<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Ishan,<div class="">In those two measurements, it certainly seems that most probes are connecting to Mega/Telegram and obtaining the correct TLS certificates.</div><div class=""><br class=""></div><div class="">To verify this on your machine, use openssl and ensure the SHA1 fingerprints match those reported in the Atlas measurements:</div><div class=""><br class=""></div><div class="">$ echo "Q" | openssl s_client -connect <a href="http://mega.nz:443" class="">mega.nz:443</a> -servername <a href="http://mega.nz" class="">mega.nz</a> | openssl x509 -noout -fingerprint -sha1</div><div class=""><br class=""></div><div class="">$ echo "Q" | openssl s_client -connect <a href="http://t.me:443" class="">t.me:443</a> -servername <a href="http://t.me" class="">t.me</a> | openssl x509 -noout -fingerprint -sha1</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">If you don’t get matching fingerprints there, have a look whether the IP addresses returned by DNS are correct:</div><div class=""><br class=""></div><div class="">$ host <a href="http://mega.nz" class="">mega.nz</a></div><div class=""><br class=""></div><div class="">$ host <a href="http://t.me" class="">t.me</a><br class=""><div class=""><br class="webkit-block-placeholder"></div><div class=""><br class="webkit-block-placeholder"></div><div class="">If that’s all fine, then you should also be able to load the addresses with curl:</div><div class=""><br class=""></div><div class="">$ curl -i <a href="https://mega.nz" class="">https://mega.nz</a></div><div class=""><br class=""></div><div class="">$ curl -i <a href="https://t.me" class="">https://t.me</a></div><div class=""><br class=""></div><div class="">For mega, the expected response is 200 OK, and for <a href="http://t.me" class="">t.me</a>, 
 a 302 redirect to <a href="http://telegram.org" class="">telegram.org</a>.</div><div class=""><br class="webkit-block-placeholder"></div><div class=""><br class=""></div><div class="">Let us know how far you get. There are many ways to prevent access to a site: blocking or modifying DNS, not routing traffic to certain IPs, intercepting HTTP, etc. It’s possible that whatever method is used here would block, say, web browser access but not a probe TLS connection, though that would be a little odd.</div><div class=""><br class=""></div><div class="">Another thing to note is that both mega and telegram publish IPv6 records for those hostnames. The measurements you ran that showed a working connection were set to IPv4-only. It may be the case that IPv4 access is not blocked; however, IPv6 access is.</div><div class=""><br class=""></div><div class="">
<div class=""><br class="">Cameron Steel<br class=""><a href="mailto:tugzrida@gmail.com" class="">tugzrida@gmail.com</a><br class=""></div>
</div>
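<div class="">Added example, not part of either message in this thread: the checks from the reply above (DNS record, TLS SHA1 fingerprint, HTTP status) run once over IPv4 and once over IPv6, reporting the first stage that fails for each address family. EXPECTED_FP, EXPECTED_CODE and the script name check.sh are placeholders; take the fingerprint from the Atlas measurement result.</div>
<pre class="">
```shell
#!/bin/sh
# Added example (not from the thread). Placeholders: EXPECTED_FP, EXPECTED_CODE.

# Reduce "SHA1 Fingerprint=AA:BB:.." or "aa:bb:.." to bare lowercase hex.
norm_fp() { printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'; }

# Name the first failing stage.
# args: dns_ok(0|1) got_fp want_fp got_code want_code
verdict() {
  if [ "$1" != 1 ]; then echo "dns-fail"; return; fi
  if [ -z "$2" ]; then echo "tls-no-cert"; return; fi
  if [ "$(norm_fp "$2")" != "$(norm_fp "$3")" ]; then echo "tls-fp-mismatch"; return; fi
  if [ "$4" != "$5" ]; then echo "http-fail"; return; fi
  echo "ok"
}

# Run DNS, TLS and HTTP checks for one name over one address family (4 or 6).
check_family() {
  name=$1; fam=$2; want_fp=$3; want_code=$4
  if [ "$fam" = 4 ]; then rr=A; else rr=AAAA; fi
  # Only checks that a record exists; compare the addresses themselves by eye.
  if host -t "$rr" "$name" | grep -q 'address'; then dns=1; else dns=0; fi
  fp=$(echo Q | openssl s_client "-$fam" -connect "$name:443" -servername "$name" 2>/dev/null |
       openssl x509 -noout -fingerprint -sha1 2>/dev/null)
  # curl prints 000 as the status when the connection is reset or times out.
  code=$(curl "-$fam" -s -o /dev/null -m 10 -w '%{http_code}' "https://$name")
  echo "$name IPv$fam: $(verdict "$dns" "$fp" "$want_fp" "$code" "$want_code")"
}

# Usage: sh check.sh mega.nz EXPECTED_FP 200   or   sh check.sh t.me EXPECTED_FP 302
if [ "$#" -eq 3 ]; then
  check_family "$1" 4 "$2" "$3"
  check_family "$1" 6 "$2" "$3"
fi
```
</pre>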
<div><br class=""><blockquote type="cite" class=""><div class="">On 25 Sep 2021, at 02:26, Ishan Jain &lt;<a href="mailto:ishanjain28@gmail.com" class="">ishanjain28@gmail.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Hi there,<br class=""><br class=""><br class="">There are some sites that are being blocked by ISPs here in India. The two cases I checked are,<br class=""><br class="">1. <a href="http://mega.nz" class="">mega.nz</a><br class=""><br class="">2. <a href="http://t.me" class="">t.me</a><br class=""><br class="">In some cases, it's the consumer ISP that's blocking access to these domains and in other cases it's the upstream providers like Tata (AS17908) that are blocking access to these sites.<br class=""><br class="">To figure out how many probes were affected, I ran 2 TLS tests. The results of those tests are here,<br class=""><br class="">1. <a href="https://atlas.ripe.net/measurements/32358061/" class="">https://atlas.ripe.net/measurements/32358061/</a><br class=""><br class="">2. <a href="https://atlas.ripe.net/measurements/32358052/" class="">https://atlas.ripe.net/measurements/32358052/</a><br class=""><br class=""><br class="">As you'll see, almost every probe received the correct TLS certificate with <a href="http://mega.nz" class="">mega.nz</a> and, excluding 4-5 probes, all the other probes received correct certificates for <a href="http://t.me" class="">t.me</a>. These measurements include 2 probes that I run in AS9829 and AS45609. Somehow, both of my probes reported that they received the correct/valid certificate in both of these measurements when it doesn't appear to be true.<br class=""><br class="">I am presented with a connection closed error when accessing these sites over HTTP and a connection reset error when accessing these sites over HTTPS over both WANs used by the two probes.<br class=""><br class=""><br class="">Have I misunderstood TLS tests? 
I am not sure what is happening here and I really appreciate any insight I can get on these results. I have also included the relevant section from the logs of 1 of my probes.<br class=""><br class=""><br class="">atlas_run: looking for 'evsslgetcert -4 -p 443 -h <a href="http://mega.nz" class="">mega.nz</a> -A "32358061" 66.203.127.18'<br class="">eooqd: found cmd 'evsslgetcert' for 'evsslgetcert -4 -p 443 -h <a href="http://mega.nz" class="">mega.nz</a> -A "32358061" 66.203.127.18'<br class="">eooqd: atlas_run: argv[0] = 'evsslgetcert'<br class="">eooqd: atlas_run: argv[1] = '-4'<br class="">eooqd: atlas_run: argv[2] = '-p'<br class="">eooqd: atlas_run: argv[3] = '443'<br class="">eooqd: atlas_run: argv[4] = '-h'<br class="">eooqd: atlas_run: argv[5] = '<a href="http://mega.nz" class="">mega.nz</a>'<br class="">eooqd: atlas_run: argv[6] = '-A'<br class="">eooqd: atlas_run: argv[7] = '32358061'<br class="">eooqd: atlas_run: argv[8] = '66.203.127.18'<br class="">eooqd: atlas_run: argv[9] = '-O'<br class="">eooqd: atlas_run: argv[10] = '/var/atlas-probe/data/new/ooq.2'<br class="">eooqd: init returned 0x738200 for 'evsslgetcert -4 -p 443 -h <a href="http://mega.nz" class="">mega.nz</a> -A "32358061" 66.203.127.18'<br class="">eooqd: check_resolv_conf2: no change (time 1632496526)<br class="">msgbuf_read: buf_read failed<br class="">ooqd: command is done for cmdstate 0x738200<br class="">sslgetcert_delete: state 0x738200, index 0, busy 0<br class="">total size in dir: 5982<br class="">httppost: before getaddrinfo<br class="">httppost: before connect<br class="">httppost: sending request<br class="">posting file '/var/atlas-probe/data/out/ooq/2'<br class="">httppost: getting result<br class="">httppost: getting reply headers<br class="">httppost: got line 'Server: nginx'<br class="">httppost: got line 'Date: Fri, 24 Sep 2021 15:56:32 GMT'<br class="">httppost: got line 'Content-Type: text/plain'<br class="">httppost: got line 'Transfer-Encoding: chunked'<br 
class="">httppost: got line 'Connection: close'<br class="">httppost: writing output<br class="">httppost: chunked 1, content_length -1<br class="">httppost: got chunk line '3'<br class="">httppost: chunk data 'OK<br class=""><br class=""><br class=""><br class="">Regards<br class="">Ishan Jain<br class=""><br class=""><br class=""></div></div></blockquote></div><br class=""></div></body></html>