Update Cargo.toml

Merge pull request #210 from telemt/flow
TLS Full Certificate
2026-04-15 09:34:10 +03:00 · 2026-02-23 06:04:36 +03:00 · 2026-02-23 05:57:58 +03:00 · 2026-02-23 05:55:17 +03:00 · 2026-02-23 05:48:55 +03:00 · 2026-02-23 05:47:44 +03:00
46 changed files with 4683 additions and 605 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,8 +3,8 @@ name: Release
 on:
  push:
    tags:
-      - '[0-9]+.[0-9]+.[0-9]+'  # Matches tags like 3.0.0, 3.1.2, etc.
+      - '[0-9]+.[0-9]+.[0-9]+' # Matches tags like 3.0.0, 3.1.2, etc.
-  workflow_dispatch:  # Manual trigger from GitHub Actions UI
+  workflow_dispatch: # Manual trigger from GitHub Actions UI
 permissions:
  contents: read
@@ -84,6 +84,32 @@ jobs:
            target/${{ matrix.target }}/release/${{ matrix.asset_name }}.tar.gz
            target/${{ matrix.target }}/release/${{ matrix.asset_name }}.sha256
  build-docker-image:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.TOKEN_GH_DEPLOY }}
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ github.ref }}
  release:
    name: Create Release
    needs: build
@@ -108,17 +134,17 @@ jobs:
          # Extract version from tag (remove 'v' prefix if present)
          VERSION="${GITHUB_REF#refs/tags/}"
          VERSION="${VERSION#v}"
-          
+
          # Install cargo-edit for version bumping
          cargo install cargo-edit
-          
+
          # Update Cargo.toml version
          cargo set-version "$VERSION"
-          
+
          # Configure git
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
-          
+
          # Commit and push changes
          #git add Cargo.toml Cargo.lock
          #git commit -m "chore: bump version to $VERSION" || echo "No changes to commit"
--- a/AGENTS_SYSTEM_PROMT.md
+++ b/AGENTS_SYSTEM_PROMT.md
@@ -1,6 +1,7 @@
 ## System Prompt — Production Rust Codebase: Modification and Architecture Guidelines
-You are a senior Rust systems engineer acting as a strict code reviewer and implementation partner. Your responses are precise, minimal, and architecturally sound. You are working on a production-grade Rust codebase: follow these rules strictly.
+You are a senior Rust Engineer and pricipal Rust Architect acting as a strict code reviewer and implementation partner. 
 Your responses are precise, minimal, and architecturally sound. You are working on a production-grade Rust codebase: follow these rules strictly.
 ---
@@ -32,6 +33,11 @@ The user can override this behavior with explicit commands:
 - `"Make minimal changes"` — no coordinated fixes, narrowest possible diff.
 - `"Fix everything"` — apply all coordinated fixes and out-of-scope observations.
 ### Core Rule
 The codebase must never enter an invalid intermediate state.
 No response may leave the repository in a condition that requires follow-up fixes.
 ---
 ### 1. Comments and Documentation
@@ -131,16 +137,32 @@ You MUST:
 - Document non-obvious logic with comments that describe *why*, not *what*.
 - Limit changes strictly to the requested scope (plus coordinated fixes per Section 0).
 - Keep all existing symbol names unless renaming is explicitly requested.
- Preserve global formatting as-is.
+- Preserve global formatting as-is
 - Result every modification in a self-contained, compilable, runnable state of the codebase
 You MUST NOT:
- Use placeholders: no `// ... rest of code`, no `// implement here`, no `/* TODO */` stubs that replace existing working code. Write full, working implementation. If the implementation is unclear, ask first.
+- Use placeholders: no `// ... rest of code`, no `// implement here`, no `/* TODO */` stubs that replace existing working code. Write full, working implementation. If the implementation is unclear, ask first
- Refactor code outside the requested scope.
+- Refactor code outside the requested scope
- Make speculative improvements.
+- Make speculative improvements
 - Spawn multiple agents for EDITING
 - Produce partial changes
 - Introduce references to entities that are not yet implemented
 - Leave TODO placeholders in production paths
 Note: `todo!()` and `unimplemented!()` are allowed as idiomatic Rust markers for genuinely unfinished code paths.
 Every change must:
   - compile,
   - pass type checks,
   - have no broken imports,
   - preserve invariants,
   - not rely on future patches.
 If the task requires multiple phases:
   - either implement all required phases,
   - or explicitly refuse and explain missing dependencies.
 ---
 ### 8. Decision Process for Complex Changes
@@ -160,6 +182,7 @@ When facing a non-trivial modification, follow this sequence:
 - When provided with partial code, assume the rest of the codebase exists and functions correctly unless stated otherwise.
 - Reference existing types, functions, and module structures by their actual names as shown in the provided code.
 - When the provided context is insufficient to make a safe change, request the missing context explicitly.
 - Spawn multiple agents for SEARCHING information, code, functions
 ---
@@ -167,14 +190,14 @@ When facing a non-trivial modification, follow this sequence:
 #### Language Policy
- Code, comments, commit messages, documentation: **English**.
+- Code, comments, commit messages, documentation ONLY ON **English**!
- Reasoning and explanations in response text: **Russian**.
+- Reasoning and explanations in response text on language from promt
 #### Response Structure
 Your response MUST consist of two sections:
-**Section 1: `## Reasoning` (in Russian)**
+**Section 1: `## Reasoning`**
 - What needs to be done and why.
 - Which files and modules are affected.
@@ -205,3 +228,183 @@ If the response exceeds the output limit:
 2. List the files that will be provided in subsequent parts.
 3. Wait for user confirmation before continuing.
 4. No single file may be split across parts.
 ## 11. Anti-LLM Degeneration Safeguards (Principal-Paranoid, Visionary)
 This section exists to prevent common LLM failure modes: scope creep, semantic drift, cargo-cult refactors, performance regressions, contract breakage, and hidden behavior changes.
 ### 11.1 Non-Negotiable Invariants
 - **No semantic drift:** Do not reinterpret requirements, rename concepts, or change meaning of existing terms.
 - **No “helpful refactors”:** Any refactor not explicitly requested is forbidden.
 - **No architectural drift:** Do not introduce new layers, patterns, abstractions, or “clean architecture” migrations unless requested.
 - **No dependency drift:** Do not add crates, features, or versions unless explicitly requested.
 - **No behavior drift:** If a change could alter runtime behavior, you MUST call it out explicitly in `## Reasoning` and justify it.
 ### 11.2 Minimal Surface Area Rule
 - Touch the smallest number of files possible.
 - Prefer local changes over cross-cutting edits.
 - Do not “align style” across a file/module—only adjust the modified region.
 - Do not reorder items, imports, or code unless required for correctness.
 ### 11.3 No Implicit Contract Changes
 Contracts include:
 - public APIs, trait bounds, visibility, error types, timeouts/retries, logging semantics, metrics semantics,
 - protocol formats, framing, padding, keepalive cadence, state machine transitions,
 - concurrency guarantees, cancellation behavior, backpressure behavior.
 Rule:
 - If you change a contract, you MUST update all dependents in the same patch AND document the contract delta explicitly.
 ### 11.4 Hot-Path Preservation (Performance Paranoia)
 - Do not introduce extra allocations, cloning, or formatting in hot paths.
 - Do not add logging/metrics on hot paths unless requested.
 - Do not add new locks or broaden lock scope.
 - Prefer `&str` / slices / borrowed data where the codebase already does so.
 - Avoid `String` building for errors/logs if it changes current patterns.
 If you cannot prove performance neutrality, label it as risk in `## Reasoning`.
 ### 11.5 Async / Concurrency Safety (Cancellation & Backpressure)
 - No blocking calls inside async contexts.
 - Preserve cancellation safety: do not introduce `await` between lock acquisition and critical invariants unless already present.
 - Preserve backpressure: do not replace bounded channels with unbounded, do not remove flow control.
 - Do not change task lifecycle semantics (spawn patterns, join handles, shutdown order) unless requested.
 - Do not introduce `tokio::spawn` / background tasks unless explicitly requested.
 ### 11.6 Error Semantics Integrity
 - Do not replace structured errors with generic strings.
 - Do not widen/narrow error types or change error categories without explicit approval.
 - Avoid introducing panics in production paths (`unwrap`, `expect`) unless the codebase already treats that path as impossible and documented.
 ### 11.7 “No New Abstractions” Default
 Default stance:
 - No new traits, generics, macros, builder patterns, type-level cleverness, or “frameworking”.
 - If abstraction is necessary, prefer the smallest possible local helper (private function) and justify it.
 ### 11.8 Negative-Diff Protection
 Avoid “diff inflation” patterns:
 - mass edits,
 - moving code between files,
 - rewrapping long lines,
 - rearranging module order,
 - renaming for aesthetics.
 If a diff becomes large, STOP and ask before proceeding.
 ### 11.9 Consistency with Existing Style (But Not Style Refactors)
 - Follow existing conventions of the touched module (naming, error style, return patterns).
 - Do not enforce global “best practices” that the codebase does not already use.
 ### 11.10 Two-Phase Safety Gate (Plan → Patch)
 For non-trivial changes:
 1) Provide a micro-plan (1–5 bullets): what files, what functions, what invariants, what risks.
 2) Implement exactly that plan—no extra improvements.
 ### 11.11 Pre-Response Checklist (Hard Gate)
 Before final output, verify internally:
 - No unresolved symbols / broken imports.
 - No partially updated call sites.
 - No new public surface changes unless requested.
 - No transitional states / TODO placeholders replacing working code.
 - Changes are atomic: the repository remains buildable and runnable.
 - Any behavior change is explicitly stated.
 If any check fails: fix it before responding.
