В проблемах к альтернативному youtube-плееру NewPipe для Android пишут, что плеер перестал работать в России.
opened 08:54PM - 15 Sep 21 UTC
<!--
Oh no, a bug! It happens. Thanks for reporting an issue with NewPipe. To ma… ke it easier for us to help you please enter detailed information in the template we have provided below. If a section isn't relevant, just delete it, though it would be helpful to still provide as much detail as possible.
-->
### Checklist
- [x] I am using the latest version - 0.21.9
- [x] I checked, but didn't find any duplicates (open OR closed) of this issue in the repo.
- [x] I have read the contribution guidelines given at https://github.com/TeamNewPipe/NewPipe/blob/HEAD/.github/CONTRIBUTING.md.
- [x] This issue contains only one bug. I will open one issue for every bug report I want to file.
### Steps to reproduce the bug
<!--
1. Go to '...'
2. Press on '....'
3. Swipe down to '....'
-->
1. Open app
2. Try to search or open anything from history, and it's loading endlessly
### Actual behavior
Nothing loads. Tried reinstalling, nothing changes.
### Expected behavior
Everytrhing should load.
### Screenshots/Screen recordings
https://ibb.co/d29FXVt
### Logs
## Exception
* __User Action:__ searched
* __Request:__ lemmino
* __Content Country:__ US
* __Content Language:__ en-US
* __App Language:__ en_US
* __Service:__ YouTube
* __Version:__ 0.21.9
* __OS:__ Linux Android 6.0.1 - 23
<details><summary><b>Crash log </b></summary><p>
```
java.net.ConnectException: Failed to connect to www.youtube.com/2a00:1450:4010:c05::c6:443
at okhttp3.internal.connection.RealConnection.connectSocket(RealConnection.java:249)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:167)
at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:258)
at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:135)
at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:114)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:127)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:257)
at okhttp3.RealCall.execute(RealCall.java:93)
at org.schabi.newpipe.DownloaderImpl.execute(DownloaderImpl.java:264)
at org.schabi.newpipe.extractor.downloader.Downloader.post(Downloader.java:131)
at org.schabi.newpipe.extractor.downloader.Downloader.post(Downloader.java:114)
at org.schabi.newpipe.extractor.services.youtube.YoutubeParsingHelper.areHardcodedClientVersionAndKeyValid(YoutubeParsingHelper.java:342)
at org.schabi.newpipe.extractor.services.youtube.YoutubeParsingHelper.getClientVersion(YoutubeParsingHelper.java:429)
at org.schabi.newpipe.extractor.services.youtube.YoutubeParsingHelper.prepareDesktopJsonBuilder(YoutubeParsingHelper.java:814)
at org.schabi.newpipe.extractor.services.youtube.extractors.YoutubeSearchExtractor.onFetchPage(YoutubeSearchExtractor.java:73)
at org.schabi.newpipe.extractor.Extractor.fetchPage(Extractor.java:54)
at org.schabi.newpipe.extractor.search.SearchInfo.getInfo(SearchInfo.java:29)
at org.schabi.newpipe.util.ExtractorHelper.lambda$searchFor$0(ExtractorHelper.java:81)
at org.schabi.newpipe.util.-$$Lambda$ExtractorHelper$qyxpuXgomWa-cbONQns-pd7zxm0.call(lambda)
at io.reactivex.rxjava3.internal.operators.single.SingleFromCallable.subscribeActual(SingleFromCallable.java:43)
at io.reactivex.rxjava3.core.Single.subscribe(Single.java:4813)
at io.reactivex.rxjava3.internal.operators.single.SingleSubscribeOn$SubscribeOnObserver.run(SingleSubscribeOn.java:89)
at io.reactivex.rxjava3.core.Scheduler$DisposeTask.run(Scheduler.java:614)
at io.reactivex.rxjava3.internal.schedulers.ScheduledRunnable.run(ScheduledRunnable.java:65)
at io.reactivex.rxjava3.internal.schedulers.ScheduledRunnable.call(ScheduledRunnable.java:56)
at java.util.concurrent.FutureTask.run(FutureTask.java:237)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:269)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1113)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:588)
