TLS Validator

Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
2026-04-17 02:24:10 +03:00 · 2026-03-23 21:58:39 +03:00
parent bb71de0230
commit 8db566dbe9
6 changed files with 187 additions and 13 deletions
--- a/src/config/load.rs
+++ b/src/config/load.rs
@@ -1267,6 +1267,10 @@ mod tests {
            cfg.server.proxy_protocol_trusted_cidrs,
            default_proxy_protocol_trusted_cidrs()
        );
+        assert_eq!(
+            cfg.censorship.unknown_sni_action,
+            UnknownSniAction::Drop
+        );
        assert_eq!(cfg.server.api.listen, default_api_listen());
        assert_eq!(cfg.server.api.whitelist, default_api_whitelist());
        assert_eq!(
@@ -1403,6 +1407,10 @@ mod tests {
            server.proxy_protocol_trusted_cidrs,
            default_proxy_protocol_trusted_cidrs()
        );
+        assert_eq!(
+            AntiCensorshipConfig::default().unknown_sni_action,
+            UnknownSniAction::Drop
+        );
        assert_eq!(server.api.listen, default_api_listen());
        assert_eq!(server.api.whitelist, default_api_whitelist());
        assert_eq!(
@@ -1473,6 +1481,34 @@ mod tests {
        );
    }

+    #[test]
+    fn unknown_sni_action_parses_and_defaults_to_drop() {
+        let cfg_default: ProxyConfig = toml::from_str(
+            r#"
+            [server]
+            [general]
+            [network]
+            [access]
+            [censorship]
+            "#,
+        )
+        .unwrap();
+        assert_eq!(cfg_default.censorship.unknown_sni_action, UnknownSniAction::Drop);
+
+        let cfg_mask: ProxyConfig = toml::from_str(
+            r#"
+            [server]
+            [general]
+            [network]
+            [access]
+            [censorship]
+            unknown_sni_action = "mask"
+            "#,
+        )
+        .unwrap();
+        assert_eq!(cfg_mask.censorship.unknown_sni_action, UnknownSniAction::Mask);
+    }
+
    #[test]
    fn dc_overrides_allow_string_and_array() {
        let toml = r#"
--- a/src/config/types.rs
+++ b/src/config/types.rs
@@ -1359,6 +1359,14 @@ impl Default for TimeoutsConfig {
    }
 }

+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "lowercase")]
+pub enum UnknownSniAction {
+    #[default]
+    Drop,
+    Mask,
+}
+
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct AntiCensorshipConfig {
    #[serde(default = "default_tls_domain")]
@@ -1368,6 +1376,10 @@ pub struct AntiCensorshipConfig {
    #[serde(default)]
    pub tls_domains: Vec<String>,

+    /// Policy for TLS ClientHello with unknown (non-configured) SNI.
+    #[serde(default)]
+    pub unknown_sni_action: UnknownSniAction,
+
    /// Upstream scope used for TLS front metadata fetches.
    /// Empty value keeps default upstream routing behavior.
    #[serde(default = "default_tls_fetch_scope")]
@@ -1478,6 +1490,7 @@ impl Default for AntiCensorshipConfig {
        Self {
            tls_domain: default_tls_domain(),
            tls_domains: Vec::new(),
+            unknown_sni_action: UnknownSniAction::Drop,
            tls_fetch_scope: default_tls_fetch_scope(),
            mask: default_true(),
            mask_host: None,