From 4011812fda5bfbce768c294ad1be5334d9569561 Mon Sep 17 00:00:00 2001
From: Alexey <247128645+axkurcom@users.noreply.github.com>
Date: Mon, 23 Feb 2026 05:48:55 +0300
Subject: [PATCH] TLS FC TTL Improvements

---
 src/proxy/handshake.rs | 1 -
 src/tls_front/cache.rs | 22 ++++++++++------------
 2 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/src/proxy/handshake.rs b/src/proxy/handshake.rs
index d96a86c..750d839 100644
--- a/src/proxy/handshake.rs
+++ b/src/proxy/handshake.rs
@@ -121,7 +121,6 @@ where
 let cached_entry = cache.get(&selected_domain).await;
 let use_full_cert_payload = cache
 .take_full_cert_budget_for_ip(
- &selected_domain,
 peer.ip(),
 Duration::from_secs(config.censorship.tls_full_cert_ttl_secs),
 )
diff --git a/src/tls_front/cache.rs b/src/tls_front/cache.rs
index 22b8538..15a97af 100644
--- a/src/tls_front/cache.rs
+++ b/src/tls_front/cache.rs
@@ -15,7 +15,7 @@ use crate::tls_front::types::{CachedTlsData, ParsedServerHello, TlsFetchResult};
 pub struct TlsFrontCache {
 memory: RwLock>>,
 default: Arc,
- full_cert_sent: RwLock>,
+ full_cert_sent: RwLock>,
 disk_path: PathBuf,
 }
@@ -62,11 +62,10 @@ impl TlsFrontCache {
 self.memory.read().await.contains_key(domain)
 }
- /// Returns true when full cert payload should be sent for (domain, client_ip)
+ /// Returns true when full cert payload should be sent for client_ip
 /// according to TTL policy.
 pub async fn take_full_cert_budget_for_ip(
 &self,
- domain: &str,
 client_ip: IpAddr,
 ttl: Duration,
 ) -> bool {
@@ -74,7 +73,7 @@ impl TlsFrontCache {
 self.full_cert_sent
 .write()
 .await
- .insert((domain.to_string(), client_ip), Instant::now());
+ .insert(client_ip, Instant::now());
 return true;
 }
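Review bot: With `&selected_domain` dropped from the call, `peer.ip()` alone now decides the full-cert budget, so every client behind a shared address (NAT, CGNAT, a corporate egress) competes for one full-cert send per `tls_full_cert_ttl_secs` across all domains, and whichever arrives first decides what the rest receive until the TTL lapses; the old `(domain, ip)` key at least reset that per domain. If that trade-off is intended it should be stated where the value is taken: `// Full-cert budget is per client IP and shared across domains; clients behind one address share it.` The enclosing function starts above the hunk, so whether `peer` is the direct socket peer or an upstream proxy address (which would collapse all clients into one budget) is not visible here.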
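Review bot: The rewritten doc comment still reduces the result to "according to TTL policy", while the policy itself is visible in the body in the following hunks and callers act on the boolean, so it is worth spelling out: `/// Returns true the first time client_ip is seen and again once ttl has elapsed since the last true result, false while still inside the window; every true refreshes the timestamp, and entries older than ttl are evicted on each call.` It would also help to say that the key is the address only, so the budget is shared by every domain a client asks for. The function body continues below this hunk.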
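Review bot: On this early-return path the new code still records `client_ip` before returning `true`, yet nothing on this path reads the entry, and its branch condition sits above the hunk; if it is the zero-TTL case the tests in `mod tests` exercise, the `retain` on the regular path would drop the entry immediately anyway, so each distinct client address only grows `full_cert_sent` until a later regular call happens to prune it. Unless the intent is for the timestamp to carry over to a subsequent call with a non-zero `ttl` (the value is supplied per call), the branch can simply `return true;` with the insert removed; if the carry-over is intended, a comment saying so belongs on the insert. The enclosing function starts in the hunk above.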
@@ -82,8 +81,7 @@ impl TlsFrontCache {
 let mut guard = self.full_cert_sent.write().await;
 guard.retain(|_, seen_at| now.duration_since(*seen_at) < ttl);
- let key = (domain.to_string(), client_ip);
- match guard.get_mut(&key) {
+ match guard.get_mut(&client_ip) {
 Some(seen_at) => {
 if now.duration_since(*seen_at) >= ttl {
 *seen_at = now;
@@ -93,7 +91,7 @@ impl TlsFrontCache {
 }
 }
 None => {
- guard.insert(key, now);
+ guard.insert(client_ip, now);
 true
 }
 }
@@ -223,16 +221,16 @@ mod tests {
 let ttl = Duration::from_millis(80);
 assert!(cache
- .take_full_cert_budget_for_ip("example.com", ip, ttl)
+ .take_full_cert_budget_for_ip(ip, ttl)
 .await);
 assert!(!cache
- .take_full_cert_budget_for_ip("example.com", ip, ttl)
+ .take_full_cert_budget_for_ip(ip, ttl)
 .await);
 tokio::time::sleep(Duration::from_millis(90)).await;
 assert!(cache
- .take_full_cert_budget_for_ip("example.com", ip, ttl)
+ .take_full_cert_budget_for_ip(ip, ttl)
 .await);
 }
@@ -247,10 +245,10 @@ mod tests {
 let ttl = Duration::ZERO;
 assert!(cache
- .take_full_cert_budget_for_ip("example.com", ip, ttl)
+ .take_full_cert_budget_for_ip(ip, ttl)
 .await);
 assert!(cache
- .take_full_cert_budget_for_ip("example.com", ip, ttl)
+ .take_full_cert_budget_for_ip(ip, ttl)
 .await);
 }
 }
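Review bot: `guard.retain(...)` scans the whole map on every handshake while the write lock is held, and with the key now a bare `IpAddr` the map's size is the number of distinct client addresses seen within `ttl`, a number the remote side controls, so under address churn every handshake pays O(n) inside the lock. The lookup below already handles an expired entry itself (the `>= ttl` arm refreshes it), so the scan is only about memory and can be amortized, e.g. `if guard.len() > PRUNE_THRESHOLD { guard.retain(|_, seen_at| now.duration_since(*seen_at) < ttl); }` with a constructed `PRUNE_THRESHOLD` bound, or a stored last-prune `Instant` checked against `now`. A comment on the `retain` line stating that expiry is enforced by the lookup and the scan exists only to bound memory would also help the next reader. The enclosing function starts and ends outside this hunk.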
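Review bot: Both updated test bodies drive a single `ip`, so nothing pins the property the commit introduces: that the budget is per client address and that a second address is unaffected by the first's window. One assertion such as `assert!(cache.take_full_cert_budget_for_ip(other_ip, ttl).await);` placed right after the `!cache` check, with `other_ip` bound next to `ip` above the hunk, would cover it. The 80 ms window against a real 90 ms `tokio::time::sleep` on the context line is a flakiness risk on a loaded runner; it predates this change, but `tokio::time::pause()` with an advanced clock would make the window deterministic.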