at java.lang.Thread.run(Thread.java:818)
Caused by: java.net.ConnectException: failed to connect to www.youtube.com/2a00:1450:4010:c05::c6 (port 443) after 10000ms: isConnected failed: ENETUNREACH (Network is unreachable)
at libcore.io.IoBridge.isConnected(IoBridge.java:234)
at libcore.io.IoBridge.connectErrno(IoBridge.java:171)
at libcore.io.IoBridge.connect(IoBridge.java:122)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:183)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:452)
at java.net.Socket.connect(Socket.java:884)
at okhttp3.internal.platform.AndroidPlatform.connectSocket(AndroidPlatform.java:73)
at okhttp3.internal.connection.RealConnection.connectSocket(RealConnection.java:247)
... 39 more
Caused by: android.system.ErrnoException: isConnected failed: ENETUNREACH (Network is unreachable)
at libcore.io.IoBridge.isConnected(IoBridge.java:223)
... 46 more
```
</details>
<hr>
### Device info
- Android version/Custom ROM version: CyanogenMod 13.1
- Device model: OnePlus One
Последний комментарий с исправлением кода намекает, что на ТСПУ внедрен какой-то фильтр TLS, не полностью совместимый со всем ПО.
Это действительно какой-то фильтр TLS.
newpipe_youtube_notworking.zip (21.6 KB)termux_curl_youtube_working.zip (1.7 MB)
Домен www.youtube.com резолвится в 173.194.220.198, но в случае NewPipe с сервера не приходит ответ на ClientHello.https://www.youtube.com на тот же IP-адрес через cURL работает без проблем.
Еще один PCAP-файл, присланный пользователем программы.
По сообщениям пользователей, смена DNS возвращает работоспособность программе, предположительно, из-за другого IP-адреса домена www.youtube.com — фильтр включён с ограничением по адресу.
NewPipe_dns_issue.zip (1.2 KB)
Команда для проверки:
echo "1603010200010001fc0303b8fcb545209f995728937006732b2317cac1e7d265623198acdde74d267d9c68205bab4ebc80ebd23b030380212470f549430f8892e37be79ac1f682b52ac25626001e130113021303c02bc02ccca9c02fc030cca8c013c014009c009d002f00350100019500000014001200000f7777772e796f75747562652e636f6d00170000ff01000100000a00080006001d00170018000b00020100002300000010000e000c02683208687474702f312e31000500050100000000000d00140012040308040401050308050501080606010201003300260024001d0020a2ddf4a423d52380e4dbdbd817c8e4ebb714d39961dd144dfcaa9553c2ae0367002d00020101002b0009080304030303020301001500ea000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" | xxd -ps -r | nc -v 173.194.220.198 443 > /dev/null
This is filter works specifically for www.youtube.com domain. Changing SNI to anything other (even wxw.youtube.com) opens the website again.
TLS filtering is done regardless of IP address.youtube-tspu-server.zip (4.2 KB)
As you can see, the clients’ TLS ClientHello packet is received, but the ServerHello reply can’t be delivered. The client does not receive ServerHello. www.youtube.com does not work, www.nottube.com works.
NAT session teardown?
Фильтр настроен на блокировку комбинации TLS Cipher Suites + Supported Groups + Signature Algorithms + SNI. Удаление какого-либо из шифра в любой части, изменение порядка cipher suites или любая другая модификация приводит к доставке пакета и работоспособности сетевой связности.
А для чего именно может применяться такая настройка фильтра?
@ValdikSS и снова я)www.youtube.com ) открывается, твой тест парой постов выше тоже нормально проходит, хотя newpipe не пашет. Странно… Попробую запустить tcpdump
Раз уже понятна схема блокировки, остался один вопрос: зачем так геморно и с таким паттерно? Почему нельзя просто заблочить по SNI? Или это специально для андроид клиента?
darkk
September 16, 2021, 2:06pm
13
Seems, NewPipe’s fingerprint is quite unique. https://tlsfingerprint.io/ does not parse Client Hello from aforementioned pcaps as known fingerprint that was already observed in the campus traffic.