 ### 11.12 Truthfulness Policy (No Hallucinated Claims)
 - Do not claim “this compiles” or “tests pass” unless you actually verified with the available tooling/context.
 - If verification is not possible, state: “Not executed; reasoning-based consistency check only.”
 ### 11.13 Visionary Guardrail: Preserve Optionality
 When multiple valid designs exist, prefer the one that:
 - minimally constrains future evolution,
 - preserves existing extension points,
 - avoids locking the project into a new paradigm,
 - keeps interfaces stable and implementation local.
 Default to reversible changes.
 ### 11.14 Stop Conditions
 STOP and ask targeted questions if:
 - required context is missing,
 - a change would cross module boundaries,
 - a contract might change,
 - concurrency/protocol invariants are unclear,
 - the diff is growing beyond a minimal patch.
 No guessing.
 ### 12. Invariant Preservation
 You MUST explicitly preserve:
 - Thread-safety guarantees (`Send` / `Sync` expectations).
 - Memory safety assumptions (no hidden `unsafe` expansions).
 - Lock ordering and deadlock invariants.
 - State machine correctness (no new invalid transitions).
 - Backward compatibility of serialized formats (if applicable).
 If a change touches concurrency, networking, protocol logic, or state machines,
 you MUST explain why existing invariants remain valid.
 ### 13. Error Handling Policy
 - Do not replace structured errors with generic strings.
 - Preserve existing error propagation semantics.
 - Do not widen or narrow error types without approval.
 - Avoid introducing panics in production paths.
 - Prefer explicit error mapping over implicit conversions.
 ### 14. Test Safety
 - Do not modify existing tests unless the task explicitly requires it.
 - Do not weaken assertions.
 - Preserve determinism in testable components.
 ### 15. Security Constraints
 - Do not weaken cryptographic assumptions.
 - Do not modify key derivation logic without explicit request.
 - Do not change constant-time behavior.
 - Do not introduce logging of secrets.
 - Preserve TLS/MTProto protocol correctness.
 ### 16. Logging Policy
 - Do not introduce excessive logging in hot paths.
 - Do not log sensitive data.
 - Preserve existing log levels and style.
 ### 17. Pre-Response Verification Checklist
 Before producing the final answer, verify internally:
 - The change compiles conceptually.
 - No unresolved symbols exist.
 - All modified call sites are updated.
 - No accidental behavioral changes were introduced.
 - Architectural boundaries remain intact.
 ### 18. Atomic Change Principle
 Every patch must be **atomic and production-safe**.
 * **Self-contained** — no dependency on future patches or unimplemented components.
 * **Build-safe** — the project must compile successfully after the change.
 * **Contract-consistent** — no partial interface or behavioral changes; all dependent code must be updated within the same patch.
 * **No transitional states** — no placeholders, incomplete refactors, or temporary inconsistencies.
 **Invariant:** After any single patch, the repository remains fully functional and buildable.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,5 +1,14 @@
-## Pull Requests - Rules
+# Pull Requests - Rules
 ## General
 - ONLY signed and verified commits
 - ONLY from your name
 - DO NOT commit with `codex` or `claude` as author/commiter
 - PREFER `flow` branch for development, not `main`
 ## AI
 We are not against modern tools, like AI, where you act as a principal or architect, but we consider it important:
 - you really understand what you're doing
 - you understand the relationships and dependencies of the components being modified
 - you understand the architecture of Telegram MTProto, MTProxy, Middle-End KDF at least generically
 - you DO NOT commit for the sake of commits, but to help the community, core-developers and ordinary users
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "telemt"
-version = "3.0.4"
+version = "3.0.11"
 edition = "2024"
 [dependencies]
@@ -20,15 +20,18 @@ sha1 = "0.10"
 md-5 = "0.10"
 hmac = "0.12"
 crc32fast = "1.4"
 crc32c = "0.6"
 zeroize = { version = "1.8", features = ["derive"] }
 # Network
 socket2 = { version = "0.5", features = ["all"] }
 nix = { version = "0.28", default-features = false, features = ["net"] }
 # Serialization
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 toml = "0.8"
 x509-parser = "0.15"
 # Utils
 bytes = "1.9"
@@ -47,13 +50,19 @@ regex = "1.11"
 crossbeam-queue = "0.3"
 num-bigint = "0.4"
 num-traits = "0.2"
 anyhow = "1.0"
 # HTTP
 reqwest = { version = "0.12", features = ["rustls-tls"], default-features = false }
 notify = { version = "6", features = ["macos_fsevent"] }
 ipnetwork = "0.20"
 hyper = { version = "1", features = ["server", "http1"] }
 hyper-util = { version = "0.1", features = ["tokio", "server-auto"] }
 http-body-util = "0.1"
 httpdate = "1.0"
 tokio-rustls = { version = "0.26", default-features = false, features = ["tls12"] }
 rustls = { version = "0.23", default-features = false, features = ["std", "tls12", "ring"] }
 webpki-roots = "0.26"
 [dev-dependencies]
 tokio-test = "0.4"
--- a/README.md
+++ b/README.md
@@ -10,41 +10,77 @@
 ### 🇷🇺 RU
-18 февраля мы опубликовали `telemt 3.0.3`, он имеет:
+#### Драфтинг LTS и текущие улучшения
- улучшенный механизм Middle-End Health Check
+С 21 февраля мы начали подготовку LTS-версии.
 - высокоскоростное восстановление инициализации Middle-End
 - меньше задержек на hot-path
 - более корректную работу в Dualstack, а именно - IPv6 Middle-End
 - аккуратное переподключение клиента без дрифта сессий между Middle-End
 - автоматическая деградация на Direct-DC при массовой (>2 ME-DC-групп) недоступности Middle-End
 - автодетект IP за NAT, при возможности - будет выполнен хендшейк с ME, при неудаче - автодеградация
 - единственный известный специальный DC=203 уже добавлен в код: медиа загружаются с CDN в Direct-DC режиме
-[Здесь вы можете найти релиз](https://github.com/telemt/telemt/releases/tag/3.0.3)
+Мы внимательно анализируем весь доступный фидбек.  
 Наша цель — сделать LTS-кандидаты максимально стабильными, тщательно отлаженными и готовыми к long-run и highload production-сценариям.
-Если у вас есть компетенции в асинхронных сетевых приложениях, анализе трафика, реверс-инжиниринге или сетевых расследованиях - мы открыты к идеям и pull requests!
+---
 #### Улучшения от 23 февраля
 23 февраля были внесены улучшения производительности в режимах **DC** и **Middle-End (ME)**, с акцентом на обратный канал (путь клиент → DC / ME).
 Дополнительно реализован ряд изменений, направленных на повышение устойчивости системы:
 - Смягчение сетевой нестабильности  
 - Повышение устойчивости к десинхронизации криптографии  
 - Снижение дрейфа сессий при неблагоприятных условиях  
 - Улучшение обработки ошибок в edge-case транспортных сценариях  
 Релиз:  
 [3.0.9](https://github.com/telemt/telemt/releases/tag/3.0.9)
 ---
 Если у вас есть компетенции в:
 - Асинхронных сетевых приложениях  
 - Анализе трафика  
 - Реверс-инжиниринге  
 - Сетевых расследованиях  
 Мы открыты к архитектурным предложениям, идеям и pull requests
 </td>
 <td width="50%" valign="top">
 ### 🇬🇧 EN
-On February 18, we released `telemt 3.0.3`. This version introduces:
+#### LTS Drafting and Ongoing Improvements
- improved Middle-End Health Check method  
+Starting February 21, we began drafting the upcoming LTS version.
 - high-speed recovery of Middle-End init
 - reduced latency on the hot path  
 - correct Dualstack support: proper handling of IPv6 Middle-End  
 - *clean* client reconnection without session "drift" between Middle-End
 - automatic degradation to Direct-DC mode in case of large-scale (>2 ME-DC groups) Middle-End unavailability  
 - automatic public IP detection behind NAT; first - Middle-End handshake is performed, otherwise automatic degradation is applied  
 - known special DC=203 is now handled natively: media is delivered from the CDN via Direct-DC mode  
-[Release is available here](https://github.com/telemt/telemt/releases/tag/3.0.3)
+We are carefully reviewing and analyzing all available feedback.  
 The goal is to ensure that LTS candidates are максимально stable, thoroughly debugged, and ready for long-run and high-load production scenarios.
-If you have expertise in asynchronous network applications, traffic analysis, reverse engineering, or network forensics - we welcome ideas and pull requests!
+---
 #### February 23 Improvements
 On February 23, we introduced performance improvements for both **DC** and **Middle-End (ME)** modes, specifically optimizing the reverse channel (client → DC / ME data path).
 Additionally, we implemented a set of robustness enhancements designed to:
 - Mitigate network-related instability
 - Improve resilience against cryptographic desynchronization
 - Reduce session drift under adverse conditions
 - Improve error handling in edge-case transport scenarios
 Release:  
 [3.0.9](https://github.com/telemt/telemt/releases/tag/3.0.9)
 ---
 If you have expertise in:
 - Asynchronous network applications  
 - Traffic analysis  
 - Reverse engineering  
 - Network forensics  
 We welcome ideas, architectural feedback, and pull requests.
