Error: Unable to send messages to new numbers when using web proxy - Full CDSI refresh failed
This issue is related to the following: https://github.com/AsamK/signal-cli/issues/1523 which was marked as resolved since v0.13.13 with the introduction of Proxy support "Fix check for registered users with a proxy"
Unfortunately in my case, the issue persists.
My setup is the following (simplified lab environment):
- Signal CLI v0.13.15 (latest at this time)
- Proxy: Squid Proxy allowing all, no filtering.
- Server with no internet access, only way out is through proxy.
- Java openjdk version "21.0.6" 2025-01-21 LTS
When trying to send message to a new contact, not yet in recipients list:
# Set proxy
export JAVA_OPTS="-Dhttp.proxyHost=proxy.mydomain.lan -Dhttp.proxyPort=3128 -Dhttps.proxyHost=proxy.mydomain.lan -Dhttps.proxyPort=3128"
# Send message to NEW contact => fails
signal-cli --verbose -u +xxxxxxxxxx send -m "Simple test" +yyyyyyyyyyy
The output is still the same:
2025-04-22T23:19:35.052+0200 [pool-2-thread-1] WARN o.a.s.m.jobs.RefreshRecipientsJob - Full CDSI recipients refresh failed, ignoring: connect timed out (NetworkException)
2025-04-22T23:19:35.053+0200 [pool-2-thread-1] DEBUG o.a.s.m.jobs.RefreshRecipientsJob - Full CDSI refresh failed
Proxy access logs, single line, no denied:
1745356593.916 1233 192.168.1.165 TCP_TUNNEL/200 4123 CONNECT chat.signal.org:443 - HIER_DIRECT/76.223.92.165 -
Observed behavior: when not specifying proxy in JAVA_OPTS, there is a timeout after 10 secs. So Signal-cli is trying before giving up. Which is to be expected, as no proxy specified.
When proxy is set, it connects instantly, but a few steps later when checking the new recipient, the failure is immediate. As soon as it tries to contact CDSi, the timeout error occurs instantly.
Is setting the proxy in the JAVA_OPTS (SIGNAL_CLI_OPTS) sufficient? Or is there also an extra config that I am missing?
Thanks,
The issue was closed but the problem persists for us and for anyone that uses a proxy.
Ah ok, thanks for the information. I was not sure if something was missing in the JAVA_OPTS proxy settings.
There have been some changes lately, either in the signal-cli or libsignal library.
Proxy is logging direct requests to the following IP:
40.122.45.194
This corresponds to cdsi.signal.org
Direct IP requests were not present before, this is better indeed, but still...
The Signal-CLI (or the libsignal) does DNS lookup of the following address: cdsi.signal.org => 40.122.45.194
This is done locally on the client side prior to contacting the proxy. Strangely this is not the case for other URLs (chat.signal.org for instance). (Checked via tcpdump on the client)
If the proxy has ACL authorizing only the usual domains *0.signal.org, whispersystems.org, etc... This won't be enough. Adding 40.122.45.194 to the whitelist solves the Full CDSI refresh failed error.
The next step would be to fix this and prevent the client from doing this DNS lookup itself prior to sending requests to the proxy. How can cdsi.signal.org be prevented from being resolved by the client when using a proxy?
Looks like there's an option in libsignal-client to resolve hostnames locally or remotely by the proxy. But it's hard-coded to resolve locally... https://github.com/signalapp/libsignal/blob/main/rust/net/infra/src/route/proxy.rs#L216
This appears to have been changed in libsignal 0.81.0: https://github.com/signalapp/libsignal/commit/15d18cab82be1013ba610e9a2084bd05d268681b So with the next signal-cli release the DNS lookup should be deferred to the proxy.
Good news. Do you have any prevision for the new release?
There'll be a new release in the next few days. Can you test if your proxy configuration now works with the latest development build? https://github.com/AsamK/signal-cli/actions/runs/17839744334
It seems that the new version fixed the problems that existed via proxy. Thank you for all the help
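For proxy operators following this thread, the symptom described above (a CONNECT to a bare IP address instead of a hostname) can be spotted in Squid access logs. The sketch below is an added example, not part of the thread or of signal-cli; the allowlist suffixes and the second and third log lines are assumptions constructed for illustration.

```python
import ipaddress

# Domain suffixes a proxy allowlist might contain (assumed for this example).
ALLOWED_SUFFIXES = (".signal.org", ".whispersystems.org")

# Line 1 is the log line quoted in the thread; lines 2 and 3 are constructed.
SAMPLE_LOG = """\
1745356593.916 1233 192.168.1.165 TCP_TUNNEL/200 4123 CONNECT chat.signal.org:443 - HIER_DIRECT/76.223.92.165 -
1745356594.120 0 192.168.1.165 TCP_DENIED/403 3900 CONNECT 40.122.45.194:443 - HIER_NONE/- text/html
1745356595.002 87 192.168.1.165 TCP_MISS/200 512 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html
"""

def split_target(target):
    """Split a CONNECT target 'host:port' or '[v6]:port' into (host, port)."""
    host, _, port = target.rpartition(":")
    return host.strip("[]"), port

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_allowed(host):
    host = host.lower().rstrip(".")
    return any(host == s[1:] or host.endswith(s) for s in ALLOWED_SUFFIXES)

def audit(log_text):
    """Return (client, host, port, squid_result, verdict) for each CONNECT line."""
    findings = []
    for line in log_text.splitlines():
        f = line.split()
        # Squid native format: time elapsed client result/code bytes method URL ...
        if len(f) < 7 or f[5] != "CONNECT":
            continue
        host, port = split_target(f[6])
        if is_ip_literal(host):
            # Client resolved DNS itself, so a hostname allowlist sees no name to match.
            verdict = "ip-literal"
        elif domain_allowed(host):
            verdict = "allowed-domain"
        else:
            verdict = "unlisted-domain"
        findings.append((f[2], host, port, f[3], verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Clients that show up with an `ip-literal` verdict are resolving names locally before talking to the proxy, which is the behaviour the thread traces to the libsignal version in use.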