@ooni-bot
Contributor

No description provided.

@zenitraM
zenitraM commented Nov 26, 2025

We've confirmed using proxies in Myanmar that api.revenuecat.com and apparently *.revenuecat.com are blocked in Myanmar via DPI, with connections being blocked on both http and https when the SNI/Host header matches on any IP address:

❯ curl -x $PROXY "https://api.revenuecat.com" --resolve "api.revenuecat.com:443:3.218.149.185" -v
* Added api.revenuecat.com:443:3.218.149.185 to DNS cache
* Host xxxx:9999 was resolved.
* IPv6: (none)
* IPv4: ...
*   Trying ...:9999...
* Connected to ... port 9999
* Hostname api.revenuecat.com was found in DNS cache
* SOCKS5 connect to 3.218.149.185:443 (locally resolved)
* SOCKS5 request granted.
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.revenuecat.com:443
* Closing connection
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.revenuecat.com:443

When changing the SNI header to a different one, the connection does work:

❯ curl -x $PROXY "https://api.revenuecats.com" --resolve "api.revenuecats.com:443:3.218.149.185" -v
* Added api.revenuecats.com:443:3.218.149.185 to DNS cache
* Host ...:9999 was resolved.
* IPv6: (none)
* IPv4: ...
*   Trying ...:9999...
* Connected to ... port 9999
* Hostname api.revenuecats.com was found in DNS cache
* SOCKS5 connect to 3.218.149.185:443 (locally resolved)
* SOCKS5 request granted.
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=*.revenuecat.com
*  start date: Nov 19 00:00:00 2025 GMT
*  expire date: Dec 18 23:59:59 2026 GMT
*  subjectAltName does not match host name api.revenuecats.com
* SSL: no alternative certificate subject name matches target host name 'api.revenuecats.com'
* Closing connection
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'api.revenuecats.com'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Requesting via HTTP with the Host header set to api.revenuecat.com but to a different domain (1.1.1.1) - the connection gets cut out after the Host header, so the blocking seems to occur at a SNI level rather than an IP level:

❯ curl -x $PROXY "http://api.revenuecat.com" --resolve "api.revenuecat.com:80:1.1.1.1" -v
* Added api.revenuecat.com:80:1.1.1.1 to DNS cache
* Host ...:9999 was resolved.
* IPv6: (none)
* IPv4: ...
*   Trying ...:9999...
* Connected to ... port 9999
* Hostname api.revenuecat.com was found in DNS cache
* SOCKS5 connect to 1.1.1.1:80 (locally resolved)
* SOCKS5 request granted.
> GET / HTTP/1.1
> Host: api.revenuecat.com
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
* Empty reply from server
* Closing connection
curl: (52) Empty reply from server
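
Added example, not part of the original comment or of the project's code: a small Python classifier that applies the comment's differential reasoning (same IP with a different SNI, then the same Host header sent to an unrelated IP) to `curl -v` transcripts. The transcripts are constructed abbreviations of the three probes above, and the function names and the signal labels `sni` and `http_host` are assumptions.

```python
import re

# Constructed, abbreviated `curl -v` transcripts modelled on the three probes above.
TARGET_TLS = """\
* SOCKS5 connect to 3.218.149.185:443 (locally resolved)
* (304) (OUT), TLS handshake, Client hello (1):
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.revenuecat.com:443
"""
CONTROL_TLS = """\
* SOCKS5 connect to 3.218.149.185:443 (locally resolved)
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
curl: (60) SSL: no alternative certificate subject name matches target host name 'api.revenuecats.com'
"""
TARGET_HTTP = """\
* SOCKS5 connect to 1.1.1.1:80 (locally resolved)
> Host: api.revenuecat.com
* Request completely sent off
curl: (52) Empty reply from server
"""

def parse(transcript):
    """Pull out the endpoint, curl's exit code and how far the exchange got."""
    ep = re.search(r"SOCKS5 connect to ([\d.]+):(\d+)", transcript)
    code = re.search(r"^curl: \((\d+)\)", transcript, re.M)
    return {
        "ip": ep.group(1) if ep else None,
        "port": ep.group(2) if ep else None,
        "exit": int(code.group(1)) if code else 0,
        "client_hello": "Client hello" in transcript,
        "server_hello": "Server hello" in transcript,
        "request_sent": "Request completely sent off" in transcript,
    }

def classify(target_tls, control_tls, target_http):
    """Return the name-based interference signals the three probes support."""
    t, c, h = parse(target_tls), parse(control_tls), parse(target_http)
    signals = []
    # Both TLS probes hit the same IP:port, so only the SNI differs. The target
    # dies right after ClientHello while the control receives a ServerHello.
    if ((t["ip"], t["port"]) == (c["ip"], c["port"]) and t["client_hello"]
            and not t["server_hello"] and c["server_hello"]):
        signals.append("sni")
    # A plaintext request to a different IP is cut once the Host header is sent
    # (curl exit 52, empty reply), so the trigger follows the name, not the IP.
    if h["request_sent"] and h["exit"] == 52 and h["ip"] and h["ip"] != t["ip"]:
        signals.append("http_host")
    return signals
```

The control probe's exit code 60 is expected: the handshake completed and only certificate name validation failed, which is what separates it from the reset seen on the target name.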