 </td>
 </tr>
 </table>
@@ -95,7 +131,7 @@ If you have expertise in asynchronous network applications, traffic analysis, re
 **This software is designed for Debian-based OS: in addition to Debian, these are Ubuntu, Mint, Kali, MX and many other Linux**
 1. Download release
 ```bash
-wget https://github.com/telemt/telemt/releases/latest/download/telemt
+wget -qO- "https://github.com/telemt/telemt/releases/latest/download/telemt-$(uname -m)-linux-$(ldd --version 2>&1 | grep -iq musl && echo musl || echo gnu).tar.gz" | tar -xz
 ```
 2. Move to Bin Folder
 ```bash
@@ -178,101 +214,21 @@ then Ctrl+X -> Y -> Enter to save
 ```toml
 # === General Settings ===
 [general]
-# prefer_ipv6 is deprecated; use [network].prefer
+# ad_tag = "00000000000000000000000000000000"
 prefer_ipv6 = false
 fast_mode = true
 use_middle_proxy = false
 # ad_tag = "..."
 # disable_colors = false  # Disable colored output in logs (useful for files/systemd)
 [network]
 ipv4 = true
 ipv6 = true   # set false to disable, omit for auto
 prefer = 4    # 4 or 6
 multipath = false
 [general.modes]
 classic = false
 secure = false
 tls = true
 # === Server Binding ===
 [server]
 port = 443
 listen_addr_ipv4 = "0.0.0.0"
 listen_addr_ipv6 = "::"
 # metrics_port = 9090
 # metrics_whitelist = ["127.0.0.1", "::1"]
 # Listen on multiple interfaces/IPs (overrides listen_addr_*)
 [[server.listeners]]
 ip = "0.0.0.0"
 # announce = "my.hostname.tld" # Optional: hostname for tg:// links
 # OR
 # announce = "1.2.3.4" # Optional: Public IP for tg:// links
 [[server.listeners]]
 ip = "::"
 # Users to show in the startup log (tg:// links)
 [general.links]
 show = ["hello"]          # Only show links for user "hello"
 # show = ["alice", "bob"] # Only show links for alice and bob
 # show = "*"              # Show links for all users
 # public_host = "proxy.example.com"  # Host (IP or domain) for tg:// links
 # public_port = 443                  # Port for tg:// links (default: server.port)
 # === Timeouts (in seconds) ===
 [timeouts]
 client_handshake = 15
 tg_connect = 10
 client_keepalive = 60
 client_ack = 300
 # === Anti-Censorship & Masking ===
 [censorship]
 tls_domain = "petrovich.ru"
 mask = true
 mask_port = 443
 # mask_host = "petrovich.ru" # Defaults to tls_domain if not set
 # mask_unix_sock = "/var/run/nginx.sock" # Unix socket (mutually exclusive with mask_host)
 fake_cert_len = 2048
 # === Access Control & Users ===
 # username "hello" is used for example
 [access]
 replay_check_len = 65536
 ignore_time_skew = false
 [access.users]
 # format: "username" = "32_hex_chars_secret"
 hello = "00000000000000000000000000000000"
 # [access.user_max_tcp_conns]
 # hello = 50
 # [access.user_data_quota]
 # hello = 1073741824 # 1 GB
 # === Upstreams & Routing ===
 # By default, direct connection is used, but you can add SOCKS proxy
 # Direct - Default
 [[upstreams]]
 type = "direct"
 enabled = true
 weight = 10
 # SOCKS5
 # [[upstreams]]
 # type = "socks5"
 # address = "127.0.0.1:9050"
 # enabled = false
 # weight = 1
 # === DC Address Overrides ===
 # [dc_overrides]
 # "203" = "91.105.192.100:443"
 ```
 ### Advanced
 #### Adtag
--- a/config.toml
+++ b/config.toml
@@ -1,16 +1,21 @@
 # === General Settings ===
 [general]
 # prefer_ipv6 is deprecated; use [network].prefer instead
 prefer_ipv6 = false
 fast_mode = true
 use_middle_proxy = true
-#ad_tag = "00000000000000000000000000000000"
+# ad_tag = "00000000000000000000000000000000"
 # Path to proxy-secret binary (auto-downloaded if missing).
 proxy_secret_path = "proxy-secret"
 # disable_colors = false  # Disable colored output in logs (useful for files/systemd)
-# === Middle Proxy (ME) ===
+# === Log Level ===
 # Log level: debug | verbose | normal | silent
 # Can be overridden with --silent or --log-level CLI flags
 # RUST_LOG env var takes absolute priority over all of these
 log_level = "normal"
 # === Middle Proxy - ME ===
 # Public IP override for ME KDF when behind NAT; leave unset to auto-detect.
-#middle_proxy_nat_ip = "203.0.113.10"
+# middle_proxy_nat_ip = "203.0.113.10"
 # Enable STUN probing to discover public IP:port for ME.
 middle_proxy_nat_probe = true
 # Primary STUN server (host:port); defaults to Telegram STUN when empty.
@@ -38,24 +43,27 @@ me_reconnect_backoff_base_ms = 500        # Backoff start
 me_reconnect_backoff_cap_ms = 30000       # Backoff cap
 me_reconnect_fast_retry_count = 11        # Quick retries before backoff
 [network]
 # Enable/disable families; ipv6 = true/false/auto(None)
 ipv4 = true
 ipv6 = true
 # prefer = 4 or 6
 prefer = 4
 multipath = false
 # Log level: debug | verbose | normal | silent
 # Can be overridden with --silent or --log-level CLI flags
 # RUST_LOG env var takes absolute priority over all of these
 log_level = "normal"
 [general.modes]
 classic = false
 secure = false
 tls = true
 [general.links]
 show = "*"
 # show = ["alice", "bob"] # Only show links for alice and bob
 # show = "*"              # Show links for all users
 # public_host = "proxy.example.com"  # Host (IP or domain) for tg:// links
 # public_port = 443                  # Port for tg:// links (default: server.port)
 # === Network Parameters ===
 [network]
 # Enable/disable families: true/false/auto(None)
 ipv4 = true
 ipv6 = false # UNSTABLE WITH ME
 # prefer = 4 or 6
 prefer = 4
 multipath = false # EXPERIMENTAL!
 # === Server Binding ===
 [server]
 port = 443
@@ -63,23 +71,18 @@ listen_addr_ipv4 = "0.0.0.0"
 listen_addr_ipv6 = "::"
 # listen_unix_sock = "/var/run/telemt.sock" # Unix socket
 # listen_unix_sock_perm = "0666" # Socket file permissions
 # proxy_protocol = false           # Enable if behind HAProxy/nginx with PROXY protocol
 # metrics_port = 9090
 # metrics_whitelist = ["127.0.0.1", "::1"]
-# Listen on multiple interfaces/IPs (overrides listen_addr_*)
+# Listen on multiple interfaces/IPs - IPv4
 [[server.listeners]]
 ip = "0.0.0.0"
 # announce_ip = "1.2.3.4" # Optional: Public IP for tg:// links
 # Listen on multiple interfaces/IPs - IPv6
 [[server.listeners]]
 ip = "::"
 # Users to show in the startup log (tg:// links)
 [general.links]
 show = ["hello"] # Users to show in the startup log (tg:// links)
 # public_host = "proxy.example.com"  # Host (IP or domain) for tg:// links
 # public_port = 443                  # Port for tg:// links (default: server.port)
 # === Timeouts (in seconds) ===
 [timeouts]
 client_handshake = 30
@@ -93,11 +96,14 @@ me_one_timeout_ms = 1200
 # === Anti-Censorship & Masking ===
 [censorship]
 tls_domain = "petrovich.ru"
 # tls_domains = ["example.com", "cdn.example.net"] # Additional domains for EE links
 mask = true
 mask_port = 443
 # mask_host = "petrovich.ru" # Defaults to tls_domain if not set
 # mask_unix_sock = "/var/run/nginx.sock" # Unix socket (mutually exclusive with mask_host)
 fake_cert_len = 2048
 # tls_emulation = false        # Fetch real cert lengths and emulate TLS records
 # tls_front_dir = "tlsfront"   # Cache directory for TLS emulation
 # === Access Control & Users ===
 [access]
@@ -118,11 +124,17 @@ hello = "00000000000000000000000000000000"
 # [access.user_data_quota]
 # hello = 1073741824 # 1 GB
 # [access.user_expirations]
 # format: username = "[year]-[month]-[day]T[hour]:[minute]:[second]Z" UTC
 # hello = "2027-01-01T00:00:00Z"
 # === Upstreams & Routing ===
 [[upstreams]]
 type = "direct"
 enabled = true
 weight = 10
 # interface = "192.168.1.100"           # Bind outgoing to specific IP or iface name
 # bind_addresses = ["192.168.1.100"]    # List for round-robin binding (family must match target)
 # [[upstreams]]
 # type = "socks5"
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -213,6 +213,7 @@ listen_addr_ipv6 = "::"
 [[server.listeners]]
 ip = "0.0.0.0"
 # reuse_allow = false # Set true only when intentionally running multiple telemt instances on same port
 [[server.listeners]]
 ip = "::"
@@ -228,6 +229,7 @@ tls_domain = "{domain}"
 mask = true
 mask_port = 443
 fake_cert_len = 2048
 tls_full_cert_ttl_secs = 90
 [access]
 replay_check_len = 65536
--- a/src/config/defaults.rs
+++ b/src/config/defaults.rs
@@ -1,5 +1,6 @@
 use std::net::IpAddr;
 use std::collections::HashMap;
 use ipnetwork::IpNetwork;
 use serde::Deserialize;
 // Helper defaults kept private to the config module.
