Iranian government is censoring new web sites added to Cloudflare and it only applies to HTTPS site with new Cloudflare CA: CloudFlare Inc ECC CA-2.
It’s so confusing, some new websites are accessible (like http://hamyarwp.com/) but others not! (like https://rexupload.com/). Any new website I add to my panel or colleagues, have the same issue with Universal SSL.
My Cloudflare configuration:
Always Use HTTPS: on
HTTP Strict Transport Security (HSTS): on and valid for 6 months
Minimum TLS Version: TLS 1.2
Opportunistic Encryption: on
TLS 1.3: Enabled + 0-RTT
(304) (OUT), TLS handshake, Client hello (1):
AS44244 Iran Cell Service and Communication Company: http://termbin.com/4i39
AS47796 Pardaz Gostar Ertebatat Berelian Limited Liability Company: https://termbin.com/bwwt
AS43754 Asiatech Data Transfer Inc PLC: https://termbin.com/9gqa
AS50810 Mobin Net Communication Company (Private Joint Stock): https://termbin.com/270o
AS24631 Tose’h Fanavari Ertebabat Pasargad Arian Co. PJS: https://termbin.com/c35o
AS57230 Aria Web Development LLC: https://termbin.com/lxe6
AS61173 Green Web Samaneh Novin Co Ltd: https://termbin.com/3pcq
As you can see some users in
AS43754 Asiatech can access the website and others can’t!
RIPE Atlas test result:
Minimum TLS 1.3: https://atlas.ripe.net/measurements/22693776/#!probes
Minimum TLS 1.0: https://atlas.ripe.net/measurements/22703933/#!probes
Beside these I found out another website, http://hamyarwp.com/ is mostly accessible in Iran.
I don’t know how the owner configured Cloudflare, but there is no differences in TLS handshake process, just their IP range is different and I tried to load
https://rexupload.com/ through their Cloudflare Anycast range and again I receive timeout!
curl -4svI --resolve rexupload.com:443:220.127.116.11 https://rexupload.com/
cURL --resolve failed:
AS44244 Iran Cell Service and Communication Company: https://termbin.com/2udn
Both X.509 certificates and root CA certificates are the same just letter
f in Cloudflare, for
rexupload.com is in capital
F and for
hamyarwp.com is lowercase
TLS 1.2, only TLS 1.3 + 0-RTT made no difference and OCSP stapling is working fine:
openssl s_client -connect rexupload.com:443 -tlsextdebug -status | grep -i -A 20 OCSP
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 3E742D1FCF4575047E3FC0A2873E4C43835113C6
Produced At: Sep 1 09:29:59 2019 GMT
Hash Algorithm: sha1
Issuer Name Hash: 2B0413693DF1D33D7E89CBA055CF204F9C158C9D
Issuer Key Hash: 3E742D1FCF4575047E3FC0A2873E4C43835113C6
Serial Number: 01621D1A527AF3F5AE2B4B25D4858146
Cert Status: good
This Update: Sep 1 09:29:59 2019 GMT
Next Update: Sep 8 08:44:59 2019 GMT
Signature Algorithm: ecdsa-with-SHA256
DNSSEC is configured:
In SSLlabs test, the only difference is
hamyarwp.com Doesn’t have
DNS Certification Authority Authorization (CAA) Policy
One of our Iranian users mentioned he can open
Windows 10 - 64 bit Google Chrome but can not open it via Ubuntu Linux connected to the same modem (so same public IP and ISP).
AS42337 Respina Networks & Beyond PJSC: https://termbin.com/ed4x
In this case, there may be a request that some operating systems send and it triggers governmental DPI (Deep Packet Inspection) firewall and it blocks the request but other OSs don’t send the request and they can open the website properly!
We couldn’t test ESNI because when we start cloudflared and activate ESNI on Firefox, we can not even open cloudflare.com! and this only happens to users on the same ISPs who could not open
There may be some similarities between ESNI - DNS over HTTPS and Universal SSL requests!
I will order
Dedicated SSL and let you know if that fixed the problem, but if you are from Cloudflare support team, please check
hamyarwp.com and let us know what is the difference so we can implement it on other websites.
cURL for https://hamyarwp.com/ succeeded:
AS44244 Iran Cell Service and Communication Company: https://termbin.com/5sjr
AS50810 Mobin Net Communication Company (Private Joint Stock): https://termbin.com/su2l
Thanks for reading this far, any idea and comment may be helpful.
Thanks in advance.
P.S. 1: SSL test for hamyarwp.com:443 -> https://atlas.ripe.net/measurements/22698882/#!general
P.S. 2: All old websites with
COMODO ECC Domain Validation Secure Server CA 2 like
sni81127.cloudflaressl.com are working fine, this issue is only related to new Universal SSLs.
P.S. 3: I can provide web proxy, VPN or remote Desktop from Iran to test thoroughly.