AdguardTeam
Legitimate HTTPS Requests Blocked
Please answer the following questions for yourself before submitting an issue
- [x] Filters were updated before reproducing an issue
- [x] I checked the knowledge base and found no answer
- [x] I checked to make sure that this issue has not already been filed
AdGuard version
4.14.3
Environment
- OS version: android 16
- Device: pixel 10 pro xl
HTTPS filtering
- [x] yes, I do
Root access
- [ ] yes, I have it
Integration with AdGuard VPN
- [ ] yes, I do
Routing mode
Local VPN
Ad Blocking
No response
Privacy
No response
Social
No response
Annoyances
No response
Security
No response
Language-specific
No response
Other
No response
Which DNS server do you use?
DNS protection disabled
DNS protocol
None
Custom DNS
No response
What Stealth Mode options do you have enabled?
No response
Issue Details
na
Expected Behavior
No response
Actual Behavior
not this
Screenshots
Additional Information
No response
@Versty how is this issue not fixed. it is easily reproduced by turning on https filtering for any app. it shouldn't be behaving like this.
its blocked multiple legitimate https requests through brave already for me.
I think it's related to the apps and domains using ssl pinning. I've root with certificate installed in system store and yet I face this for various apps with no reason listed in the log. I remember seeing one debug in which something related to ssl was written but I agree this isn't probably true for all the unlisted blocking. Some are because of unsupported protocol too I guess.
Similar problem https://github.com/AdguardTeam/AdguardFilters/issues/217996
If HTTPS filtering is enabled for app but app does not accept AdGuard CA, its request will be displayed like this.
Ok that part is understandable but it is doing it for brave browser sometimes
Sent from Proton Mail for Android.
-------- Original Message -------- On Tuesday, 12/02/25 at 10:32 Sergey Fionov @.***> wrote:
sfionov left a comment (AdguardTeam/AdguardForAndroid#5905)
If HTTPS filtering is enabled for app but app does not accept AdGuard CA, its request will be displayed like this.
— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: @.***>
I can. It's just IDK when it's gonna be it happens rarely.
Sent from Proton Mail for Android.
-------- Original Message -------- On Tuesday, 12/02/25 at 10:46 zzebrum @.***> wrote:
zzebrum left a comment (AdguardTeam/AdguardForAndroid#5905)
@.***(https://github.com/jo2dan94) could you collect debug logs and send it to qa2adguard.com?
— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: @.***>
That's where logs are sent yes
Sent from Proton Mail for Android.
-------- Original Message -------- On Tuesday, 12/02/25 at 14:32 TPS @.***> wrote:
TPS left a comment (AdguardTeam/AdguardForAndroid#5905)
send it to qa2adguard.com?
@.***?
— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: @.***>
@jo2dan94 Unfortunately, we don’t see any new emails from you. Could you please add 5905 to the subject line and resend it to [email protected]?
@TPS @Rtizer-9 @jo2dan94 To summarize the above, blocked 'HTTPS tunnel' events appear when AdGuard tries to filter the HTTPS traffic of an application that does not allow the use of the CA certificate provided by AdGuard. It is also worth mentioning that the HTTPS filtering toggle is disabled for such apps in the 'App Management' tab of the AdGuard application by default.
This behavior is intended, but it would be helpful if you could see a clear explanation of the blocking reason in this case. Therefore, we have created the following enhancement: https://github.com/AdguardTeam/AdguardForAndroid/issues/5942. If you would like to see this implemented, please add a 👍 reaction to the linked issue.
It's very hard to reproduce. I don't really have time lately to sit and wait for a blocked https request unfortunately I'm sorry. If someone else could reproduce that would be great
Sent from Proton Mail for Android.
-------- Original Message -------- On Wednesday, 12/03/25 at 07:24 Diana @.***> wrote:
Versty left a comment (AdguardTeam/AdguardForAndroid#5905)
@.(https://github.com/jo2dan94) Unfortunately, we don’t see any new emails from you. Could you please add 5905 to the subject line and resend it to @.?
— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: @.***>
I reproduced it tonight. Sending logs. It happened in Samsung browser just a random request that shouldn't have been blocked
Any update. For the easiest testing of this issue, Twitter is the best application which seems to have ssl pinning on several of its domains.
Two blocked https requests I saw today happened in brave but I didn't get a debug log.
Hello! We will add additional field in the next versions, explaining what's really happened.
@jo2dan94 I have seen your log about execution-ci360.uscellular.com - it is CDN reaction on Protect against DPI - they sometimes manage to respond with error when split ClientHello is on, part of ClientHello is already sent, and second is waiting for delay. However, it can be completely random - your may see successes to the same domain in the same log too.
@Rtizer-9 @jo2dan94 To summarize said above: this behavior isn’t a bug, but we will make adjustments to improve the indication for such events.
We’ll continue tracking this improvement internally. Thanks for the keen eye!
Thank you so much!
Sent from Proton Mail for Android.
-------- Original Message -------- On Thursday, 12/18/25 at 09:53 Sergey Fionov @.***> wrote:
sfionov left a comment (AdguardTeam/AdguardForAndroid#5905)
Hello! We will add additional field in the next versions, explaining what's really happened.
@.***(https://github.com/jo2dan94) I have seen your log about execution-ci360.uscellular.com - it is CDN reaction on Protect against DPI - they sometimes manage to respond with error when split ClientHello is on, part of ClientHello is already sent, and second is waiting for delay. However, it can be completely random - your may see successes to the same domain in the same log too.
— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: @.***>
@sfionov @Versty I'm rooted and also make use of ssl pinning bypass modules which sometimes help but not all the time obviously.
On my ksu if "unmount modules by default" is checked, it obviously means that the adguard system certificate installed through adguardcert module won't have any effect at all on apps unless specifically given permissions by allowing modules to mount for that app.
Now even after that various apps get that error of legitimate https requests getting blocked and then I tried granting full root permissions to them to just check and sometimes they seem to work and then sometimes ssl pinning bypass modules work but not perfectly.
So if this is related to the app or a specific domain using ssl pinning then obviously it's not adguard's fault.
As you guys said - for users'convenience, the reason is of utmost importance so they're aware why the request got blocked.
Yes I agree. It is important too show in the app why these requests are being blocked.
Sent from Proton Mail for Android.
-------- Original Message -------- On Thursday, 12/18/25 at 10:25 Rtizer-9 @.***> wrote:
Rtizer-9 left a comment (AdguardTeam/AdguardForAndroid#5905)
@.(https://github.com/sfionov) @.(https://github.com/Versty) I'm rooted and also make use of ssl pinning bypass modules which sometimes help but not all the time obviously.
On my ksu if "unmount modules by default" is checked, it obviously means that the adguard system certificate installed through adguardcert module won't have any effect at all on apps unless specifically given permissions by allowing modules to mount for that app.
Now even after that various apps get that error of legitimate https requests getting blocked and then I tried granting full root permissions to them to just check and sometimes they seem to work and then sometimes ssl pinning bypass modules work but not perfectly.
So if this is related to the app or a specific domain using ssl pinning then obviously it's not adguard's fault.
As you guys said - for users'convenience, the reason is of utmost importance so they're aware why the request got blocked.
— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: @.***>