@@ -23,6 +24,10 @@ pub(crate) fn default_fake_cert_len() -> usize {
    2048
 }
 pub(crate) fn default_tls_front_dir() -> String {
    "tlsfront".to_string()
 }
 pub(crate) fn default_replay_check_len() -> usize {
    65_536
 }
@@ -62,8 +67,11 @@ pub(crate) fn default_weight() -> u16 {
    1
 }
-pub(crate) fn default_metrics_whitelist() -> Vec<IpAddr> {
+pub(crate) fn default_metrics_whitelist() -> Vec<IpNetwork> {
-    vec!["127.0.0.1".parse().unwrap(), "::1".parse().unwrap()]
+    vec![
        "127.0.0.1/32".parse().unwrap(),
        "::1/128".parse().unwrap(),
    ]
 }
 pub(crate) fn default_prefer_4() -> u8 {
@@ -102,6 +110,79 @@ pub(crate) fn default_reconnect_backoff_cap_ms() -> u64 {
    30_000
 }
 pub(crate) fn default_crypto_pending_buffer() -> usize {
    256 * 1024
 }
 pub(crate) fn default_max_client_frame() -> usize {
    16 * 1024 * 1024
 }
 pub(crate) fn default_tls_new_session_tickets() -> u8 {
    0
 }
 pub(crate) fn default_tls_full_cert_ttl_secs() -> u64 {
    90
 }
 pub(crate) fn default_server_hello_delay_min_ms() -> u64 {
    0
 }
 pub(crate) fn default_server_hello_delay_max_ms() -> u64 {
    0
 }
 pub(crate) fn default_alpn_enforce() -> bool {
    true
 }
 pub(crate) fn default_stun_servers() -> Vec<String> {
    vec![
        "stun.l.google.com:19302".to_string(),
        "stun1.l.google.com:19302".to_string(),
        "stun2.l.google.com:19302".to_string(),
        "stun.stunprotocol.org:3478".to_string(),
        "stun.voip.eutelia.it:3478".to_string(),
    ]
 }
 pub(crate) fn default_http_ip_detect_urls() -> Vec<String> {
    vec![
        "https://ifconfig.me/ip".to_string(),
        "https://api.ipify.org".to_string(),
    ]
 }
 pub(crate) fn default_cache_public_ip_path() -> String {
    "cache/public_ip.txt".to_string()
 }
 pub(crate) fn default_proxy_secret_reload_secs() -> u64 {
    12 * 60 * 60
 }
 pub(crate) fn default_proxy_config_reload_secs() -> u64 {
    12 * 60 * 60
 }
 pub(crate) fn default_ntp_check() -> bool {
    true
 }
 pub(crate) fn default_ntp_servers() -> Vec<String> {
    vec!["pool.ntp.org".to_string()]
 }
 pub(crate) fn default_fast_mode_min_tls_record() -> usize {
    0
 }
 pub(crate) fn default_degradation_min_unavailable_dc_groups() -> u8 {
    2
 }
 // Custom deserializer helpers
 #[derive(Deserialize)]
--- a/src/config/hot_reload.rs
+++ b/src/config/hot_reload.rs
@@ -0,0 +1,421 @@
 //! Hot-reload: watches the config file via inotify (Linux) / FSEvents (macOS)
 //! / ReadDirectoryChangesW (Windows) using the `notify` crate.
 //! SIGHUP is also supported on Unix as an additional manual trigger.
 //!
 //! # What can be reloaded without restart
 //!
 //! | Section   | Field                         | Effect                            |
 //! |-----------|-------------------------------|-----------------------------------|
 //! | `general` | `log_level`                   | Filter updated via `log_level_tx` |
 //! | `general` | `ad_tag`                      | Passed on next connection         |
 //! | `general` | `middle_proxy_pool_size`      | Passed on next connection         |
 //! | `general` | `me_keepalive_*`              | Passed on next connection         |
 //! | `access`  | All user/quota fields         | Effective immediately             |
 //!
 //! Fields that require re-binding sockets (`server.port`, `censorship.*`,
 //! `network.*`, `use_middle_proxy`) are **not** applied; a warning is emitted.
 use std::net::IpAddr;
 use std::path::PathBuf;
 use std::sync::Arc;
 use notify::{EventKind, RecursiveMode, Watcher, recommended_watcher};
 use tokio::sync::{mpsc, watch};
 use tracing::{error, info, warn};
 use crate::config::LogLevel;
 use super::load::ProxyConfig;
 // ── Hot fields ────────────────────────────────────────────────────────────────
 /// Fields that are safe to swap without restarting listeners.
 #[derive(Debug, Clone, PartialEq)]
 pub struct HotFields {
    pub log_level:               LogLevel,
    pub ad_tag:                  Option<String>,
    pub middle_proxy_pool_size:  usize,
    pub me_keepalive_enabled:    bool,
    pub me_keepalive_interval_secs: u64,
    pub me_keepalive_jitter_secs:   u64,
    pub me_keepalive_payload_random: bool,
    pub access:                  crate::config::AccessConfig,
 }
 impl HotFields {
    pub fn from_config(cfg: &ProxyConfig) -> Self {
        Self {
            log_level:               cfg.general.log_level.clone(),
            ad_tag:                  cfg.general.ad_tag.clone(),
            middle_proxy_pool_size:  cfg.general.middle_proxy_pool_size,
            me_keepalive_enabled:    cfg.general.me_keepalive_enabled,
            me_keepalive_interval_secs: cfg.general.me_keepalive_interval_secs,
            me_keepalive_jitter_secs:   cfg.general.me_keepalive_jitter_secs,
            me_keepalive_payload_random: cfg.general.me_keepalive_payload_random,
            access:                  cfg.access.clone(),
        }
    }
 }
 // ── Helpers ───────────────────────────────────────────────────────────────────
 /// Warn if any non-hot fields changed (require restart).
 fn warn_non_hot_changes(old: &ProxyConfig, new: &ProxyConfig) {
    if old.server.port != new.server.port {
        warn!(
            "config reload: server.port changed ({} → {}); restart required",
            old.server.port, new.server.port
        );
    }
    if old.censorship.tls_domain != new.censorship.tls_domain {
        warn!(
            "config reload: censorship.tls_domain changed ('{}' → '{}'); restart required",
            old.censorship.tls_domain, new.censorship.tls_domain
        );
    }
    if old.network.ipv4 != new.network.ipv4 || old.network.ipv6 != new.network.ipv6 {
        warn!("config reload: network.ipv4/ipv6 changed; restart required");
    }
    if old.general.use_middle_proxy != new.general.use_middle_proxy {
        warn!("config reload: use_middle_proxy changed; restart required");
    }
 }
 /// Resolve the public host for link generation — mirrors the logic in main.rs.
 ///
 /// Priority:
 /// 1. `[general.links] public_host` — explicit override in config
 /// 2. `detected_ip_v4` — from STUN/interface probe at startup
 /// 3. `detected_ip_v6` — fallback
 /// 4. `"UNKNOWN"` — warn the user to set `public_host`
 fn resolve_link_host(
    cfg: &ProxyConfig,
    detected_ip_v4: Option<IpAddr>,
    detected_ip_v6: Option<IpAddr>,
 ) -> String {
    if let Some(ref h) = cfg.general.links.public_host {
        return h.clone();
    }
    detected_ip_v4
        .or(detected_ip_v6)
        .map(|ip| ip.to_string())
        .unwrap_or_else(|| {
            warn!(
                "config reload: could not determine public IP for proxy links. \
                 Set [general.links] public_host in config."
            );
            "UNKNOWN".to_string()
        })
 }
 /// Print TG proxy links for a single user — mirrors print_proxy_links() in main.rs.
 fn print_user_links(user: &str, secret: &str, host: &str, port: u16, cfg: &ProxyConfig) {
    info!(target: "telemt::links", "--- New user: {} ---", user);
    if cfg.general.modes.classic {
        info!(
            target: "telemt::links",
            "  Classic: tg://proxy?server={}&port={}&secret={}",
            host, port, secret
        );
    }
    if cfg.general.modes.secure {
        info!(
            target: "telemt::links",
            "  DD:      tg://proxy?server={}&port={}&secret=dd{}",
            host, port, secret
        );
    }
    if cfg.general.modes.tls {
        let mut domains = vec![cfg.censorship.tls_domain.clone()];
        for d in &cfg.censorship.tls_domains {
            if !domains.contains(d) {
                domains.push(d.clone());
            }
        }
        for domain in &domains {
            let domain_hex = hex::encode(domain.as_bytes());
            info!(
                target: "telemt::links",
                "  EE-TLS:  tg://proxy?server={}&port={}&secret=ee{}{}",
                host, port, secret, domain_hex
            );
        }
    }
    info!(target: "telemt::links", "--------------------");
 }
 /// Log all detected changes and emit TG links for new users.
