From be8fa4542c09bf9b0c668c746bc49450a555ebb4 Mon Sep 17 00:00:00 2001
From: Vladimir Dubrovin <3proxy@3proxy.ru>
Date: Tue, 10 Mar 2026 13:38:09 +0300
Subject: [PATCH] SNI break (DPI bypass) added -s option to tlspr (or tls type redirect), requires TCP_NODELAY to be set auth iponly allow * parent 1000 tls 0.0.0.0 0 allow * proxy -s -i127.0.0.1 -ocTCP_NODELAY -osTCP_NODELAY -p1443
---
 src/tlspr.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/src/tlspr.c b/src/tlspr.c
index 1aecb72..022a550 100644
--- a/src/tlspr.c
+++ b/src/tlspr.c
@@ -38,7 +38,7 @@ int readtls(struct clientparam *param, int direction, unsigned char *buf, int bu
 #define PROTOLEN (32)
-int parsehello(int type, unsigned char *hello, int len, char *sni, int *lv, char * proto){
+int parsehello(int type, unsigned char *hello, int len, char *sni, int * snipos, int *lv, char * proto){
 int hlen;
 unsigned offset;
 int slen;
@@ -86,6 +86,7 @@ int parsehello(int type, unsigned char *hello, int len, char *sni, int *lv, char
 if(snlen + 3 > snllen) return -14;
 if(snlen+1 > SNILEN) return -15;
 memcpy(sni, hello + offset + 9, snlen);
+ *snipos = offset + 9;
 sni[snlen] = 0;
 snifound = snlen;
 }
@@ -178,6 +179,7 @@ void * tlsprchild(struct clientparam* param) {
 char req[SNILEN+PROTOLEN+16];
 int lv=-1;
 char proto[PROTOLEN]="-";
+ int snipos = 0;
 res = tlstobufcli(param, 0);
 if(res <= 0 || param->clibuf[0] != 22){
@@ -185,7 +187,7 @@ void * tlsprchild(struct clientparam* param) {
 }
 else {
 lv = param->clibuf[2];
- res = parsehello(1, param->clibuf, res, sni, &lv, proto);
+ res = parsehello(1, param->clibuf, res, sni, &snipos, &lv, proto);
 if(res > 0){
 if(param->hostname){
 myfree(param->hostname);
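Review bot: The new `snipos` out-parameter of parsehello is written only on the SNI-found path (the `*snipos = offset + 9;` line in the @@ -86 hunk), so every caller must pre-initialise it or it reads an indeterminate value when no SNI extension is present; the caller in tlsprchild does initialise it to 0, but nothing at the function states that contract. A short header comment on the declaration would pin it down, e.g. `/* snipos: on success, byte offset of the SNI host name within hello; left untouched when no SNI is found, so callers must initialise it (0 = none) */`. parsehello is non-static, so any other caller outside src/tlspr.c would now fail to compile against the changed signature; the rest of the function and any other callers are outside this hunk.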
@@ -193,6 +195,16 @@ void * tlsprchild(struct clientparam* param) {
 }
 else if (parsehostname(sni, param, param->srv->targetport? ntohs(param->srv->targetport):443)) RETURN (100);
 if (!param->hostname)param->hostname = (unsigned char *)mystrdup(sni);
+ if(param->srv->singlepacket && snipos && res > 1){
+ int len;
+
+ len = socksend(param, param->remsock, param->clibuf+param->clioffset,snipos + (res/2), conf.timeouts[STRING_S]);
+ if(len != snipos + (res/2)){
+ RETURN(310);
+ }
+ param->clioffset += snipos + (res/2);
+
+ }
 }
 else if (res < 0 && param->srv->requirecert) RETURN(310-res);
 }
@@ -216,7 +228,7 @@ void * tlsprchild(struct clientparam* param) {
 res = tlstobufsrv(param, 0);
 if(res <= 0 || param->srvbuf[0] != 22) RETURN(340-res);
 lv = param->srvbuf[2];
- res = parsehello(2, param->srvbuf, res, sni, &lv, proto);
+ res = parsehello(2, param->srvbuf, res, sni, &snipos, &lv, proto);
 if (res < 0) RETURN(350-res);
 }
 if(param->srv->requirecert > 2){
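Review bot: The split length `snipos + (res/2)` is measured from the start of `param->clibuf` (parsehello is called on `param->clibuf`, not on `param->clibuf+param->clioffset`), yet the partial send starts at `param->clibuf+param->clioffset`; unless clioffset is guaranteed to be 0 when this branch runs, the first segment ends at the wrong byte and may run past the buffered data. `res` at this point is whatever parsehello returned (it appears to be the SNI length, but its return statement is outside the hunk), not the byte count from tlstobufcli, so the only thing keeping `snipos + (res/2)` inside the hello is parsehello's own bounds checking; a comment such as `/* res is the SNI length; snipos+res/2 stays inside the hello, bounded by parsehello's checks */` would make that dependency explicit. The send also assumes `param->remsock` is already connected at this point; tlsprchild continues outside the hunk, so confirm the ordering holds for the standalone tlspr service as well as the parent-redirect case, otherwise every singlepacket connection fails with RETURN(310). In the @@ -216 hunk the server-side parsehello call overwrites `snipos` with the server hello's offset, which is harmless after the client-side split has been consumed but leaves the variable misleadingly named; a separate scratch variable for that call would read more clearly.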