Can't Access Site From Iran

Issue #9261 resolved
Mohammad Sarrami created an issue

Dear BitBucket team,

Recently I can't access my repository with Iranian IP Address.

Is there any new Policy to ban the service from Any Region?

Can you please let me know if I have to replace your service with some other free online services. My email would be:

Many thanks

Comments (51)

  1. Erik van Zijst

    Is there any new Policy to ban the service from Any Region?

    I'm afraid we should ask Ahmadinejad. Can you copy paste the output of:

    $ nslookup
    $ traceroute
    $ ping

    Also, what do you see when you load bitbucket up in a browser? Does it time out, or do you see a government message?

    If Iran's draconian censorship machine has indeed decided its citizens don't deserve online code hosting services, you might want to consider proxy servers or TOR.

  2. hamed gh

    I have the same problem (I'm connecting from university and university's administrators said we didn't close any port!)

    I open with proxy (because of filtering) but it seemed proxy doesn't work for cmd!

    When I use: git push origin master, it shows me: error: Connection time-out while accessing med256giga/blog.git/info/refs?service=git-receive-pack fatal: HTTP request failed

    When I try $ nslookup it shows me: Server: dc01.kashanu.local Address:

    Non-authoritative answer: DNS request timed out. timeout was 2 seconds. Name: Addresses:

    try: ping

    Pinging [] with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    So what should I do??

  3. hamed gh

    Yes I think so (is there any other command to test?), I can load only with proxy or vpn. If I try "ping" with VPN, everything is OK:

    Pinging [] with 32 bytes of data:
    Reply from bytes=32 time=129ms TTL=51
    Reply from bytes=32 time=130ms TTL=51
    Reply from bytes=32 time=130ms TTL=51
    Reply from bytes=32 time=130ms TTL=51

    Ping statistics for
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 129ms, Maximum = 130ms, Average = 129ms

    I try "tracert":

    Tracing route to [] over a maximum of 30 hops:

      1   132 ms   131 ms   131 ms
      2   139 ms   134 ms   132 ms
      3   132 ms   131 ms   133 ms  []
      4   132 ms   132 ms   133 ms  []
      5   135 ms   133 ms   133 ms  []
      6   134 ms   132 ms   132 ms  [213.248.89. 38]
      7     *      148 ms   146 ms
      8   189 ms   133 ms   132 ms
      9   134 ms   135 ms   134 ms  []

    Trace complete.

    Tell me what should I do?? :(

  4. Erik van Zijst

    @hamed256giga So you can load and use the site ok (I guess you can, considering you were able to comment on this issue). If you are using a VPN then a clone should really also work. Can you paste the full shell output of the commands I mentioned above?

  5. hamed gh




    Non-authoritative answer: Name: Addresses:

  6. hamed gh


    traceroute : The term 'traceroute' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:1
    + traceroute
    + ~~
        + CategoryInfo : ObjectNotFound: (traceroute:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException


    Tracing route to [] over a maximum of 30 hops:

      1   155 ms   156 ms   158 ms
      2   155 ms   155 ms   156 ms
      3   155 ms     *      175 ms  []
      4   155 ms   155 ms   156 ms  []
      5   158 ms     *      166 ms  []
      6   249 ms   251 ms   256 ms  []
      7   241 ms   253 ms   243 ms  []
      8   277 ms   248 ms   264 ms
      9   266 ms   245 ms   251 ms

    Trace complete.


    Pinging [] with 32 bytes of data:
    Reply from bytes=32 time=256ms TTL=56
    Reply from bytes=32 time=253ms TTL=56
    Reply from bytes=32 time=245ms TTL=56
    Reply from bytes=32 time=243ms TTL=56

    Ping statistics for
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 243ms, Maximum = 256ms, Average = 249ms

  7. Erik van Zijst

    That all looks normal. You say you are using a proxy server because of the network censorship. It's possible these proxy servers don't play well with Git's clone requests, which are streaming. This is something you'd have to investigate / ask the proxy administrator.

    If you are on a VPN you shouldn't need any app-level proxies, in which case you could give SSH a try.

  8. Erik van Zijst

    As for VPN, you could also give TOR a try. It doesn't offer VPN, but you could probably tunnel git SSH through it using SOCKS forwarding.

  9. Mehran Ahadi

    I have the same issue. This problem seems not to be caused by Iran Government Censorship. I've queried the censorship database ( and it says is not censored!

    The problem is neither with DNS lookup:

    Non-authoritative answer:

    Nor with routing:

    Tracing route to []
    over a maximum of 30 hops:
      1     1 ms     2 ms     1 ms  WiMaxCPE []
      2     *        *        *     Request timed out.
      3    71 ms   157 ms    72 ms
      4    69 ms    93 ms   358 ms
      5    89 ms   284 ms   127 ms
      6    70 ms    64 ms   103 ms
      7  1908 ms   228 ms   162 ms
      8     *        *        *     Request timed out.
      9    80 ms    72 ms    74 ms
     10   247 ms    73 ms   127 ms
     11    70 ms    83 ms   108 ms
     12   187 ms   259 ms   203 ms [
     13   279 ms   188 ms   172 ms
     14   204 ms   259 ms   148 ms
     15   140 ms   158 ms   194 ms [
     16   246 ms   229 ms   242 ms [
     17   228 ms   239 ms   233 ms [
     18   248 ms   243 ms   246 ms
     19     *        *      271 ms
    Pinging [] with 32 bytes of data:
    Reply from bytes=32 time=299ms TTL=45
    Reply from bytes=32 time=256ms TTL=45
    Reply from bytes=32 time=279ms TTL=45
    Reply from bytes=32 time=226ms TTL=45
    Ping statistics for
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 226ms, Maximum = 299ms, Average = 265ms

    Even opening successfully redirects to SSL-enabled address! It means that we have access to your servers but the server might not be responding to Iranian IPs.

    Opening in a browser shows a connection timeout message. I'm not so expert in SSL-related stuff, but it would be likely caused by a SSL problem, if we assume there is no policy in your servers to ban Iranian users.

    As I tested, using any IP changing tools like VPNs and Proxies will totally solve this problem, but it's not the right solution. It's obvious that not all Iranian users are able to change their IP, including amateur customers.

    And by the way, Ahmadinejad is gone :)

  10. Erik van Zijst

    Opening in a browser shows a connection timeout message. I'm not so expert in SSL-related stuff, but it would be likely caused by a SSL problem, if we assume there is no policy in your servers to ban iranian users.

    We do not perform any firewalling whatsoever, but I cannot vouch for any intermediate network provider, Iranian or otherwise.

    And by the way, Ahmadinejad is gone :)

    Yes, my mistake :)

  11. hamed gh

    It seems that there is no problem anymore! I can access bitbucket with freegate now :) I did nothing, the problem solved automatically.

  12. Mehran Ahadi

    Dear Hamed, It's not about being able to access the service using proxies or VPNs. It's about being able to use the service directly and freely without any kind of blocking, as it was before. You might want to take a look at my previous post.

    Unfortunately, the problem still persists and is not fixed: " took too long to respond"

  13. Brodie Rao

    This issue is being closed due to inactivity. If you're still experiencing issues, please contact Thanks!

  14. Thanh LE

    Today we cannot access bitbucket from Vietnam also.. we can access the site but very slowly.. and we cannot import projects to eclipse (or from console)...

    Anyone can help please?

  15. Collin Anderson

    FYI: It's possible that this site (the HTTPS portion) is blocked because it hosts the source repository of Psiphon.

  16. Mehran Ahadi

    The problem was gone for some time, but it's back. Experiencing a similar situation again: "SSL Error".

  17. Jim Redmond staff

    Unfortunately, this appears to be the same problem as before: DNS is resolving the wrong address for

    If you update your hosts file (usually /etc/hosts) to include a line like this, then can you connect?

  18. Morteza Zigool

    I have the same problem. I can't connect to my repository with android studio! :( PUSH Failed -------------Failed to connect to port 443: Connection refused

  19. Erik van Zijst

    I'm afraid there's little we can do about governments that censor the Internet either by subverting DNS, or blocking routes.

    In countries where this is a constant issue, I'd consider looking into using a VPN service (assuming those are not all blocked as well). If worst comes to worst, you should be able to use TOR.

  20. dan rah

    I added the line to hosts file but when I try to fetch, I get this error: fatal: unable to access '': error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

    and when I change my origin from to myusername@ I get the following error:

    fatal: unable to access 'https://myusername@': SSL: certificate subject name '' does not match target host name ''

    How to add the certificate to exceptions? I'm using sourcetree on Windows

  21. dan rah

    The problem is not yet gone for me. Maybe for some ISPs the issue is resolved. I have the problem with both AsiaTek and Shatel ISPs. However, the above temporary fix will do the trick.

  22. Mehran Ahadi

    Guys, I just checked and found out it seems to be blocked by the government! So I posted a unblock request just few mins ago. I'll let you know whenever I got a response.

    @Hamed_K It seems that it's not solved yet! For instance, I can access by Internet Explorer on Windows on my Laptop (and currently posting this comment through it), but all other platforms/clients fail to initialize HTTPS connection! It might be because of some kind of certificate caching or something like that. You're lucky! :)

  23. Mahdi Zareie

    I'm confirming the problem still blocking access to bitbucket. I believe a Man In The Middle doing some kinds of modifications on SSL records.
    It's definitely not a problem related to censorship because bitbucket servers are accessible but something more strange is happening, perhaps they are trying to run a decryption algorithm on the cipher-text but the algorithm does a modification on SSL records... I guess :-/

  24. Jim Redmond staff

    @dan rah That may appear to work, but then you'd have no way to be sure that the system answering your requests really is Bitbucket. If you can verify that the certificate presented matches our fingerprint (46:de:34:e7:9b:18:cd:7f:ae:fd:8b:e3:bc:f4:1a:5e:38:d7:ac:24), though, then you may have a good temporary solution.

    You might also be able to reach our API host,, without any man-in-the-middle interference.

    @Mehran Ahadi I'd be curious to hear about any response you receive.

  25. Mohammad Shokri Khanghah

    @Jim Redmond It's some kind of DNS Spoofing attack on popular DNS resolvers in Iran. Google & Level3 DNS Servers are confirmed for these addresses:, and

    Sample output from dig command:

    $ dig +noall a +answer @
          889 IN  A

    IP address is a common DNS Sinkhole in Iran.

    A quick fix for this is to add BitBucket IP Address to /etc/hosts file:

    # /etc/hosts file

    Some other less known public DNS Servers are not currently affected, which can also be used to workaround this issue:

    • Cisco OpenDNS:
    • Norton ConnectSafe:

    @Mahdi Zareie What's interesting is that there is also a MITM attack combined with Spoofing which forms a Malformed DNS Packet by adding 2 extra bytes at the beginning of the DNS response packet:

    Sample output from dig command:

    $ dig +noall any +answer @
    ;; Got bad packet: bad label type
    47 bytes
    e1 fb 81 80 00 01 00 01 00 00 00 00 09 62 69 74          .............bit
    62 75 63 6b 65 74 03 6f 72 67 00 00 0c 00 01 c0
    0c 00 0c 00 01 00 00 03 79 00 03 41 41 41 00             ........y..AAA.

    First 2 bytes e1 fb are injected! They are Random Packet corruptions of DNS payload!

    What's also interesting is that only UDP DNS Packets are affected, Forcing DNS to use TCP is ok:

    $ dig +noall any +answer +tcp @
          21599   IN  A
          21599   IN  A
          21599   IN  NS
          21599   IN  NS
          21599   IN  NS
          21599   IN  NS
          899 IN  SOA 1 7200 900 1209600 86400
          21599   IN  MX  1
          21599   IN  MX  10
          21599   IN  MX  10
          21599   IN  MX  5
          21599   IN  MX  5
          21599   IN  TXT "v=spf1 ~all"
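
Added example (not part of the thread): a minimal RFC 1035 parser in Python, run over the 47-byte dump in comment 25, to locate the field behind dig's `bad label type`. The function names `read_name` and `parse_response` are this example's own; the bytes are copied from the dump.

```python
import struct

DUMP = bytes.fromhex(  # the 47 bytes exactly as dig dumped them above
    "e1 fb 81 80 00 01 00 01 00 00 00 00 09 62 69 74 "
    "62 75 63 6b 65 74 03 6f 72 67 00 00 0c 00 01 c0 "
    "0c 00 0c 00 01 00 00 03 79 00 03 41 41 41 00")

def read_name(msg, off):
    """Decode a domain name at off; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        kind = length & 0xC0                  # top two bits select the label type
        if kind == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if off + 1 >= len(msg) or hops >= 16:
                raise ValueError("bad compression pointer")
            end = off + 2 if end is None else end
            off, hops = ((length & 0x3F) << 8) | msg[off + 1], hops + 1
        elif kind:                            # 01 / 10 are not ordinary labels
            raise ValueError(f"bad label type 0x{length:02x} at offset {off}")
        elif length == 0:                     # root label ends the name
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
            off += 1 + length

def parse_response(msg):
    """Parse header, one question and one answer; check PTR rdata as a name."""
    ident, flags, _qd, _an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    qname, off = read_name(msg, 12)           # question follows the 12-byte header
    qtype, _qclass = struct.unpack_from("!2H", msg, off)
    owner, off = read_name(msg, off + 4)
    rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    out = {"id": ident, "flags": flags, "qname": qname, "qtype": qtype,
           "owner": owner, "rtype": rtype, "ttl": ttl,
           "rdata": msg[off:off + rdlen], "trailing": len(msg) - off - rdlen}
    if rtype == 12:                           # PTR rdata must be an encoded name
        try:
            out["target"] = read_name(msg, off)[0]
        except ValueError as exc:
            out["rdata_error"] = str(exc)
    return out

if __name__ == "__main__":
    print(parse_response(DUMP))
```

The header, question and answer owner name decode without error; parsing stops inside the answer's rdata, whose first byte 0x41 carries label-type bits 01, and one byte is left over after the record.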

  26. Mohammad Shokri Khanghah

    @Jim Redmond SSL Fingerprint verified:

    $ openssl s_client -connect < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
    SHA1 Fingerprint=46:DE:34:E7:9B:18:CD:7F:AE:FD:8B:E3:BC:F4:1A:5E:38:D7:AC:24

    But still can't access through web:

    $ curl -I
    curl: (35) Unknown SSL protocol error in connection to

  27. Hamid Alaei Varnosfaderani

    This is error that I see in firefox:

    An error occurred during a connection to SSL received a record that 
    exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)

  28. Mohammad Shokri Khanghah

    @Erik van Zijst Thank you Erik, I hope this could help shed some light on the permanent solution for this, cause we really are dependant on bitbucket cloud git services and their integration to other services. Currently both VPN and/or Tor would work but both of them are slow and requires special customization to servers, specially in order to maintain integration between services like phabricator and bitbucket.

  29. Ali Tivay

    I am still experiencing this problem. The situation is particularly hairy for me because I'm trying to connect from a VPS inside Iran, and I can't activate a proxy like "openconnect" since it breaks my SSH connection to the VPS. is still inaccessible from the VPS.

  30. Hamid Alaei Varnosfaderani

    According to this link, it seems that bitbucket is not filtered by Iran, but bitbucket itself embargoed Iran. If it is true, then I can say it is a shame. I think bitbucket should officially confirm or reject it.

  31. Vladlena Shumilo

    This is NOT resolved and after testing a lot this seems like a bitbucket thing. As per the comment above I am trying to connect from Cuba and getting timeouts via ssh AND https. Happens that Cuba is in the embargoed list too. Coincidence?

  32. Yusef Mohamadi

    This problem exists yet, we have near 40 projects in bitbucket but because of this problem unfortunately we have to migrate to GitLab, I'd like BitBucket and JIRA, but now I have to like JIRA only. :(

    @Mehran Ahadi I ask to remove bitbucket from black-list, what was your experience about ask to "rafefilter" ?

  33. Mehran Ahadi

    @Zhilevan I just sent a request over there and it asked for a description, and I explained why it should not be blacklisted. Finally it gave me a tracking code, and after a week it got whitelisted. Please note that it's not blocked by Iran government right now, and if you try to submit a request to rafefilter, it says that it's not on the blacklist. It seems to be another problem right now; maybe SSL Spoofing, or some kind of sanction effects. Take a look at the link provided by @Hamid Alaei Varnosfaderani.