 fn log_changes(
    old_hot: &HotFields,
    new_hot: &HotFields,
    new_cfg: &ProxyConfig,
    log_tx: &watch::Sender<LogLevel>,
    detected_ip_v4: Option<IpAddr>,
    detected_ip_v6: Option<IpAddr>,
 ) {
    if old_hot.log_level != new_hot.log_level {
        info!(
            "config reload: log_level: '{}' → '{}'",
            old_hot.log_level, new_hot.log_level
        );
        log_tx.send(new_hot.log_level.clone()).ok();
    }
    if old_hot.ad_tag != new_hot.ad_tag {
        info!(
            "config reload: ad_tag: {} → {}",
            old_hot.ad_tag.as_deref().unwrap_or("none"),
            new_hot.ad_tag.as_deref().unwrap_or("none"),
        );
    }
    if old_hot.middle_proxy_pool_size != new_hot.middle_proxy_pool_size {
        info!(
            "config reload: middle_proxy_pool_size: {} → {}",
            old_hot.middle_proxy_pool_size, new_hot.middle_proxy_pool_size,
        );
    }
    if old_hot.me_keepalive_enabled        != new_hot.me_keepalive_enabled
    || old_hot.me_keepalive_interval_secs  != new_hot.me_keepalive_interval_secs
    || old_hot.me_keepalive_jitter_secs    != new_hot.me_keepalive_jitter_secs
    || old_hot.me_keepalive_payload_random != new_hot.me_keepalive_payload_random
    {
        info!(
            "config reload: me_keepalive: enabled={} interval={}s jitter={}s random_payload={}",
            new_hot.me_keepalive_enabled,
            new_hot.me_keepalive_interval_secs,
            new_hot.me_keepalive_jitter_secs,
            new_hot.me_keepalive_payload_random,
        );
    }
    if old_hot.access.users != new_hot.access.users {
        let mut added: Vec<&String> = new_hot.access.users.keys()
            .filter(|u| !old_hot.access.users.contains_key(*u))
            .collect();
        added.sort();
        let mut removed: Vec<&String> = old_hot.access.users.keys()
            .filter(|u| !new_hot.access.users.contains_key(*u))
            .collect();
        removed.sort();
        let mut changed: Vec<&String> = new_hot.access.users.keys()
            .filter(|u| {
                old_hot.access.users.get(*u)
                    .map(|s| s != &new_hot.access.users[*u])
                    .unwrap_or(false)
            })
            .collect();
        changed.sort();
        if !added.is_empty() {
            info!(
                "config reload: users added: [{}]",
                added.iter().map(|s| s.as_str()).collect::<Vec<_>>().join(", ")
            );
            let host = resolve_link_host(new_cfg, detected_ip_v4, detected_ip_v6);
            let port = new_cfg.general.links.public_port.unwrap_or(new_cfg.server.port);
            for user in &added {
                if let Some(secret) = new_hot.access.users.get(*user) {
                    print_user_links(user, secret, &host, port, new_cfg);
                }
            }
        }
        if !removed.is_empty() {
            info!(
                "config reload: users removed: [{}]",
                removed.iter().map(|s| s.as_str()).collect::<Vec<_>>().join(", ")
            );
        }
        if !changed.is_empty() {
            info!(
                "config reload: users secret changed: [{}]",
                changed.iter().map(|s| s.as_str()).collect::<Vec<_>>().join(", ")
            );
        }
    }
    if old_hot.access.user_max_tcp_conns != new_hot.access.user_max_tcp_conns {
        info!(
            "config reload: user_max_tcp_conns updated ({} entries)",
            new_hot.access.user_max_tcp_conns.len()
        );
    }
    if old_hot.access.user_expirations != new_hot.access.user_expirations {
        info!(
            "config reload: user_expirations updated ({} entries)",
            new_hot.access.user_expirations.len()
        );
    }
    if old_hot.access.user_data_quota != new_hot.access.user_data_quota {
        info!(
            "config reload: user_data_quota updated ({} entries)",
            new_hot.access.user_data_quota.len()
        );
    }
    if old_hot.access.user_max_unique_ips != new_hot.access.user_max_unique_ips {
        info!(
            "config reload: user_max_unique_ips updated ({} entries)",
            new_hot.access.user_max_unique_ips.len()
        );
    }
 }
 /// Load config, validate, diff against current, and broadcast if changed.
 fn reload_config(
    config_path: &PathBuf,
    config_tx: &watch::Sender<Arc<ProxyConfig>>,
    log_tx: &watch::Sender<LogLevel>,
    detected_ip_v4: Option<IpAddr>,
    detected_ip_v6: Option<IpAddr>,
 ) {
    let new_cfg = match ProxyConfig::load(config_path) {
        Ok(c) => c,
        Err(e) => {
            error!("config reload: failed to parse {:?}: {}", config_path, e);
            return;
        }
    };
    if let Err(e) = new_cfg.validate() {
        error!("config reload: validation failed: {}; keeping old config", e);
        return;
    }
    let old_cfg = config_tx.borrow().clone();
    let old_hot = HotFields::from_config(&old_cfg);
    let new_hot = HotFields::from_config(&new_cfg);
    if old_hot == new_hot {
        return;
    }
    warn_non_hot_changes(&old_cfg, &new_cfg);
    log_changes(&old_hot, &new_hot, &new_cfg, log_tx, detected_ip_v4, detected_ip_v6);
    config_tx.send(Arc::new(new_cfg)).ok();
 }
 // ── Public API ────────────────────────────────────────────────────────────────
 /// Spawn the hot-reload watcher task.
 ///
 /// Uses `notify` (inotify on Linux) to detect file changes instantly.
 /// SIGHUP is also handled on Unix as an additional manual trigger.
 ///
 /// `detected_ip_v4` / `detected_ip_v6` are the IPs discovered during the
 /// startup probe — used when generating proxy links for newly added users,
 /// matching the same logic as the startup output.
 pub fn spawn_config_watcher(
    config_path: PathBuf,
    initial: Arc<ProxyConfig>,
    detected_ip_v4: Option<IpAddr>,
    detected_ip_v6: Option<IpAddr>,
 ) -> (watch::Receiver<Arc<ProxyConfig>>, watch::Receiver<LogLevel>) {
    let initial_level = initial.general.log_level.clone();
    let (config_tx, config_rx) = watch::channel(initial);
    let (log_tx, log_rx)       = watch::channel(initial_level);
    // Bridge: sync notify callbacks → async task via mpsc.
    let (notify_tx, mut notify_rx) = mpsc::channel::<()>(4);
    // Canonicalize so path matches what notify returns (absolute) in events.
    let config_path = match config_path.canonicalize() {
        Ok(p) => p,
        Err(_) => config_path.to_path_buf(),
    };
    // Watch the parent directory rather than the file itself, because many
    // editors (vim, nano) and systemd write via rename, which would cause
    // inotify to lose track of the original inode.
    let watch_dir = config_path
        .parent()
        .unwrap_or_else(|| std::path::Path::new("."))
        .to_path_buf();
    // ── inotify watcher (instant on local fs) ────────────────────────────
    let config_file = config_path.clone();
    let tx_inotify  = notify_tx.clone();
    let inotify_ok = match recommended_watcher(move |res: notify::Result<notify::Event>| {
        let Ok(event) = res else { return };
        let is_our_file = event.paths.iter().any(|p| p == &config_file);
        if !is_our_file { return; }
        if matches!(event.kind, EventKind::Modify(_) | EventKind::Create(_) | EventKind::Remove(_)) {
            let _ = tx_inotify.try_send(());
        }
    }) {
        Ok(mut w) => match w.watch(&watch_dir, RecursiveMode::NonRecursive) {
            Ok(()) => {
                info!("config watcher: inotify active on {:?}", config_path);
                Box::leak(Box::new(w));
                true
            }
            Err(e) => { warn!("config watcher: inotify watch failed: {}", e); false }
        },
        Err(e) => { warn!("config watcher: inotify unavailable: {}", e); false }
    };
    // ── poll watcher (always active, fixes Docker bind mounts / NFS) ─────
    // inotify does not receive events for files mounted from the host into
    // a container. PollWatcher compares file contents every 3 s and fires
    // on any change regardless of the underlying fs.
    let config_file2 = config_path.clone();
    let tx_poll      = notify_tx.clone();
    match notify::poll::PollWatcher::new(
        move |res: notify::Result<notify::Event>| {
            let Ok(event) = res else { return };
            let is_our_file = event.paths.iter().any(|p| p == &config_file2);
            if !is_our_file { return; }
            if matches!(event.kind, EventKind::Modify(_) | EventKind::Create(_) | EventKind::Remove(_)) {
                let _ = tx_poll.try_send(());
            }
        },
        notify::Config::default()
            .with_poll_interval(std::time::Duration::from_secs(3))
            .with_compare_contents(true),
    ) {
        Ok(mut w) => match w.watch(&config_path, RecursiveMode::NonRecursive) {
            Ok(()) => {
                if inotify_ok {
                    info!("config watcher: poll watcher also active (Docker/NFS safe)");
                } else {
                    info!("config watcher: poll watcher active on {:?} (3s interval)", config_path);
                }
                Box::leak(Box::new(w));
            }
            Err(e) => warn!("config watcher: poll watch failed: {}", e),
        },
        Err(e) => warn!("config watcher: poll watcher unavailable: {}", e),
    }
    // ── event loop ───────────────────────────────────────────────────────
    tokio::spawn(async move {
        #[cfg(unix)]
        let mut sighup = {
            use tokio::signal::unix::{SignalKind, signal};
            signal(SignalKind::hangup()).expect("Failed to register SIGHUP handler")
        };
        loop {
            #[cfg(unix)]
            tokio::select! {
                msg = notify_rx.recv() => {
                    if msg.is_none() { break; }
                }
                _ = sighup.recv() => {
                    info!("SIGHUP received — reloading {:?}", config_path);
                }
            }
            #[cfg(not(unix))]
            if notify_rx.recv().await.is_none() { break; }
            // Debounce: drain extra events that arrive within 50 ms.
            tokio::time::sleep(std::time::Duration::from_millis(50)).await;
            while notify_rx.try_recv().is_ok() {}
            reload_config(&config_path, &config_tx, &log_tx, detected_ip_v4, detected_ip_v6);
        }
    });
    (config_rx, log_rx)
 }
--- a/src/config/load.rs
+++ b/src/config/load.rs
@@ -163,6 +163,21 @@ impl ProxyConfig {
            config.censorship.mask_host = Some(config.censorship.tls_domain.clone());
        }
        // Merge primary + extra TLS domains, deduplicate (primary always first).
        if !config.censorship.tls_domains.is_empty() {
            let mut all = Vec::with_capacity(1 + config.censorship.tls_domains.len());
            all.push(config.censorship.tls_domain.clone());
            for d in std::mem::take(&mut config.censorship.tls_domains) {
                if !d.is_empty() && !all.contains(&d) {
                    all.push(d);
                }
            }
            // keep primary as tls_domain; store remaining back to tls_domains
            if all.len() > 1 {
                config.censorship.tls_domains = all[1..].to_vec();
            }
        }
        // Migration: prefer_ipv6 -> network.prefer.
        if config.general.prefer_ipv6 {
            if config.network.prefer == 4 {
@@ -179,8 +194,12 @@ impl ProxyConfig {
        validate_network_cfg(&mut config.network)?;
        if config.general.use_middle_proxy && config.network.ipv6 == Some(true) {
            warn!("IPv6 with Middle Proxy is experimental and may cause KDF address mismatch; consider disabling IPv6 or ME");
        }
        // Random fake_cert_len only when default is in use.
