RKN, what the hay?
Why can I open equestria.social only using tunnels?
@C_Chell Please disable TLSv1.3. It's blocked in Russia! The only way to use Equestria Social is to tell the browser not to use TLSv1.3. Firefox, for example, doesn't try to switch the TLS version to 1.2 if it fails on 1.3.
@Ponywka Too secure, I think ...
I will check if I can disable it only on EQS and not on my other websites (or best, if I can only tag Russian IPs to use a specific configuration; I need to check the nginx documentation)
@C_Chell TLSv1.3 is more secure than TLSv1.2. For example, TLSv1.3 has an encrypted SNI header, unlike TLSv1.2. The "Russian Firewall" uses the unencrypted SNI to see what website you are trying to connect to. If it is blacklisted, your connection just gets dropped. But if it's encrypted, that means the Russian firewall hardware (we call it "ТСПУ", "technical means of countering threats") can't read it, and the only way to resolve this problem from RKN's side is to just drop any TLSv1.3 connections.
@C_Chell @Ponywka I'm now more convinced that it's a browser problem. RKN has been looking for ways to cripple ECH, and Chrome has been selectively embedding fake ECH handshakes into TLS 1.3 connections. It's only a theory though, but disabling ECH support on your browsers outright could be a key to solving the issue.
Or maybe RKN just messed something up.

@Ponywka As a temporary change, I think it's possible to disable TLS1.3 in your browser directly; not the best, but for many websites you will be blocked for the same reason.

(Anyway, I will check on what I can do for this problem)