signalapp / Signal-Desktop

A private messenger for Windows, macOS, and Linux.
https://signal.org/download
GNU Affero General Public License v3.0

Link Previews not Loading on some Networks #3349

Closed Xashyar closed 4 years ago

Xashyar commented 5 years ago

Bug Description

Although Reddit and Instagram aren't censored on my network (while Imgur, YouTube and Pinterest are), I'm not able to receive their link previews unless I switch on a VPN. Reddit and Instagram are fully accessible from the browser on the same network/device.

Steps to Reproduce

  1. check to see if this sample link is accessible from the browser
  2. if so, copy & paste in Signal to get link previews
  3. watch previews aren't loaded

Expected Result: Reddit and Instagram Previews should load as usual

Screenshots


Platform Info

Signal Version: 1.25.1

Operating System: Windows 10

Link to Debug Log

Several GET messages without response

```
INFO  2019-05-17T01:28:15.818Z GET [REDACTED_URL]
.
.
INFO  2019-05-17T01:28:28.742Z SQL channel job 135 (updateConversation) succeeded in 24ms
INFO  2019-05-17T01:28:29.193Z GET [REDACTED_URL]
INFO  2019-05-17T01:28:29.730Z SQL channel job 138 (updateConversation) succeeded in 25ms

INFO  2019-05-17T01:29:37.135Z Sending a keepalive message
INFO  2019-05-17T01:29:55.909Z Remove all notifications
.
.
INFO  2019-05-17T01:29:58.012Z GET [REDACTED_URL]
INFO  2019-05-17T01:29:58.548Z SQL channel job 155 (updateConversation) succeeded in 25ms
INFO  2019-05-17T01:30:00.341Z SQL channel job 158 (updateConversation) succeeded in 28ms
INFO  2019-05-17T01:30:01.545Z SQL channel job 161 (updateConversation) succeeded in 23ms
```

Xashyar commented 5 years ago

ping @five-c-d

scottnonnenberg-signal commented 5 years ago

Those requests look to be hanging, never getting a response from the Signal proxy.

Are you using the command-line option to specify a proxy URL? (note that this is the kind of thing I could tell from your log)

Which URLs do work for link previews?

Xashyar commented 5 years ago

> Are you using the command-line option to specify a proxy URL? (note that this is the kind of thing I could tell from your log)

No, I just copied & pasted from the debug log and did some edits.

> Which URLs do work for link previews?

Nothing, so it might be that the Signal Proxy is being blocked?

five-c-d commented 5 years ago

Seems like this has also not worked on the signal4smartphone of the same == https://community.signalusers.org/t/beta-feedback-for-the-upcoming-android-4-33-release/5880/8

> Which URLs do work for link previews?

It sounds like, if Xashyar has the VPN turned on, Reddit+Instagram works (e.g. the test-URL in the OP), but if they turn off the VPN, then Reddit+Instagram stops working.

Youtube+Pinterest+Imgur would ... even if the link-preview succeeded ... fail to fully work, because those websites themselves are blocked by the censorship. The hypothesis is, maybe link-previews of reddit+instagram fail to work, because signal-proxy-URL is being censored, whereas for whatever reason, signal-server-itself is not being censored??

Xashyar commented 5 years ago

> because signal-proxy-URL is being censored, whereas for whatever reason, signal-server-itself is not being censored??

Yes, thanks for the clarification.

How could I get to see whether it's the signal-proxy-URL which is being blocked?

scottnonnenberg-signal commented 5 years ago

There's a contentProxy URL in this config file: https://github.com/signalapp/Signal-Desktop/blob/development/config/default.json

Xashyar commented 5 years ago

> There's a contentProxy URL in this config file: https://github.com/signalapp/Signal-Desktop/blob/development/config/default.json

I am able to reach the URL using ICMP, but still previews won't load.

```
Pinging contentproxy.signal.org [107.178.250.75] with 32 bytes of data:
Reply from 107.178.250.75: bytes=32 time=178ms TTL=48
```

Same thing is true for all other clients, iOS & Android, on virtually all local carriers & ISPs.

scottnonnenberg-signal commented 5 years ago

How is your VPN configured? How exactly do you start Signal Desktop?

Xashyar commented 5 years ago

> How is your VPN configured? How exactly do you start Signal Desktop?

I'm not sure that's related to the VPN; link previews work fine with the VPN enabled. The issue that I'm describing is not limited to, but includes, Signal Desktop as well (the same problem happens on Android & iOS).

five-c-d commented 5 years ago

> in this config file:

```
"contentProxyUrl": "http://contentproxy.signal.org:443"
```

Since it is port 443, should it not be HTTPS at the front, not HTTP? Dunno if that would cause a hiccup that would keep link-previews from working, but it seems worth fixing so that there is no unencrypted initial handshake (even if contentproxy refuses to do anything but https, it should save a few milliseconds by telling the client to start out with https, right?).

If ping is working, but port 443 is not working, the next thing that comes to mind is some sort of certificate problem... is there an intermediary in the chain, or an OCSP or whatever, that signal4desktop is attempting to connect with, but is blocked in Xashyar's country? Youtube is blocked there, which is a google property...

> Pinging contentproxy.signal.org [107.178.250.75]

This reverses to "75.250.178.107.bc.googleusercontent.com", aka somewhere in GCP. Does YouTube have a similar range or something that would get this censored for TCP/IP traffic, but permit ICMP/IP to get through for whatever reason? Is the upstream cert of contentProxy signed by Google or YouTube or DoubleClick or something? Maybe the problem is not government censorship, but Google self-censoring outbound TCP/IP traffic to Xashyar's country or something? Very odd, not sure how to figure out where the problem is rooted.

@Xashyar when you are on your PC can you try running cURL like this:

```
$ curl -iv https://107.178.250.75:443
```

This will try to perform the HTTPS handshake, not sure if it will work/help though.

Xashyar commented 5 years ago

Without VPN Enabled:

```
* Rebuilt URL to: https://107.178.250.75:443/
* Trying 107.178.250.75...
* TCP_NODELAY set
* Connected to 107.178.250.75 (107.178.250.75) port 443 (#0)
* schannel: SSL/TLS connection with 107.178.250.75 port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: using IP address, SNI is not supported by OS.
* schannel: sending initial handshake data: sending 156 bytes...
* schannel: sent initial handshake data: sent 156 bytes
* schannel: SSL/TLS connection with 107.178.250.75 port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with 107.178.250.75 port 443 (step 2/3)
* schannel: failed to receive handshake, SSL/TLS connection failed
* Closing connection 0
* schannel: shutting down SSL/TLS connection with 107.178.250.75 port 443
* schannel: clear security context handle
curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed
```

With VPN (Exit Node: Europe):

```
* Rebuilt URL to: https://107.178.250.75:443/
* Trying 107.178.250.75...
* TCP_NODELAY set
* Connected to 107.178.250.75 (107.178.250.75) port 443 (#0)
* schannel: SSL/TLS connection with 107.178.250.75 port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: using IP address, SNI is not supported by OS.
* schannel: sending initial handshake data: sending 156 bytes...
* schannel: sent initial handshake data: sent 156 bytes
* schannel: SSL/TLS connection with 107.178.250.75 port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with 107.178.250.75 port 443 (step 2/3)
* schannel: encrypted data got 28
* schannel: encrypted data buffer: offset 28 length 4096
* schannel: next InitializeSecurityContext failed: SEC_E_INVALID_TOKEN (0x80090308) - The token supplied to the function is invalid
* Closing connection 0
* schannel: shutting down SSL/TLS connection with 107.178.250.75 port 443
* schannel: clear security context handle
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_INVALID_TOKEN (0x80090308) - The token supplied to the function is invalid
```

Xashyar commented 5 years ago

> This reverses to "75.250.178.107.bc.googleusercontent.com" aka somewhere in GCP

If Signal's Content Proxy is located inside GCP, then it must be that GCP refuses to service certain IP ranges (inc. IRI), as other services that have moved to GCP have recently become inaccessible as well. However, there's no issue receiving push notifications from FCM, which could indicate that Google is selective in imposing restrictions on its GCM services. So given that, the issue could be closed, or could it be possible to move the Content Proxy server outside of GCM to circumvent the service denial?

five-c-d commented 5 years ago

Just for the record, I don't get the same result, though I also am unable to fully connect (presumably, just like the rest of signalapp, the ContentProxy.Signal.org webserver uses pinned certs client-side). Some of the differences are caused by linux-vs-windows.

ssl3_get_record: wrong version number

```
$ curl -iv https://107.178.250.75:443
* Rebuilt URL to: https://107.178.250.75:443/
* Trying 107.178.250.75...
* TCP_NODELAY set
* Connected to 107.178.250.75 (107.178.250.75) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* stopped the pause stream!
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
```

The internet tells me this outcome means the contentProxy is not using SSL, despite being on 443, but possibly that is my misinterpretation? Or, possibly, the internet commentary's :-)

> possible to move the Content Proxy server

Well, there is not a need to move the current one, but setting up another contentProxy2.signal.org which is on AWS might make sense?

Xashyar commented 5 years ago

> Internet tells me this outcome means the contentProxy is not using SSL, despite being on 443, but possibly that is my misinterpretation? or, possibly, the internet-commentary :-)

I was able to view this using Wireshark, and it seems it's the only instance where plaintext HTTP is used.
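The three outcomes seen in this thread can be told apart from the first bytes the server sends back after a ClientHello: nothing at all (the "failed to receive handshake" case), a plaintext HTTP reply on port 443 (OpenSSL parses the bytes "HTT" of "HTTP/" as a TLS record header with an impossible version, hence ssl3_get_record:wrong version number), or a real TLS ServerHello/alert. The probe below is an added example, not code from the Signal-Desktop project or from anyone in this thread; the cipher list, timeout and any host you pass to probe() are assumptions.

```python
import os
import socket
import struct

TLS_HANDSHAKE, TLS_ALERT = 0x16, 0x15


def build_client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello (no extensions), enough to elicit a ServerHello or an alert."""
    body = b"\x03\x03" + os.urandom(32)           # client_version 1.2 + 32-byte random
    body += b"\x00"                                # empty session_id
    suites = b"\x00\x9c\x00\x2f\x00\x35"           # assumed list: RSA-kx AES suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                            # compression methods: null only
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type=ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record: handshake, TLS 1.0 compat


def classify_reply(first_bytes: bytes) -> str:
    """Classify what a server sent back in response to a ClientHello."""
    if not first_bytes:
        return "no-reply"            # timeout/reset: filtered path or hung proxy
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"      # server speaks HTTP on this port, not TLS
    if (len(first_bytes) >= 3 and first_bytes[0] in (TLS_HANDSHAKE, TLS_ALERT)
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):
        return "tls-alert" if first_bytes[0] == TLS_ALERT else "tls-handshake"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello, and classify the first bytes (if any) that come back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello())
            data = s.recv(512)
    except OSError:                  # connect failure, reset, or timeout all look like no reply
        data = b""
    return classify_reply(data)


if __name__ == "__main__":
    # Constructed samples standing in for the thread's three observed outcomes.
    for sample in (b"", b"HTTP/1.1 400 Bad Request\r\n", b"\x16\x03\x03\x00\x2a\x02"):
        print(repr(sample[:8]), "->", classify_reply(sample))
```

Run probe("contentproxy.signal.org") from both a blocked network and a VPN to see whether the difference is "no-reply" versus "plaintext-http", which is the distinction the two curl transcripts above were made to draw.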