-        if config.censorship.fake_cert_len == default_fake_cert_len() {
+        if !config.censorship.tls_emulation && config.censorship.fake_cert_len == default_fake_cert_len() {
            config.censorship.fake_cert_len = rand::rng().gen_range(1024..4096);
        }
@@ -207,6 +226,8 @@ impl ProxyConfig {
                    ip: ipv4,
                    announce: None,
                    announce_ip: None,
                    proxy_protocol: None,
                    reuse_allow: false,
                });
            }
            if let Some(ipv6_str) = &config.server.listen_addr_ipv6 {
@@ -215,6 +236,8 @@ impl ProxyConfig {
                        ip: ipv6,
                        announce: None,
                        announce_ip: None,
                        proxy_protocol: None,
                        reuse_allow: false,
                    });
                }
            }
@@ -235,7 +258,7 @@ impl ProxyConfig {
        // Migration: Populate upstreams if empty (Default Direct).
        if config.upstreams.is_empty() {
            config.upstreams.push(UpstreamConfig {
-                upstream_type: UpstreamType::Direct { interface: None },
+                upstream_type: UpstreamType::Direct { interface: None, bind_addresses: None },
                weight: 1,
                enabled: true,
                scopes: String::new(),
--- a/src/config/mod.rs
+++ b/src/config/mod.rs
@@ -3,6 +3,7 @@
 pub(crate) mod defaults;
 mod types;
 mod load;
 pub mod hot_reload;
 pub use load::ProxyConfig;
 pub use types::*;
--- a/src/config/types.rs
+++ b/src/config/types.rs
@@ -1,4 +1,5 @@
 use chrono::{DateTime, Utc};
 use ipnetwork::IpNetwork;
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::net::IpAddr;
@@ -73,8 +74,8 @@ pub struct ProxyModes {
 impl Default for ProxyModes {
    fn default() -> Self {
        Self {
-            classic: true,
+            classic: false,
-            secure: true,
+            secure: false,
            tls: true,
        }
    }
@@ -95,15 +96,35 @@ pub struct NetworkConfig {
    #[serde(default)]
    pub multipath: bool,
    /// STUN servers list for public IP discovery.
    #[serde(default = "default_stun_servers")]
    pub stun_servers: Vec<String>,
    /// Enable TCP STUN fallback when UDP is blocked.
    #[serde(default)]
    pub stun_tcp_fallback: bool,
    /// HTTP-based public IP detection endpoints (fallback after STUN).
    #[serde(default = "default_http_ip_detect_urls")]
    pub http_ip_detect_urls: Vec<String>,
    /// Cache file path for detected public IP.
    #[serde(default = "default_cache_public_ip_path")]
    pub cache_public_ip_path: String,
 }
 impl Default for NetworkConfig {
    fn default() -> Self {
        Self {
            ipv4: true,
-            ipv6: None,
+            ipv6: Some(false),
            prefer: 4,
            multipath: false,
            stun_servers: default_stun_servers(),
            stun_tcp_fallback: true,
            http_ip_detect_urls: default_http_ip_detect_urls(),
            cache_public_ip_path: default_cache_public_ip_path(),
        }
    }
 }
@@ -171,6 +192,15 @@ pub struct GeneralConfig {
    #[serde(default = "default_true")]
    pub me_keepalive_payload_random: bool,
    /// Max pending ciphertext buffer per client writer (bytes).
    /// Controls FakeTLS backpressure vs throughput.
    #[serde(default = "default_crypto_pending_buffer")]
    pub crypto_pending_buffer: usize,
    /// Maximum allowed client MTProto frame size (bytes).
    #[serde(default = "default_max_client_frame")]
    pub max_client_frame: usize,
    /// Enable staggered warmup of extra ME writers.
    #[serde(default = "default_true")]
    pub me_warmup_stagger_enabled: bool,
@@ -217,6 +247,34 @@ pub struct GeneralConfig {
    /// [general.links] — proxy link generation overrides.
    #[serde(default)]
    pub links: LinksConfig,
    /// Minimum TLS record size when fast_mode coalescing is enabled (0 = disabled).
    #[serde(default = "default_fast_mode_min_tls_record")]
    pub fast_mode_min_tls_record: usize,
    /// Automatically reload proxy-secret every N seconds.
    #[serde(default = "default_proxy_secret_reload_secs")]
    pub proxy_secret_auto_reload_secs: u64,
    /// Automatically reload proxy-multi.conf every N seconds.
    #[serde(default = "default_proxy_config_reload_secs")]
    pub proxy_config_auto_reload_secs: u64,
    /// Enable NTP drift check at startup.
    #[serde(default = "default_ntp_check")]
    pub ntp_check: bool,
    /// NTP servers for drift check.
    #[serde(default = "default_ntp_servers")]
    pub ntp_servers: Vec<String>,
    /// Enable auto-degradation from ME to Direct-DC.
    #[serde(default = "default_true")]
    pub auto_degradation_enabled: bool,
    /// Minimum unavailable ME DC groups before degrading.
    #[serde(default = "default_degradation_min_unavailable_dc_groups")]
    pub degradation_min_unavailable_dc_groups: u8,
 }
 impl Default for GeneralConfig {
@@ -233,7 +291,7 @@ impl Default for GeneralConfig {
            middle_proxy_nat_stun: None,
            middle_proxy_nat_stun_servers: Vec::new(),
            middle_proxy_pool_size: default_pool_size(),
-            middle_proxy_warm_standby: 0,
+            middle_proxy_warm_standby: 8,
            me_keepalive_enabled: true,
            me_keepalive_interval_secs: default_keepalive_interval(),
            me_keepalive_jitter_secs: default_keepalive_jitter(),
@@ -241,15 +299,24 @@ impl Default for GeneralConfig {
            me_warmup_stagger_enabled: true,
            me_warmup_step_delay_ms: default_warmup_step_delay_ms(),
            me_warmup_step_jitter_ms: default_warmup_step_jitter_ms(),
-            me_reconnect_max_concurrent_per_dc: 1,
+            me_reconnect_max_concurrent_per_dc: 4,
            me_reconnect_backoff_base_ms: default_reconnect_backoff_base_ms(),
            me_reconnect_backoff_cap_ms: default_reconnect_backoff_cap_ms(),
-            me_reconnect_fast_retry_count: 1,
+            me_reconnect_fast_retry_count: 8,
            stun_iface_mismatch_ignore: false,
            unknown_dc_log_path: default_unknown_dc_log_path(),
            log_level: LogLevel::Normal,
            disable_colors: false,
            links: LinksConfig::default(),
            crypto_pending_buffer: default_crypto_pending_buffer(),
            max_client_frame: default_max_client_frame(),
            fast_mode_min_tls_record: default_fast_mode_min_tls_record(),
            proxy_secret_auto_reload_secs: default_proxy_secret_reload_secs(),
            proxy_config_auto_reload_secs: default_proxy_config_reload_secs(),
            ntp_check: default_ntp_check(),
            ntp_servers: default_ntp_servers(),
            auto_degradation_enabled: true,
            degradation_min_unavailable_dc_groups: default_degradation_min_unavailable_dc_groups(),
        }
    }
 }
@@ -295,11 +362,16 @@ pub struct ServerConfig {
    #[serde(default)]
    pub listen_tcp: Option<bool>,
    /// Accept HAProxy PROXY protocol headers on incoming connections.
    /// When enabled, real client IPs are extracted from PROXY v1/v2 headers.
    #[serde(default)]
    pub proxy_protocol: bool,
    #[serde(default)]
    pub metrics_port: Option<u16>,
    #[serde(default = "default_metrics_whitelist")]
-    pub metrics_whitelist: Vec<IpAddr>,
+    pub metrics_whitelist: Vec<IpNetwork>,
    #[serde(default)]
    pub listeners: Vec<ListenerConfig>,
@@ -314,6 +386,7 @@ impl Default for ServerConfig {
            listen_unix_sock: None,
            listen_unix_sock_perm: None,
            listen_tcp: None,
            proxy_protocol: false,
            metrics_port: None,
            metrics_whitelist: default_metrics_whitelist(),
            listeners: Vec::new(),
@@ -362,6 +435,10 @@ pub struct AntiCensorshipConfig {
    #[serde(default = "default_tls_domain")]
    pub tls_domain: String,
    /// Additional TLS domains for generating multiple proxy links.
    #[serde(default)]
    pub tls_domains: Vec<String>,
    #[serde(default = "default_true")]
    pub mask: bool,
@@ -376,22 +453,60 @@ pub struct AntiCensorshipConfig {
    #[serde(default = "default_fake_cert_len")]
    pub fake_cert_len: usize,
    /// Enable TLS certificate emulation using cached real certificates.
    #[serde(default)]
    pub tls_emulation: bool,
    /// Directory to store TLS front cache (on disk).
    #[serde(default = "default_tls_front_dir")]
    pub tls_front_dir: String,
    /// Minimum server_hello delay in milliseconds (anti-fingerprint).
    #[serde(default = "default_server_hello_delay_min_ms")]
    pub server_hello_delay_min_ms: u64,
    /// Maximum server_hello delay in milliseconds.
    #[serde(default = "default_server_hello_delay_max_ms")]
    pub server_hello_delay_max_ms: u64,
    /// Number of NewSessionTicket messages to emit post-handshake.
    #[serde(default = "default_tls_new_session_tickets")]
    pub tls_new_session_tickets: u8,
    /// TTL in seconds for sending full certificate payload per client IP.