Its really useless to block NewPipe. Best candidate to block is Google’s Youtube app. Can it be something like tests or preparations for whole youtube block?
darkk
September 16, 2021, 2:36pm
15
I have no iOS devices, but Navalny’s app (ver. 2.0, one from Google Play Market) gives a different fingerprint on my Android:
Fingerprints https://tlsfingerprint.io/id/f0b2b996867b6380 and https://tlsfingerprint.io/id/f278257cdf4a43aa seem to be related, cetpmhjmdf-vizskfsved.global.ssl.fastly.net is Navalny-related domain (see https://archive.md/xgT57 for archived content).
They use okhttp3 library with ConnectionSpec.MODERN_TLS.cipherSuites() and 2 additional ones click
// This will try to enable all modern CipherSuites(+2 more)
// that are supported on the device.
// Necessary because some servers (e.g. Framatube.org)
// don't support the old cipher suites.
// https://github.com/square/okhttp/issues/4053#issuecomment-402579554
final List<CipherSuite> cipherSuites =
new ArrayList<>(ConnectionSpec.MODERN_TLS.cipherSuites());
cipherSuites.add(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA);
cipherSuites.add(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA);
final ConnectionSpec legacyTLS = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
.cipherSuites(cipherSuites.toArray(new CipherSuite[0]))
.build();
builder.connectionSpecs(Arrays.asList(legacyTLS, ConnectionSpec.CLEARTEXT));
UPD: no, they use this cipher set only in this exact case, but in general they have a common okhttp3 cipher list (without 3DES, it is probably filtered by the tls library): https://github.com/square/okhttp/blob/06644bb0507873e9a3b89d9107da537f1b140e91/okhttp/src/main/java/okhttp3/ConnectionSpec.java#L68
I’ve made a small modification in NewPipe by replacing TLS_RSA_WITH_AES_256_CBC_SHA with TLS_RSA_WITH_AES_128_CBC_SHA in the library cipher list, and the application is now working again.
opened 08:54PM - 15 Sep 21 UTC
<!--
Oh no, a bug! It happens. Thanks for reporting an issue with NewPipe. To ma… ke it easier for us to help you please enter detailed information in the template we have provided below. If a section isn't relevant, just delete it, though it would be helpful to still provide as much detail as possible.
-->
### Checklist
- [x] I am using the latest version - 0.21.9
- [x] I checked, but didn't find any duplicates (open OR closed) of this issue in the repo.
- [x] I have read the contribution guidelines given at https://github.com/TeamNewPipe/NewPipe/blob/HEAD/.github/CONTRIBUTING.md.
- [x] This issue contains only one bug. I will open one issue for every bug report I want to file.
### Steps to reproduce the bug
<!--
1. Go to '...'
2. Press on '....'
3. Swipe down to '....'
-->
1. Open app
2. Try to search or open anything from history, and it's loading endlessly
### Actual behavior
Nothing loads. Tried reinstalling, nothing changes.
### Expected behavior
Everytrhing should load.
