

Issue #9261 resolved

Can't Access Site From Iran

Mohammad Sarrami
created an issue

Dear BitBucket team,

Recently I can't access my repository with an Iranian IP address.

Is there any new Policy to ban the service from Any Region?

Can you please let me know if I have to replace your service with some other free online services. My email would be: Farvashani@gmail.com

Many thanks

Comments (51)

  1. Erik van Zijst staff

    Is there any new Policy to ban the service from Any Region?

    I'm afraid we should ask Ahmadinejad. Can you copy paste the output of:

    $ nslookup bitbucket.org
    $ traceroute bitbucket.org
    $ ping bitbucket.org

    Also, what do you see when you load Bitbucket up in a browser? Does it time out, or do you see a government message?

    If Iran's draconian censorship machine has indeed decided its citizens don't deserve online code hosting services, you might want to consider proxy servers or TOR.

  2. hamed gh

    I have the same problem (I'm connecting from university and university's administrators said we didn't close any port!)

    I open BitBucket.org with a proxy (because of filtering), but it seemed the proxy doesn't work for cmd!

    When I use git push origin master, it shows me:

    error: Connection time-out while accessing https://hamed256giga@bitbucket.org/hamed256giga/blog.git/info/refs?service=git-receive-pack
    fatal: HTTP request failed

    When I try $ nslookup bitbucket.org, it shows me:

    Server: dc01.kashanu.local
    Address:

    Non-authoritative answer:
    DNS request timed out.
    timeout was 2 seconds.
    Name: bitbucket.org
    Addresses:

    Try: ping bitbucket.org

    Pinging bitbucket.org [] with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    So what should I do??

  3. hamed gh

    Yes, I think so (is there any other command to test?). I can load bitbucket.org only with proxy or VPN. If I try "ping google.com" with VPN, everything is OK:

    Pinging google.com [] with 32 bytes of data:
    Reply from bytes=32 time=129ms TTL=51
    Reply from bytes=32 time=130ms TTL=51
    Reply from bytes=32 time=130ms TTL=51
    Reply from bytes=32 time=130ms TTL=51

    Ping statistics for
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 129ms, Maximum = 130ms, Average = 129ms

    I try "tracert google.com":

    Tracing route to google.com [] over a maximum of 30 hops:

      1   132 ms   131 ms   131 ms
      2   139 ms   134 ms   132 ms
      3   132 ms   131 ms   133 ms  ffm-b2-link.telia.net []
      4   132 ms   132 ms   133 ms  ffm-bb1-link.telia.net []
      5   135 ms   133 ms   133 ms  ffm-b7-link.telia.net []
      6   134 ms   132 ms   132 ms  google-ic-127674-ffm-b7.c.telia.net [213.248.89.38]
      7     *      148 ms   146 ms
      8   189 ms   133 ms   132 ms
      9   134 ms   135 ms   134 ms  fra02s22-in-f7.1e100.net []

    Trace complete.

    Tell me, what should I do?? :(

  4. Erik van Zijst staff

    hamed gh So you can load and use the site ok (I guess you can, considering you were able to comment on this issue). If you are using a VPN then a clone should really also work. Can you paste the full shell output of the commands I mentioned above?

  5. hamed gh

    nslookup bitbucket.org

    Server: google-public-dns-a.google.com


    Non-authoritative answer:
    Name: bitbucket.org
    Addresses:

  6. hamed gh

    traceroute bitbucket.org

    traceroute : The term 'traceroute' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:1
    + traceroute bitbucket.org
    + ~~
    + CategoryInfo : ObjectNotFound: (traceroute:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    tracert bitbucket.org

    Tracing route to bitbucket.org [] over a maximum of 30 hops:

      1   155 ms   156 ms   158 ms
      2   155 ms   155 ms   156 ms
      3   155 ms     *      175 ms  xe-1-2-2.cr2.fra1.de.nlayer.net []
      4   155 ms   155 ms   156 ms  as2914.xe-0-3-2.cr2.fra1.de.nlayer.net []
      5   158 ms     *      166 ms  xe-1-1-3.r20.frnkge04.de.bb.gin.ntt.net []
      6   249 ms   251 ms   256 ms  ae-1.r21.asbnva02.us.bb.gin.ntt.net []
      7   241 ms   253 ms   243 ms  ae-2.r00.asbnva02.us.bb.gin.ntt.net []
      8   277 ms   248 ms   264 ms
      9   266 ms   245 ms   251 ms

    Trace complete.

    ping bitbucket.org

    Pinging bitbucket.org [] with 32 bytes of data:
    Reply from bytes=32 time=256ms TTL=56
    Reply from bytes=32 time=253ms TTL=56
    Reply from bytes=32 time=245ms TTL=56
    Reply from bytes=32 time=243ms TTL=56

    Ping statistics for
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 243ms, Maximum = 256ms, Average = 249ms

  7. Erik van Zijst staff

    That all looks normal. You say you are using a proxy server because of the network censorship. It's possible these proxy servers don't play well with Git's clone requests, which are streaming. This is something you'd have to investigate / ask the proxy administrator.

    If you are on a VPN you shouldn't need any app-level proxies, in which case you could give SSH a try.

  8. Mehran Ahadi

    I have the same issue. This problem seems not to be caused by Iran Government Censorship. I've queried the censorship database (http://rafefilter.internet.ir/) and it says bitbucket.org is not censored!

    The problem is neither with DNS lookup:

    Non-authoritative answer:
    Name:    bitbucket.org

    Nor with routing:

    Tracing route to bitbucket.org []
    over a maximum of 30 hops:
      1     1 ms     2 ms     1 ms  WiMaxCPE []
      2     *        *        *     Request timed out.
      3    71 ms   157 ms    72 ms
      4    69 ms    93 ms   358 ms
      5    89 ms   284 ms   127 ms
      6    70 ms    64 ms   103 ms
      7  1908 ms   228 ms   162 ms
      8     *        *        *     Request timed out.
      9    80 ms    72 ms    74 ms
     10   247 ms    73 ms   127 ms
     11    70 ms    83 ms   108 ms
     12   187 ms   259 ms   203 ms  so-10-0-0.franco71.fra.seabone.net [
     13   279 ms   188 ms   172 ms
     14   204 ms   259 ms   148 ms
     15   140 ms   158 ms   194 ms  ae-2.r20.frnkge04.de.bb.gin.ntt.net [
     16   246 ms   229 ms   242 ms  ae-1.r21.asbnva02.us.bb.gin.ntt.net [
     17   228 ms   239 ms   233 ms  ae-2.r00.asbnva02.us.bb.gin.ntt.net [
     18   248 ms   243 ms   246 ms
     19     *        *      271 ms
    Pinging bitbucket.org [] with 32 bytes of data:
    Reply from bytes=32 time=299ms TTL=45
    Reply from bytes=32 time=256ms TTL=45
    Reply from bytes=32 time=279ms TTL=45
    Reply from bytes=32 time=226ms TTL=45
    Ping statistics for
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 226ms, Maximum = 299ms, Average = 265ms

    Even opening http://bitbucket.org/ successfully redirects to the SSL-enabled https://bitbucket.org/ address! It means that we have access to your servers but the server might not be responding to Iranian IPs.

    Opening https://bitbucket.org/ in a browser shows a connection timeout message. I'm not so expert in SSL-related stuff, but it would be likely caused by an SSL problem, if we assume there is no policy in your servers to ban Iranian users.

    As I tested, using any IP changing tools like VPNs and proxies will totally solve this problem, but it's not the right solution. It's obvious that not all Iranian users are able to change their IP, including amateur customers.

    And by the way, Ahmadinejad is gone :)

  9. Erik van Zijst staff

    Opening https://bitbucket.org/ in a browser shows a connection timeout message. I'm not so expert in SSL-related stuff, but it would be likely caused by an SSL problem, if we assume there is no policy in your servers to ban Iranian users.

    We do not perform any firewalling whatsoever, but I cannot vouch for any intermediate network provider, Iranian or otherwise.

    And by the way, Ahmadinejad is gone :)

    Yes, my mistake :)

  10. Mehran Ahadi

    Dear Hamed, It's not about being able to access the service using proxies or VPNs. It's about being able to use the service directly and freely without any kind of blocking, as it was before. You might want to take a look at my previous post.

    Unfortunately, the problem still persists and is not fixed: "bitbucket.org took too long to respond"

  11. Thanh LE

    Today we cannot access Bitbucket from Vietnam also. We can access the site but very slowly, and we cannot import projects to Eclipse (or from console)...

    Can anyone help, please?

  12. James Redmond staff

    Unfortunately, this appears to be the same problem as before: DNS is resolving the wrong address for bitbucket.org.

    If you update your hosts file (usually /etc/hosts) to include a line like this, then can you connect?

    bitbucket.org

  13. Erik van Zijst staff

    I'm afraid there's little we can do about governments that censor the Internet either by subverting DNS, or blocking routes.

    In countries where this is a constant issue, I'd consider looking into using a VPN service (assuming those are not all blocked as well). If worst comes to worst, you should be able to use TOR.

  14. danrah

    I added the line to hosts file but when I try to fetch, I get this error: fatal: unable to access 'https://username@bitbucket.org/reposityr.git/': error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

    and when I change my origin from myusername@bitbucket.org to myusername@ I get the following error:

    fatal: unable to access 'https://myusername@': SSL: certificate subject name 'bitbucket.org' does not match target host name ''

    How to add the certificate to exceptions? I'm using sourcetree on Windows

  15. danrah

    The problem is not yet gone for me. Maybe for some ISPs the issue is resolved. I have the problem with both AsiaTek and Shatel ISPs. However, the above temporary fix will do the trick.

  16. Mehran Ahadi

    Guys, I just checked http://rafefilter.internet.ir/ and found out it seems to be blocked by the government! So I posted an unblock request just a few mins ago. I'll let you know whenever I get a response.

    Hamed Jafari It seems that it's not solved yet! For instance, I can access https://bitbucket.org by Internet Explorer on Windows on my laptop (and am currently posting this comment through it), but all other platforms/clients fail to initialize an HTTPS connection! It might be because of some kind of certificate caching or something like that. You're lucky! :)

  17. Mahdi Zareie

    I'm confirming the problem is still blocking access to Bitbucket. I believe a Man In The Middle is doing some kind of modification on SSL records.
    It's definitely not a problem related to censorship, because Bitbucket servers are accessible, but something more strange is happening; perhaps they are trying to run a decryption algorithm on the cipher-text but the algorithm does a modification on SSL records... I guess :-/

  18. James Redmond staff

    danrah That may appear to work, but then you'd have no way to be sure that the system answering your requests really is Bitbucket. If you can verify that the certificate presented matches our fingerprint (46:de:34:e7:9b:18:cd:7f:ae:fd:8b:e3:bc:f4:1a:5e:38:d7:ac:24), though, then you may have a good temporary solution.

    You might also be able to reach our API host, api.bitbucket.org, without any man-in-the-middle interference.

    Mehran Ahadi I'd be curious to hear about any response you receive.

  19. Mohammad Shokri

    James Redmond It's some kind of DNS Spoofing attack on popular DNS resolvers in Iran. Google & Level3 DNS Servers are confirmed for these addresses:, and

    Sample output from dig command:

    $ dig +noall bitbucket.org a +answer @
    bitbucket.org.      889 IN  A

    IP address is a common DNS Sinkhole in Iran.

    A quick fix for this is to add BitBucket IP Address to /etc/hosts file:

    # /etc/hosts file
    bitbucket.org

    Some other less known public DNS Servers are not currently affected, which can also be used to workaround this issue:

    • Cisco OpenDNS:
    • Norton ConnectSafe:

    Mahdi Zareie What's interesting is that there is also a MITM attack combined with Spoofing which forms a Malformed DNS Packet by adding 2 extra bytes at the beginning of the DNS response packet:

    Sample output from dig command:

    $ dig +noall bitbucket.org any +answer @
    ;; Got bad packet: bad label type
    47 bytes
    e1 fb 81 80 00 01 00 01 00 00 00 00 09 62 69 74          .............bit
    62 75 63 6b 65 74 03 6f 72 67 00 00 0c 00 01 c0          bucket.org......
    0c 00 0c 00 01 00 00 03 79 00 03 41 41 41 00             ........y..AAA.

    First 2 bytes e1 fb are injected! They are Random Packet corruptions of DNS payload!

    What's also interesting is that only UDP DNS packets are affected; forcing DNS to use TCP is OK:

    $ dig +noall bitbucket.org any +answer +tcp @
    bitbucket.org.      21599   IN  A
    bitbucket.org.      21599   IN  A
    bitbucket.org.      21599   IN  NS  ns-1305.awsdns-35.org.
    bitbucket.org.      21599   IN  NS  ns-1746.awsdns-26.co.uk.
    bitbucket.org.      21599   IN  NS  ns-445.awsdns-55.com.
    bitbucket.org.      21599   IN  NS  ns-584.awsdns-09.net.
    bitbucket.org.      899 IN  SOA ns-584.awsdns-09.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
    bitbucket.org.      21599   IN  MX  1 aspmx.l.google.com.
    bitbucket.org.      21599   IN  MX  10 aspmx2.googlemail.com.
    bitbucket.org.      21599   IN  MX  10 aspmx3.googlemail.com.
    bitbucket.org.      21599   IN  MX  5 alt1.aspmx.l.google.com.
    bitbucket.org.      21599   IN  MX  5 alt2.aspmx.l.google.com.
    bitbucket.org.      21599   IN  TXT "v=spf1 a:bitbucket09.managed.contegix.com a:bitbucket10.managed.contegix.com a:lb01-ash.bitbucket.org a:lb02-ash.bitbucket.org a:status-fe01.bitbucket.org a:status-fe02.bitbucket.org include:_spf.google.com include:support.zendesk.com ~all"
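
The 47-byte dump in the comment above can be decoded field by field under RFC 1035 to locate the byte behind dig's "bad label type" message. This is an added example, not code from the thread; the function names are illustrative, and the bytes are copied from the hex dump exactly as it appears on this page.

```python
import struct

# Bytes copied from the hex dump as it appears in the comment above (47 bytes).
DUMP = bytes.fromhex(
    "e1 fb 81 80 00 01 00 01 00 00 00 00 09 62 69 74"
    "62 75 63 6b 65 74 03 6f 72 67 00 00 0c 00 01 c0"
    "0c 00 0c 00 01 00 00 03 79 00 03 41 41 41 00"
)

def read_name(msg, off):
    """Decode an RFC 1035 domain name; return (name, offset after it)."""
    labels, after = [], None
    for _ in range(64):                      # bound pointer chasing
        n = msg[off]
        if n & 0xC0 == 0xC0:                 # 11xxxxxx: compression pointer
            after = off + 2 if after is None else after
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n & 0xC0:                       # 01/10xxxxxx: not a plain label
            raise ValueError(f"bad label type 0x{n:02x} at offset {off}")
        elif n == 0:                         # root label ends the name
            return ".".join(labels), off + 1 if after is None else after
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n
    raise ValueError("too many labels or pointer loop")

def decode(msg):
    """Parse the header, one question and one answer of a DNS response."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    qname, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack_from("!2H", msg, off)
    owner, off = read_name(msg, off + 4)
    rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    info = {"id": ident, "flags": flags, "counts": (qd, an, ns, ar),
            "qname": qname, "qtype": qtype, "owner": owner, "rtype": rtype,
            "ttl": ttl, "rdata": msg[off:off + rdlen],
            "trailing": len(msg) - (off + rdlen), "rdata_error": None}
    if rtype == 12:                          # PTR RDATA must be a domain name
        try:
            read_name(msg, off)
        except ValueError as exc:
            info["rdata_error"] = str(exc)
    return info

if __name__ == "__main__":
    for key, value in decode(DUMP).items():
        print(f"{key:12} {value!r}")
```

Read from offset 0, the first two bytes fall in the header's ID field and are followed by the flags word 0x8180 and counts of one question and one answer. The byte that fails name decoding is the 0x41 at offset 43, inside the answer's 3-byte RDATA, and one byte is left over after the record.
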

  20. Mohammad Shokri

    James Redmond SSL Fingerprint verified:

    $ openssl s_client -connect bitbucket.org:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
    SHA1 Fingerprint=46:DE:34:E7:9B:18:CD:7F:AE:FD:8B:E3:BC:F4:1A:5E:38:D7:AC:24

    But still can't access through web:

    $ curl -I https://bitbucket.org/
    curl: (35) Unknown SSL protocol error in connection to bitbucket.org:-9847

  21. Mohammad Shokri

    Erik van Zijst Thank you Erik, I hope this could help shed some light on the permanent solution for this, because we really are dependent on Bitbucket cloud git services and their integration to other services. Currently both VPN and/or Tor would work, but both of them are slow and require special customization to servers, especially in order to maintain integration between services like Phabricator and Bitbucket.

  22. Ali Tivay

    I am still experiencing this problem. The situation is particularly hairy for me because I'm trying to connect from a VPS inside Iran, and I can't activate a proxy like "openconnect" since it breaks my SSH connection to the VPS.

    bitbucket.org is still inaccessible from the VPS.

  23. Vladlena Shumilo

    This is NOT resolved and after testing a lot this seems like a bitbucket thing. As per the comment above I am trying to connect from Cuba and getting timeouts via ssh AND https. Happens that Cuba is in the embargoed list too. Coincidence?

  24. Zhilevan Ibra

    This problem exists yet, we have near 40 projects in bitbucket but because of this problem unfortunately we have to migrate to GitLab, I'd like BitBucket and JIRA, but now I have to like JIRA only. :(

    Mehran Ahadi I ask http://rafefilter.internet.ir/ to remove bitbucket from the black-list. What was your experience with asking "rafefilter"?

  25. Mehran Ahadi

    Zhilevan Ibra I just sent a request over there and it asked for a description, and I explained why it should not be blacklisted. Finally it gave me a tracking code, and after a week it got whitelisted. Please note that it's not blocked by the Iran government right now, and if you try to submit a request to rafefilter, it says that it's not on the blacklist. It seems to be another problem right now; maybe SSL spoofing, or some kind of sanction effects. Take a look at the link provided by Hamid Alaei Varnosfaderani.