    /// First client connection per (SNI domain, client IP) gets full cert payload.
    /// Subsequent handshakes within TTL use compact cert metadata payload.
    #[serde(default = "default_tls_full_cert_ttl_secs")]
    pub tls_full_cert_ttl_secs: u64,
    /// Enforce ALPN echo of client preference.
    #[serde(default = "default_alpn_enforce")]
    pub alpn_enforce: bool,
 }
 impl Default for AntiCensorshipConfig {
    fn default() -> Self {
        Self {
            tls_domain: default_tls_domain(),
            tls_domains: Vec::new(),
            mask: true,
            mask_host: None,
            mask_port: default_mask_port(),
            mask_unix_sock: None,
            fake_cert_len: default_fake_cert_len(),
            tls_emulation: false,
            tls_front_dir: default_tls_front_dir(),
            server_hello_delay_min_ms: default_server_hello_delay_min_ms(),
            server_hello_delay_max_ms: default_server_hello_delay_max_ms(),
            tls_new_session_tickets: default_tls_new_session_tickets(),
            tls_full_cert_ttl_secs: default_tls_full_cert_ttl_secs(),
            alpn_enforce: default_alpn_enforce(),
        }
    }
 }
-#[derive(Debug, Clone, Serialize, Deserialize)]
+#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
 pub struct AccessConfig {
    #[serde(default)]
    pub users: HashMap<String, String>,
@@ -446,6 +561,8 @@ pub enum UpstreamType {
    Direct {
        #[serde(default)]
        interface: Option<String>,
        #[serde(default)]
        bind_addresses: Option<Vec<String>>,
    },
    Socks4 {
        address: String,
@@ -490,6 +607,13 @@ pub struct ListenerConfig {
    /// Migrated to `announce` automatically if `announce` is not set.
    #[serde(default)]
    pub announce_ip: Option<IpAddr>,
    /// Per-listener PROXY protocol override. When set, overrides global server.proxy_protocol.
    #[serde(default)]
    pub proxy_protocol: Option<bool>,
    /// Allow multiple telemt instances to listen on the same IP:port (SO_REUSEPORT).
    /// Default is false for safety.
    #[serde(default)]
    pub reuse_allow: bool,
 }
 // ============= ShowLink =============
--- a/src/crypto/hash.rs
+++ b/src/crypto/hash.rs
@@ -55,6 +55,11 @@ pub fn crc32(data: &[u8]) -> u32 {
    crc32fast::hash(data)
 }
 /// CRC32C (Castagnoli)
 pub fn crc32c(data: &[u8]) -> u32 {
    crc32c::crc32c(data)
 }
 /// Build the exact prekey buffer used by Telegram Middle Proxy KDF.
 ///
 /// Returned buffer layout (IPv4):
--- a/src/crypto/mod.rs
+++ b/src/crypto/mod.rs
@@ -5,5 +5,8 @@ pub mod hash;
 pub mod random;
 pub use aes::{AesCtr, AesCbc};
-pub use hash::{sha256, sha256_hmac, sha1, md5, crc32, derive_middleproxy_keys, build_middleproxy_prekey};
+pub use hash::{
    build_middleproxy_prekey, crc32, crc32c, derive_middleproxy_keys, md5, sha1, sha256,
    sha256_hmac,
 };
 pub use random::SecureRandom;
--- a/src/crypto/random.rs
+++ b/src/crypto/random.rs
@@ -49,19 +49,32 @@ impl SecureRandom {
        }
    }
-    /// Generate random bytes
+    /// Fill a caller-provided buffer with random bytes.
-    pub fn bytes(&self, len: usize) -> Vec<u8> {
+    pub fn fill(&self, out: &mut [u8]) {
        let mut inner = self.inner.lock();
        const CHUNK_SIZE: usize = 512;
-        
+
-        while inner.buffer.len() < len {
+        let mut written = 0usize;
-            let mut chunk = vec![0u8; CHUNK_SIZE];
+        while written < out.len() {
-            inner.rng.fill_bytes(&mut chunk);
+            if inner.buffer.is_empty() {
-            inner.cipher.apply(&mut chunk);
+                let mut chunk = vec![0u8; CHUNK_SIZE];
-            inner.buffer.extend_from_slice(&chunk);
+                inner.rng.fill_bytes(&mut chunk);
                inner.cipher.apply(&mut chunk);
                inner.buffer.extend_from_slice(&chunk);
            }
            let take = (out.len() - written).min(inner.buffer.len());
            out[written..written + take].copy_from_slice(&inner.buffer[..take]);
            inner.buffer.drain(..take);
            written += take;
        }
-        
+    }
-        inner.buffer.drain(..len).collect()
+
    /// Generate random bytes
    pub fn bytes(&self, len: usize) -> Vec<u8> {
        let mut out = vec![0u8; len];
        self.fill(&mut out);
        out
    }
    /// Generate random number in range [0, max)
--- a/src/main.rs
+++ b/src/main.rs
@@ -3,6 +3,7 @@
 use std::net::SocketAddr;
 use std::sync::Arc;
 use std::time::Duration;
 use rand::Rng;
 use tokio::net::TcpListener;
 use tokio::signal;
 use tokio::sync::Semaphore;
@@ -23,9 +24,11 @@ mod proxy;
 mod stats;
 mod stream;
 mod transport;
 mod tls_front;
 mod util;
 use crate::config::{LogLevel, ProxyConfig};
 use crate::config::hot_reload::spawn_config_watcher;
 use crate::crypto::SecureRandom;
 use crate::ip_tracker::UserIpTracker;
 use crate::network::probe::{decide_network_capabilities, log_probe_result, run_probe};
@@ -35,7 +38,8 @@ use crate::stream::BufferPool;
 use crate::transport::middle_proxy::{
    MePool, fetch_proxy_config, run_me_ping, MePingFamily, MePingSample, format_sample_line,
 };
-use crate::transport::{ListenOptions, UpstreamManager, create_listener};
+use crate::transport::{ListenOptions, UpstreamManager, create_listener, find_listener_processes};
 use crate::tls_front::TlsFrontCache;
 fn parse_cli() -> (String, bool, Option<String>) {
    let mut config_path = "config.toml".to_string();
@@ -129,12 +133,22 @@ fn print_proxy_links(host: &str, port: u16, config: &ProxyConfig) {
                );
            }
            if config.general.modes.tls {
-                let domain_hex = hex::encode(&config.censorship.tls_domain);
+                let mut domains = Vec::with_capacity(1 + config.censorship.tls_domains.len());
-                info!(
+                domains.push(config.censorship.tls_domain.clone());
-                    target: "telemt::links",
+                for d in &config.censorship.tls_domains {
-                    "  EE-TLS:  tg://proxy?server={}&port={}&secret=ee{}{}",
+                    if !domains.contains(d) {
-                    host, port, secret, domain_hex
+                        domains.push(d.clone());
-                );
+                    }
                }
                for domain in domains {
                    let domain_hex = hex::encode(&domain);
                    info!(
                        target: "telemt::links",
                        "  EE-TLS:  tg://proxy?server={}&port={}&secret=ee{}{}",
                        host, port, secret, domain_hex
                    );
                }
            }
        } else {
            warn!(target: "telemt::links", "User '{}' in show_link not found", user_name);
@@ -199,6 +213,9 @@ async fn main() -> std::result::Result<(), Box<dyn std::error::Error>> {
        "Modes: classic={} secure={} tls={}",
        config.general.modes.classic, config.general.modes.secure, config.general.modes.tls
    );
    if config.general.modes.classic {
        warn!("Classic mode is vulnerable to DPI detection; enable only for legacy clients");
    }
    info!("TLS domain: {}", config.censorship.tls_domain);
    if let Some(ref sock) = config.censorship.mask_unix_sock {
        info!("Mask: {} -> unix:{}", config.censorship.mask, sock);
@@ -248,7 +265,7 @@ async fn main() -> std::result::Result<(), Box<dyn std::error::Error>> {
    }
    // Connection concurrency limit
-    let _max_connections = Arc::new(Semaphore::new(10_000));
+    let max_connections = Arc::new(Semaphore::new(10_000));
    if use_middle_proxy && !decision.ipv4_me && !decision.ipv6_me {
        warn!("No usable IP family for Middle Proxy detected; falling back to direct DC");
@@ -425,6 +442,74 @@ match crate::transport::middle_proxy::fetch_proxy_secret(proxy_secret_path).awai
    let upstream_manager = Arc::new(UpstreamManager::new(config.upstreams.clone()));
    let buffer_pool = Arc::new(BufferPool::with_config(16 * 1024, 4096));
    // TLS front cache (optional emulation)
    let mut tls_domains = Vec::with_capacity(1 + config.censorship.tls_domains.len());
    tls_domains.push(config.censorship.tls_domain.clone());
    for d in &config.censorship.tls_domains {
        if !tls_domains.contains(d) {
            tls_domains.push(d.clone());
        }
    }
    let tls_cache: Option<Arc<TlsFrontCache>> = if config.censorship.tls_emulation {
        let cache = Arc::new(TlsFrontCache::new(
            &tls_domains,
            config.censorship.fake_cert_len,
            &config.censorship.tls_front_dir,
        ));
        cache.load_from_disk().await;
        let port = config.censorship.mask_port;
        let mask_host = config.censorship.mask_host.clone()
            .unwrap_or_else(|| config.censorship.tls_domain.clone());
        // Initial synchronous fetch to warm cache before serving clients.
        for domain in tls_domains.clone() {
            match crate::tls_front::fetcher::fetch_real_tls(
                &mask_host,
                port,
                &domain,
                Duration::from_secs(5),
                Some(upstream_manager.clone()),
            )
            .await
            {
                Ok(res) => cache.update_from_fetch(&domain, res).await,
                Err(e) => warn!(domain = %domain, error = %e, "TLS emulation fetch failed"),
            }
        }
        // Periodic refresh with jitter.
