Bug: Intermittent TLS handshake failure connecting to memclaude.thaicloud.ai

[pitimon]

Summary

memforge MCP tools fail to connect to memclaude.thaicloud.ai due to intermittent TLS handshake failures at the Cloudflare edge. This affects all TLS clients (Bun, Node.js, curl, openssl) from the client machine.

Symptoms

• mem_status reports: Connectivity: Failed - unknown certificate verification error
• All memforge MCP tools (search, semantic_search, etc.) fail
• db-watcher sync works intermittently (~50% success rate)

Observed behavior

# Bun (used by memforge MCP)
error: unknown certificate verification error
  path: "https://memclaude.thaicloud.ai/api/sync/status"
  code: "UNKNOWN_CERTIFICATE_VERIFICATION_ERROR"

# curl - intermittent (~50% fail)
OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to memclaude.thaicloud.ai:443

# openssl s_client - no peer certificate
SSL handshake has read 0 bytes and written 314 bytes
no peer certificate available

Diagnosis

• The issue is not client-side — affects curl, Bun, Node.js, and raw openssl equally
• openssl s_client receives 0 bytes from server during TLS handshake
• All 3 Cloudflare IPs (104.26.10.75, 104.26.11.75, 172.67.70.177) show same behavior
• Success is intermittent and time-dependent, not IP-dependent

Suggested investigation (server-side)

1. Check Cloudflare Tunnel health and connection stability to origin
2. Verify SSL/TLS mode in Cloudflare dashboard (recommend: Full Strict)
3. Check if Encrypted Client Hello (ECH) is enabled — may cause issues with older TLS stacks
4. Review Cloudflare Edge Certificates status and expiration
5. Check origin server load and responsiveness

Environment

• Client OS: Debian bullseye (OpenSSL 1.1.1w)
• Bun: 1.3.9 (BoringSSL)
• Node.js: v24.14.0
• curl: 7.74.0
• memforge-client: 1.1.0
• claude-mem: 10.4.0

[pitimon]

Status Update

This issue is a server-side/infrastructure problem — the TLS handshake failure originates at the Cloudflare edge, not in the memforge client code. All TLS clients (Bun, Node.js, curl, openssl) are equally affected, confirming the root cause is upstream.

What the client can do (already done in v1.2.1)

The security hardening in v1.2.1 (#14) added URL validation and connectivity checks, but the TLS issue itself requires server-side investigation:

1. Cloudflare Tunnel health and connection stability to origin
2. SSL/TLS mode in Cloudflare dashboard (recommend: Full Strict)
3. Encrypted Client Hello (ECH) — may cause issues with older TLS stacks
4. Edge Certificate status and expiration
5. Origin server load and responsiveness

Workaround

When TLS fails intermittently, retry usually succeeds. The db-watcher sync already has retry logic built in (~50% success rate confirms intermittent nature).

This issue needs attention from whoever manages the memclaude.thaicloud.ai Cloudflare configuration.