Hey folks,
I'm facing a frustrating issue where a website I manage, which is hosted on Shopify and runs through Cloudflare, has become inaccessible from Hungary. Here's the breakdown:
- **DNS resolution** is all good.
- **TCP connection** to port 443 goes through without a hitch.
- However, I get a reset during the **TLS handshake**, leading to browsers displaying `ERR_CONNECTION_RESET`.
- Interestingly, the site works flawlessly outside of Hungary or when I use a VPN.
It seems like this could be some sort of SNI filtering since the connection drops just after the TLS Client Hello, likely based on the domain name.
Has anyone experienced similar filtering? I'm looking for ways to get around this without needing to change the domain. I've explored options like ECH (Encrypted Client Hello), domain fronting, and tunneling, but I'm unsure what actually works in a real-world setting, especially with Shopify involved.
I suspect the Hungarian Supervisory Authority for Regulated Activities might be behind this, as they're known to block various websites. Any advice would be greatly appreciated!
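The three-stage breakdown in the post (DNS, then TCP, then TLS) is exactly what you want to automate before blaming any particular party, and it also helps to see what an on-path filter actually gets to read. The script below is an added example, not code from the original poster, Shopify or Cloudflare. `probe()` runs the three stages against a host and reports the furthest one reached; `parse_sni()` pulls the cleartext `server_name` out of a raw ClientHello, which is the field such a filter keys on; `start_reset_server()` is a constructed local stand-in that completes the TCP handshake, reads the ClientHello and then sends a TCP RST, reproducing the `ERR_CONNECTION_RESET` symptom so the checks can be exercised offline. The domain `shop.example` is a placeholder, not the site in the question.

```python
import socket
import ssl
import struct
import threading


def probe(host, port=443, server_name=None, timeout=5.0):
    """Run the DNS -> TCP -> TLS(SNI) checks from the post.

    Returns a dict with 'stage' set to the stage that failed ('dns', 'tcp',
    'tls') or 'tls_ok', plus an 'error' string on failure.
    """
    server_name = server_name or host
    result = {"host": host, "port": port, "sni": server_name, "stage": None, "error": None}

    # Stage 1: name resolution (the post reports this as working)
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        result.update(stage="dns", error=str(exc))
        return result
    address = infos[0][4][0]
    result["address"] = address

    # Stage 2: plain TCP connect to 443 (also reported as working)
    try:
        sock = socket.create_connection((address, port), timeout=timeout)
    except OSError as exc:
        result.update(stage="tcp", error=str(exc))
        return result

    # Stage 3: TLS handshake; server_hostname puts the name into the SNI extension.
    # A filter that resets on the ClientHello surfaces here as ConnectionResetError
    # (or SSLEOFError if it closes with FIN); a certificate problem shows up as
    # SSLCertVerificationError, so the error text tells the two apart.
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            result.update(stage="tls_ok", version=tls.version(), cipher=tls.cipher()[0])
    except (ssl.SSLError, OSError) as exc:
        result.update(stage="tls", error=f"{type(exc).__name__}: {exc}")
        sock.close()  # no-op if wrap_socket already took over the descriptor
    return result


def parse_sni(data):
    """Extract server_name from a raw TLS ClientHello record (what an on-path
    filter sees in cleartext). Returns None if absent or not a ClientHello."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:          # record type handshake, msg type client_hello
            return None
        p = 5 + 4 + 2 + 32                               # record hdr, handshake hdr, version, random
        p += 1 + data[p]                                 # session_id
        p += 2 + int.from_bytes(data[p:p + 2], "big")    # cipher_suites
        p += 1 + data[p]                                 # compression_methods
        ext_end = p + 2 + int.from_bytes(data[p:p + 2], "big")
        p += 2
        while p + 4 <= ext_end:
            etype = int.from_bytes(data[p:p + 2], "big")
            elen = int.from_bytes(data[p + 2:p + 4], "big")
            body = data[p + 4:p + 4 + elen]
            if etype == 0 and len(body) >= 5 and body[2] == 0:   # server_name, host_name type
                nlen = int.from_bytes(body[3:5], "big")
                return body[5:5 + nlen].decode("ascii")
            p += 4 + elen
    except (IndexError, UnicodeDecodeError):
        return None
    return None


def start_reset_server():
    """Constructed stand-in for the filter described in the post: accepts the
    TCP connection, reads the ClientHello, records its SNI, then sends RST.
    Returns (port, seen, thread); seen['sni'] is filled once the hello arrives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    seen = {}

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(2)
        try:
            seen["sni"] = parse_sni(conn.recv(4096))     # ClientHello is readable in clear
        except OSError:
            seen["sni"] = None
        # SO_LINGER with zero timeout makes close() emit RST rather than FIN,
        # which is what the browser reports as ERR_CONNECTION_RESET.
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, seen, thread


def closed_local_port():
    """Find a loopback port with nothing listening, to exercise the TCP-failure path."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "shop.example"   # placeholder domain
    print(probe(target))
```

Run it from inside and outside the affected network and compare the `stage` field: `tls` with a reset on one side and `tls_ok` on the other is the pattern that points at filtering on the ClientHello rather than at DNS or routing. Running it with `server_name` set to a different name than the one you connect to is a quick way to confirm whether the decision is made on the SNI value rather than the IP.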
2 Answers
First off, check your MTU settings and your ICMP firewall configurations, especially if you’re connecting via IPv6. Sometimes those settings can mess up the connection.
I’ve dealt with similar filtering (in a corporate context, not state-controlled). There's not much you can do on your end, really. If your web server can handle it, try enabling QUIC since some firewalls don’t filter that the same way they do TCP traffic. It could help you avoid this problem.

Going with TLS 1.3 and QUIC is a solid strategy! It's definitely tougher to filter out.