_RECORD_TOO_LONG.

I tried to restart the space and even factory rebuilt it, but still not working. Any ideas to fix this error?

I’m running on Linux and both chrome and firefox get this as well. Started last week.

Are there any updates on this, @sgugger?

Same here.

Hi everyone, a few folks have been experiencing this error; it seems to be related to ISP blocking. Could you please try and see if it’s related to Safe Browse?

curl -v http://test.hf.space/

https://discussions.apple.com/thread/250969982?sortBy=best

You are totally right, @radames. It is related to ISP blocking. I just changed my Internet provider, and I was able to access the Hugging Face Spaces. Thank you.

1 Like

As I mentioned above, I am seeing an error in curl.

$ curl -v https://test.hf.space/
*   Trying 52.206.118.51:443...
* Connected to test.hf.space (52.206.118.51) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
* Closing connection
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version

Unfortunately I have Comcast internet here in the US with no alternative.

could you also please try without s
curl -v http://test.hf.space/

Sure! I get a 301 redirect to HTTPS including the port number.

$ curl -v http://test.hf.space/
*   Trying 54.83.186.239:80...
* Connected to test.hf.space (54.83.186.239) port 80
> GET / HTTP/1.1
> Host: test.hf.space
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: awselb/2.0
< Date: Mon, 15 Apr 2024 20:12:01 GMT
< Content-Type: text/html
< Content-Length: 134
< Connection: keep-alive
< Location: https://test.hf.space:443/
<
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
</body>
</html>
* Connection #0 to host test.hf.space left intact

I got a new one today; my first load of another Space I wanted to try gave me SSL_ERROR_BAD_MAC_READ before returning a number of SSL_ERROR_RX_RECORD_TOO_LONG on subsequent loads.

Here’s the output of my openssl CLI binary trying to connect.

$ openssl s_client -connect huggingfacem4-idefics-8b.hf.space:443
Connecting to 54.83.186.239
CONNECTED(00000007)
C0FAF6FC01000000:error:0A0000C6:SSL routines:tls_get_more_records:packet length too long:ssl/record/methods/tls_common.c:655:
C0FAF6FC01000000:error:0A000139:SSL routines::record layer failure:ssl/record/rec_layer_s3.c:650:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 348 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---