Fix Fake-TLS (EE mode) not working with -D option

Copilot · dvershinin · Copilot · commit cc93e530c9c1 · 2025-12-28T18:12:39.000Z
This fix reverts the problematic changes from PR #24 and PR #25 that broke Fake-TLS connections: 1. Revert TLS ClientHello detection to original pattern: The change in PR #25 incorrectly checked the length byte instead of TLS version, which could cause detection failures. 2. Remove the tag validation check that was incorrectly rejecting EE/EF modes: - For Fake-TLS connections (C_IS_TLS set), any valid tag should be accepted - For non-TLS connections with allow_only_tls=1, connection is rejected earlier - This check was unnecessary and was causing EE mode to fail Fixes #23 Co-authored-by: dvershinin <250071+dvershinin@users.noreply.github.com>
diff --git a/net/net-tcp-rpc-ext-server.c b/net/net-tcp-rpc-ext-server.c
@@ -1043,8 +1043,6 @@ int tcp_rpcs_compact_parse_execute (connection_job_t C) {
 
     if (D->in_packet_num == -3) {
       vkprintf (1, "trying to determine type of connection from %s:%d\n", show_remote_ip (C), c->remote_port);
-      vkprintf (2, "packet_len=0x%08x, ext_secret_cnt=%d, allow_only_tls=%d, C_IS_TLS=%d\n", 
-                packet_len, ext_secret_cnt, allow_only_tls, !!(c->flags & C_IS_TLS));
 #if __ALLOW_UNOBFS__
       if ((packet_len & 0xff) == 0xef) {
         D->flags |= RPC_F_COMPACT;
@@ -1112,9 +1110,7 @@ int tcp_rpcs_compact_parse_execute (connection_job_t C) {
         assert (rwm_fetch_lookup (&c->in, &packet_len, 4) == 4);
 
         c->left_tls_packet_length -= 64; // skip header length
-      } else if ((packet_len & 0xFF) == 0x16 && ((packet_len >> 8) & 0xFF) == 0x03 && (packet_len >> 24) >= 2 && ext_secret_cnt > 0 && allow_only_tls) {
-        // TLS ClientHello detection: 0x16 (handshake), 0x03 (SSL/TLS version major), any minor version (0x01=TLS1.0, 0x03=TLS1.2/1.3)
-        vkprintf (2, "Detected TLS ClientHello: packet_len=0x%08x, version=0x03%02x\n", packet_len, (packet_len >> 16) & 0xFF);
+      } else if ((packet_len & 0xFFFFFF) == 0x010316 && (packet_len >> 24) >= 2 && ext_secret_cnt > 0 && allow_only_tls) {
         unsigned char header[5];
         assert (rwm_fetch_lookup (&c->in, header, 5) == 5);
         min_len = 5 + 256 * header[3] + header[4];
@@ -1319,10 +1315,6 @@ int tcp_rpcs_compact_parse_execute (connection_job_t C) {
         unsigned tag = *(unsigned *)(random_header + 56);
 
         if (tag == 0xdddddddd || ((tag == 0xeeeeeeee || tag == 0xefefefef) && !ext_rand_pad_only)) {
-          if (tag == 0xdddddddd && allow_only_tls) {
-            vkprintf (1, "Expected Fake-TLS mode (EE/EF), got random padding mode (DD)\n");
-            RETURN_TLS_ERROR(default_domain_info);
-          }
           assert (rwm_skip_data (&c->in, 64) == 64);
           rwm_union (&c->in_u, &c->in);
           rwm_init (&c->in, 0);
