Turkey is blocking some websites using Cloudflare with "SSL handshake failed" error page

this has been happening for a long time now, but my isp was fine. yesterday i lost my connection for about 15 hours and now my connection is routed through a different path (checked with tracert). it switched from the superonline path to the turktelekom path and now i can’t access the blocked websites. also my ping to Cloudflare servers went down from 40ms to 10ms; i guess i was routing through the european Cloudflare servers before the change and am now connecting to the Cloudflare istanbul servers. i think the problem is caused by Cloudflare istanbul. are you guys cooperating with the turkish government and blocking the websites they want? is this the expected behavior?

the domain is working, it’s resolving and i can connect to Cloudflare, but i’m getting a Cloudflare error page. i can confirm that the host is fine, it’s accessible with other vpns, but even if i activate Cloudflare warp, i get the same error page. somehow turkey is messing with the internal Cloudflare connections. the censorship happens during the Cloudflare-host connection. your istanbul servers can’t communicate properly with the blocked websites.

if this is intentional censorship please add an actual “connection blocked” page instead of a misleading error page. if it’s not intentional please investigate the problem and fix it. maybe give us an option to choose a server in the warp client as a workaround for now? if i could use the european servers instead of Cloudflare istanbul manually, it could work.

The SSL is failing to validate. This means that something is causing the certificate to fail and if it works from the EU then it is likely that something in Turkey is changing or failing the SSL in between Cloudflare and pastebin’s servers. There is nothing that Cloudflare can do to resolve this and it must be resolved by the Turkish ISPs.
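As an added diagnostic example (not Cloudflare's code and not posted in this thread), the Python probe below attempts a verifying TLS handshake to an origin and classifies why it failed, which is exactly the distinction being argued here: a certificate that does not validate (something on the path altered it), a connection reset (active blocking), or a timeout (packets dropped). Running it from both an affected and an unaffected vantage point is the comparison a site owner would want; the host names and the `failing_connector` helper are assumptions added so the classifier can be exercised offline.

```python
import socket
import ssl


def classify_tls_failure(exc):
    """Map the exception raised by connect()+wrap_socket() to a coarse cause."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # chain did not validate: forged, expired, or mismatched certificate
        return "cert-verify-failed"
    if isinstance(exc, ssl.SSLError):
        # handshake aborted for a protocol reason (alert, EOF mid-handshake)
        return "handshake-failed"
    if isinstance(exc, ConnectionResetError):
        # a TCP RST arrived, either from the origin or injected on the path
        return "connection-reset"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        # packets silently dropped somewhere on the path
        return "timeout"
    if isinstance(exc, OSError):
        return "connect-error"
    return "unknown"


def probe_origin(host, port=443, timeout=5.0,
                 connect=socket.create_connection, context=None):
    """Attempt a verifying TLS handshake to host:port from this vantage point.

    Returns (ok, cause, details). `connect` is injectable so the classifier
    can be exercised offline with constructed failures.
    """
    ctx = context or ssl.create_default_context()
    try:
        with connect((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, "ok", {"tls": tls.version(),
                                    "subject": cert.get("subject")}
    except Exception as exc:  # classify whatever broke the handshake
        return False, classify_tls_failure(exc), {"error": repr(exc)}


def failing_connector(exc):
    """Constructed stand-in for create_connection that raises `exc` (offline use)."""
    def connect(address, timeout=None):
        raise exc
    return connect


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder
    print(probe_origin(target))
```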

the problem is the communication between Cloudflare istanbul servers and the host. the edge certificate is okay, Cloudflare istanbul can’t handshake with the origin server, turkey is somehow controlling the origin certificate Cloudflare servers are getting from the origin host. the turkish government or the isp Cloudflare istanbul is using is messing with Cloudflare’s internal connections, which seems dangerous tbh. they’re already using methods like dns hijacking etc. but now Cloudflare is allowing them to control their internal connections as well, so as a client even if i use warp and all my traffic goes through the Cloudflare network, the government has some control over it. if they can manipulate the certificate who knows what else they can do? it’s a security issue for Cloudflare, they don’t have full control over their istanbul servers. maybe Cloudflare could route the traffic from european nodes if the closest server fails? a failover system would be a solution imo. so if the website is not blocked, it’ll connect through the istanbul servers, but if those servers get an error it’ll jump to the eu servers and try again. it’ll add some latency but that doesn’t matter for basic web browsing.

turkish isps won’t resolve this, it’s intentional on their part… it’s censorship.

This is not happening at all. The connection is being messed with after it leaves Cloudflare’s servers.

This is up to the owner of the site. They would need to set up load balancing in order to get it to work and it is not something Cloudflare will set up for them.

If there is intentional censorship then Cloudflare can’t bypass it, you should consider a VPN or WARP.

This is not happening at all. The connection is being messed with after it leaves Cloudflare’s servers.

it’s the Cloudflare error page. i can connect to the Cloudflare servers; i would get a browser error that i could ignore and continue if it were the edge certificate issue. Cloudflare istanbul servers can’t communicate with the pastebin host server. it’s a problem in the internal Cloudflare network.

This is up to the owner of the site. They would need to set up load balancing in order to get it to work and it is not something Cloudflare will set up for them.

Cloudflare is always routing your traffic through the “optimal”, in most cases the closest, Cloudflare servers. in this case it’s the istanbul server which can’t connect to the said website. Cloudflare does re-route those servers whenever there’s an outage. you can see some servers are re-routed right now at https://www.cloudflarestatus.com/ and they could do the same as a failover: if the primary Cloudflare server can’t connect to the host, a secondary server should attempt before giving us an error page. it’s not up to the site owner.

If there is intentional censorship then Cloudflare can’t bypass it,

they can’t directly block the websites using Cloudflare, they can’t easily block the domain if you’re using dns over https or the 1.1.1.1 app, and if you’re using warp/vpn they probably can’t block it at all… and they can’t block the website by ip address either since the origin ip is hidden and all they can see is the Cloudflare ips. so they’re messing with the internal Cloudflare connections here.

you should consider a VPN or WARP.
as i said, warp doesn’t work either. i’m getting the same error page even with warp activated. it’s a problem between Cloudflare istanbul and the host.
even if i use a vpn with turkish servers, it gets the same error as it’s routing through Cloudflare istanbul. the istanbul servers are the problem here.

again…

The connection is being messed with after it leaves Cloudflare’s servers.

if that were the case, i wouldn’t get the same error with warp activated. all my traffic goes through the Cloudflare network with warp. if you can, just check the logs of your istanbul server and see if there was a successful connection with pastebin in the last few months.

even my tunnel connection shows up as “degraded” after the change. i didn’t notice any issues yet; the page doesn’t provide any detailed information so i don’t know what’s degraded here… but i never had this problem when my internet connection was routed through the european servers. there’s something wrong with the istanbul servers.

i’m using a different isp at work, which was always routed through the istanbul servers and had the same issues, but i just didn’t care since it wasn’t as important. now they changed my home connection’s route as well. these issues have been happening for a long time now; it’s not something new.

here are some other examples

Yes, it is the Cloudflare error page. It is because Cloudflare is not able to establish a connection with the origin server securely. If someone had taken over Cloudflare’s servers, why would they refuse to connect to an origin server they wanted to control access to?

This is Argo. Argo (docs) routes to the quickest path between Cloudflare and your origin. It doesn’t care if your origin is secure or reachable, it just wants to connect to the IP quickly.

Are you saying that Cloudflare should fail over an entire datacenter because some origins are unreachable? As far as Cloudflare is concerned, the datacenter is fine and has no reason to re-route it.

There is nothing wrong with the Istanbul datacenter. There is something that Turkish ISPs do after the connection leaves Cloudflare’s servers that is messing with connections.

All of these examples show that Turkish ISPs are messing with the connections and it has nothing to do with Cloudflare. If people were able to intercept the connections on Cloudflare’s servers, they wouldn’t be blocking invalid SSL.


All of these examples show that Turkish ISPs are messing with the connections and it has nothing to do with Cloudflare. If people were able to intercept the connections on Cloudflare’s servers, they wouldn’t be blocking invalid SSL.

the ISPs, in this case turk telekom, are messing with Cloudflare’s connection. Cloudflare istanbul’s connection with the origin servers is censored, not my connection with the Cloudflare servers…

here’s what 0xbkt says, which is correct.

Any traffic sent out over AS6663 by Cloudflare to the origin can be affected

so Cloudflare should either ditch AS6663 (turk telekom) or make them stop messing with their connections to the origin servers. the european datacenters were using seabone for example. that was fine.

Are you saying that Cloudflare should fail over an entire datacenter because some origins are unreachable?

i’m saying that Cloudflare should fail over the datacenter for the affected websites. if the istanbul server can connect to the origin that’s fine, but on error it should attempt again using a different datacenter before giving us an error.

There is nothing wrong with the Istanbul datacenter. There is something that Turkish ISPs do after the connection leaves Cloudflare’s servers that is messing with connections.

by "after the connection leaves Cloudflare’s servers" do you mean the connection between the client and Cloudflare? that’s wrong… it’s the connection between Cloudflare and the origin server, which Cloudflare should have full control over, but it doesn’t.

If someone had taken over Cloudflare’s servers, why would they refuse to connect to an origin server they wanted to control access to?

they didn’t take control of the Cloudflare servers, they have some control over Cloudflare istanbul’s internet connection. they can’t do anything except block the connection by failing the ssl, unless they can get access to pastebin’s private keys.

Cloudflare doesn’t know to fail over. Failovers/load balancing are set on a per-domain basis. If a server only exists in Turkey, then what is Cloudflare supposed to fail over to?

See this blog post

This is what I mean (apologies for the quick diagram)


and this section is outside of Cloudflare’s control and is where the connection is being messed with (not saying they are messing with pastebin’s server, but that the origin servers are outside Cloudflare’s control).

This is absolutely correct. Once a connection has left Cloudflare, any ISP or government organization is able to mess with and disrupt connections, including MITMing.


well Cloudflare does have some control here, kinda. not directly, sure…

like changing their isp for the istanbul servers? forcing them to stop these actions or choosing an alternative? i assume Cloudflare is paying a lot of money for that huge traffic, so they should have some bargaining power over the isp. and it should be their right to be able to access their origin servers uninterrupted. if Cloudflare is willingly accepting this censorship then they should be clear about it. just put up a new error page saying it’s blocked by the government etc. the current error page is misleading as it says there’s a problem with the origin server (in this case, pastebin for example). but the actual problem is Cloudflare’s isp, not the origin server.

or just simply letting us choose the colocation center in the 1.1.1.1/warp app would be a quick and easy workaround for the people that actually care and are a bit tech savvy. i know it can be abused to bypass geo-restricted content, but you guys are already adding the real user ip in the request headers while using warp, so it’s up to the content owners; they can work with the real ip if they want, instead of the ip assigned by warp. i know that warp works like a vpn but it’s not an actual vpn replacement since it doesn’t intend to hide the user ip. or at least give us an option to choose between the 3 best options instead of automatically connecting to the closest datacenter? it doesn’t have to let people choose a country from a different continent lol… i just want an option to be able to browse the internet freely.
