Fix Fake-TLS (EE mode) regression with -D domain option #26
Closed
Remove incorrect check that was rejecting 0xeeeeeeee tag when allow_only_tls flag is set. This allows EE mode (Fake-TLS + Padding) to work properly when -D domain option is specified.

Co-authored-by: dvershinin <250071+dvershinin@users.noreply.github.com>
Instead of removing validation entirely, now properly validates that when -D (Fake-TLS) option is used:
- DD mode (0xdddddddd - random padding only) is rejected
- EE mode (0xeeeeeeee - Fake-TLS + Padding) is allowed
- EF mode (0xefefefef - Fake-TLS compact) is allowed

This maintains proper security validation while fixing the original bug.

Co-authored-by: dvershinin <250071+dvershinin@users.noreply.github.com>
Fix Fake-TLS (EE mode) rejected when domain option specified
Co-authored-by: dvershinin <250071+dvershinin@users.noreply.github.com>
…ion-handling Fix Fake-TLS ClientHello detection to support TLS 1.2/1.3
This fix reverts the problematic changes from PR #24 and PR #25 that broke Fake-TLS connections:

1. Revert TLS ClientHello detection to original pattern: The change in PR #25 incorrectly checked the length byte instead of TLS version, which could cause detection failures.
2. Remove the tag validation check that was incorrectly rejecting EE/EF modes:
   - For Fake-TLS connections (C_IS_TLS set), any valid tag should be accepted
   - For non-TLS connections with allow_only_tls=1, connection is rejected earlier
   - This check was unnecessary and was causing EE mode to fail

Fixes #23

Co-authored-by: dvershinin <250071+dvershinin@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix issue 23 regression in MTProxy functionality" to "Fix Fake-TLS (EE mode) regression with -D domain option" on Dec 28, 2025
Fake-TLS connections stopped working after PR #24 and PR #25. Users confirmed it worked at f9d39fb but broke at 6f20cec.
Changes
- Revert TLS ClientHello detection pattern: PR #25 (Fix Fake-TLS ClientHello detection to support TLS 1.2/1.3) changed the check to incorrectly validate the length byte instead of the TLS minor version
- Remove unnecessary tag validation: The check rejecting DD mode when allow_only_tls was set is redundant—non-TLS connections are already rejected earlier at line 1251 when allow_only_tls=1
- Remove debug logging added for troubleshooting