### Screenshots/Screen recordings
https://ibb.co/d29FXVt
### Logs
## Exception
* __User Action:__ searched
* __Request:__ lemmino
* __Content Country:__ US
* __Content Language:__ en-US
* __App Language:__ en_US
* __Service:__ YouTube
* __Version:__ 0.21.9
* __OS:__ Linux Android 6.0.1 - 23
<details><summary><b>Crash log </b></summary><p>
```
java.net.ConnectException: Failed to connect to www.youtube.com/2a00:1450:4010:c05::c6:443
at okhttp3.internal.connection.RealConnection.connectSocket(RealConnection.java:249)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:167)
at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:258)
at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:135)
at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:114)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:127)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:257)
at okhttp3.RealCall.execute(RealCall.java:93)
at org.schabi.newpipe.DownloaderImpl.execute(DownloaderImpl.java:264)
at org.schabi.newpipe.extractor.downloader.Downloader.post(Downloader.java:131)
at org.schabi.newpipe.extractor.downloader.Downloader.post(Downloader.java:114)
at org.schabi.newpipe.extractor.services.youtube.YoutubeParsingHelper.areHardcodedClientVersionAndKeyValid(YoutubeParsingHelper.java:342)
at org.schabi.newpipe.extractor.services.youtube.YoutubeParsingHelper.getClientVersion(YoutubeParsingHelper.java:429)
at org.schabi.newpipe.extractor.services.youtube.YoutubeParsingHelper.prepareDesktopJsonBuilder(YoutubeParsingHelper.java:814)
at org.schabi.newpipe.extractor.services.youtube.extractors.YoutubeSearchExtractor.onFetchPage(YoutubeSearchExtractor.java:73)
at org.schabi.newpipe.extractor.Extractor.fetchPage(Extractor.java:54)
at org.schabi.newpipe.extractor.search.SearchInfo.getInfo(SearchInfo.java:29)
at org.schabi.newpipe.util.ExtractorHelper.lambda$searchFor$0(ExtractorHelper.java:81)
at org.schabi.newpipe.util.-$$Lambda$ExtractorHelper$qyxpuXgomWa-cbONQns-pd7zxm0.call(lambda)
at io.reactivex.rxjava3.internal.operators.single.SingleFromCallable.subscribeActual(SingleFromCallable.java:43)
at io.reactivex.rxjava3.core.Single.subscribe(Single.java:4813)
at io.reactivex.rxjava3.internal.operators.single.SingleSubscribeOn$SubscribeOnObserver.run(SingleSubscribeOn.java:89)
at io.reactivex.rxjava3.core.Scheduler$DisposeTask.run(Scheduler.java:614)
at io.reactivex.rxjava3.internal.schedulers.ScheduledRunnable.run(ScheduledRunnable.java:65)
at io.reactivex.rxjava3.internal.schedulers.ScheduledRunnable.call(ScheduledRunnable.java:56)
at java.util.concurrent.FutureTask.run(FutureTask.java:237)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:269)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1113)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:588)
at java.lang.Thread.run(Thread.java:818)
Caused by: java.net.ConnectException: failed to connect to www.youtube.com/2a00:1450:4010:c05::c6 (port 443) after 10000ms: isConnected failed: ENETUNREACH (Network is unreachable)
at libcore.io.IoBridge.isConnected(IoBridge.java:234)
at libcore.io.IoBridge.connectErrno(IoBridge.java:171)
at libcore.io.IoBridge.connect(IoBridge.java:122)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:183)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:452)
at java.net.Socket.connect(Socket.java:884)
at okhttp3.internal.platform.AndroidPlatform.connectSocket(AndroidPlatform.java:73)
at okhttp3.internal.connection.RealConnection.connectSocket(RealConnection.java:247)
... 39 more
Caused by: android.system.ErrnoException: isConnected failed: ENETUNREACH (Network is unreachable)
at libcore.io.IoBridge.isConnected(IoBridge.java:223)
... 46 more
```
</details>
<hr>
### Device info
- Android version/Custom ROM version: CyanogenMod 13.1
- Device model: OnePlus One
Alex01d
September 16, 2021, 3:32pm
18
SmartTubeNext тоже перестал работать, по крайней мере, с теле2.
UPD: no, they use this cipher set only in this exact case, but in general they have a common okhttp3 cipher list (without 3DES, it is probably filtered by the tls library): https://github.com/square/okhttp/blob/06644bb0507873e9a3b89d9107da537f1b140e91/okhttp/src/main/java/okhttp3/ConnectionSpec.java#L68
So they block HTTPS requests to www.youtube.com via okhttp library.
Hint: this block could be circumvented by changing SNI case. wWw.youtube.com works.docs.google.com, are not blocked with this TLS fingerprint.