        let cache_clone = cache.clone();
        let domains = tls_domains.clone();
        let upstream_for_task = upstream_manager.clone();
        tokio::spawn(async move {
            loop {
                let base_secs = rand::rng().random_range(4 * 3600..=6 * 3600);
                let jitter_secs = rand::rng().random_range(0..=7200);
                tokio::time::sleep(Duration::from_secs(base_secs + jitter_secs)).await;
                for domain in &domains {
                    match crate::tls_front::fetcher::fetch_real_tls(
                        &mask_host,
                        port,
                        domain,
                        Duration::from_secs(5),
                        Some(upstream_for_task.clone()),
                    )
                    .await
                    {
                        Ok(res) => cache_clone.update_from_fetch(domain, res).await,
                        Err(e) => warn!(domain = %domain, error = %e, "TLS emulation refresh failed"),
                    }
                }
            }
        });
        Some(cache)
    } else {
        None
    };
    // Middle-End ping before DC connectivity
    if let Some(ref pool) = me_pool {
        let me_results = run_me_ping(pool, &rng).await;
@@ -604,6 +689,19 @@ match crate::transport::middle_proxy::fetch_proxy_secret(proxy_secret_path).awai
        detected_ip_v4, detected_ip_v6
    );
    // ── Hot-reload watcher ────────────────────────────────────────────────
    // Uses inotify to detect file changes instantly (SIGHUP also works).
    // detected_ip_v4/v6 are passed so newly added users get correct TG links.
    let (config_rx, mut log_level_rx): (
        tokio::sync::watch::Receiver<Arc<ProxyConfig>>,
        tokio::sync::watch::Receiver<LogLevel>,
    ) = spawn_config_watcher(
        std::path::PathBuf::from(&config_path),
        config.clone(),
        detected_ip_v4,
        detected_ip_v6,
    );
    let mut listeners = Vec::new();
    for listener_conf in &config.server.listeners {
@@ -617,6 +715,7 @@ match crate::transport::middle_proxy::fetch_proxy_secret(proxy_secret_path).awai
            continue;
        }
        let options = ListenOptions {
            reuse_port: listener_conf.reuse_allow,
            ipv6_only: listener_conf.ip.is_ipv6(),
            ..Default::default()
        };
@@ -625,6 +724,8 @@ match crate::transport::middle_proxy::fetch_proxy_secret(proxy_secret_path).awai
            Ok(socket) => {
                let listener = TcpListener::from_std(socket.into())?;
                info!("Listening on {}", addr);
                let listener_proxy_protocol =
                    listener_conf.proxy_protocol.unwrap_or(config.server.proxy_protocol);
                // Resolve the public host for link generation
                let public_host = if let Some(ref announce) = listener_conf.announce {
@@ -650,10 +751,36 @@ match crate::transport::middle_proxy::fetch_proxy_secret(proxy_secret_path).awai
                    print_proxy_links(&public_host, link_port, &config);
                }
-                listeners.push(listener);
+                listeners.push((listener, listener_proxy_protocol));
            }
            Err(e) => {
-                error!("Failed to bind to {}: {}", addr, e);
+                if e.kind() == std::io::ErrorKind::AddrInUse {
                    let owners = find_listener_processes(addr);
                    if owners.is_empty() {
                        error!(
                            %addr,
                            "Failed to bind: address already in use (owner process unresolved)"
                        );
                    } else {
                        for owner in owners {
                            error!(
                                %addr,
                                pid = owner.pid,
                                process = %owner.process,
                                "Failed to bind: address already in use"
                            );
                        }
                    }
                    if !listener_conf.reuse_allow {
                        error!(
                            %addr,
                            "reuse_allow=false; set [[server.listeners]].reuse_allow=true to allow multi-instance listening"
                        );
                    }
                } else {
                    error!("Failed to bind to {}: {}", addr, e);
                }
            }
        }
    }
@@ -708,14 +835,16 @@ match crate::transport::middle_proxy::fetch_proxy_secret(proxy_secret_path).awai
        has_unix_listener = true;
-        let config = config.clone();
+        let mut config_rx_unix: tokio::sync::watch::Receiver<Arc<ProxyConfig>> = config_rx.clone();
        let stats = stats.clone();
        let upstream_manager = upstream_manager.clone();
        let replay_checker = replay_checker.clone();
        let buffer_pool = buffer_pool.clone();
        let rng = rng.clone();
        let me_pool = me_pool.clone();
        let tls_cache = tls_cache.clone();
        let ip_tracker = ip_tracker.clone();
        let max_connections_unix = max_connections.clone();
        tokio::spawn(async move {
            let unix_conn_counter = std::sync::Arc::new(std::sync::atomic::AtomicU64::new(1));
@@ -723,23 +852,33 @@ match crate::transport::middle_proxy::fetch_proxy_secret(proxy_secret_path).awai
            loop {
                match unix_listener.accept().await {
                    Ok((stream, _)) => {
                        let permit = match max_connections_unix.clone().acquire_owned().await {
                            Ok(permit) => permit,
                            Err(_) => {
                                error!("Connection limiter is closed");
                                break;
                            }
                        };
                        let conn_id = unix_conn_counter.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
                        let fake_peer = SocketAddr::from(([127, 0, 0, 1], (conn_id % 65535) as u16));
-                        let config = config.clone();
+                        let config = config_rx_unix.borrow_and_update().clone();
                        let stats = stats.clone();
                        let upstream_manager = upstream_manager.clone();
                        let replay_checker = replay_checker.clone();
                        let buffer_pool = buffer_pool.clone();
                        let rng = rng.clone();
                        let me_pool = me_pool.clone();
                        let tls_cache = tls_cache.clone();
                        let ip_tracker = ip_tracker.clone();
                        let proxy_protocol_enabled = config.server.proxy_protocol;
                        tokio::spawn(async move {
                            let _permit = permit;
                            if let Err(e) = crate::proxy::client::handle_client_stream(
                                stream, fake_peer, config, stats,
                                upstream_manager, replay_checker, buffer_pool, rng,
-                                me_pool, ip_tracker,
+                                me_pool, tls_cache, ip_tracker, proxy_protocol_enabled,
                            ).await {
                                debug!(error = %e, "Unix socket connection error");
                            }
@@ -771,6 +910,20 @@ match crate::transport::middle_proxy::fetch_proxy_secret(proxy_secret_path).awai
        .reload(runtime_filter)
        .expect("Failed to switch log filter");
    // Apply log_level changes from hot-reload to the tracing filter.
    tokio::spawn(async move {
        loop {
            if log_level_rx.changed().await.is_err() {
                break;
            }
            let level = log_level_rx.borrow_and_update().clone();
            let new_filter = tracing_subscriber::EnvFilter::new(level.to_filter_str());
            if let Err(e) = filter_handle.reload(new_filter) {
                tracing::error!("config reload: failed to update log filter: {}", e);
            }
        }
    });
    if let Some(port) = config.server.metrics_port {
        let stats = stats.clone();
        let whitelist = config.server.metrics_whitelist.clone();
@@ -779,30 +932,42 @@ match crate::transport::middle_proxy::fetch_proxy_secret(proxy_secret_path).awai
        });
    }
-    for listener in listeners {
+    for (listener, listener_proxy_protocol) in listeners {
-        let config = config.clone();
+        let mut config_rx: tokio::sync::watch::Receiver<Arc<ProxyConfig>> = config_rx.clone();
        let stats = stats.clone();
        let upstream_manager = upstream_manager.clone();
        let replay_checker = replay_checker.clone();
        let buffer_pool = buffer_pool.clone();
        let rng = rng.clone();
        let me_pool = me_pool.clone();
        let tls_cache = tls_cache.clone();
        let ip_tracker = ip_tracker.clone();
        let max_connections_tcp = max_connections.clone();
        tokio::spawn(async move {
            loop {
                match listener.accept().await {
                    Ok((stream, peer_addr)) => {
-                        let config = config.clone();
+                        let permit = match max_connections_tcp.clone().acquire_owned().await {
                            Ok(permit) => permit,
                            Err(_) => {
                                error!("Connection limiter is closed");
                                break;
                            }
                        };
                        let config = config_rx.borrow_and_update().clone();
                        let stats = stats.clone();
                        let upstream_manager = upstream_manager.clone();
                        let replay_checker = replay_checker.clone();
                        let buffer_pool = buffer_pool.clone();
                        let rng = rng.clone();
                        let me_pool = me_pool.clone();
                        let tls_cache = tls_cache.clone();
                        let ip_tracker = ip_tracker.clone();
                        let proxy_protocol_enabled = listener_proxy_protocol;
                        tokio::spawn(async move {
                            let _permit = permit;
                            if let Err(e) = ClientHandler::new(
                                stream,
                                peer_addr,
@@ -813,12 +978,47 @@ match crate::transport::middle_proxy::fetch_proxy_secret(proxy_secret_path).awai
                                buffer_pool,
                                rng,
                                me_pool,
                                tls_cache,
                                ip_tracker,
                                proxy_protocol_enabled,
                            )
                            .run()
                            .await
                            {
-                                debug!(peer = %peer_addr, error = %e, "Connection error");
+                                let peer_closed = matches!(
                                    &e,
                                    crate::error::ProxyError::Io(ioe)
                                        if matches!(
                                            ioe.kind(),
                                            std::io::ErrorKind::ConnectionReset
                                                | std::io::ErrorKind::ConnectionAborted
                                                | std::io::ErrorKind::BrokenPipe
                                                | std::io::ErrorKind::NotConnected
                                        )
                                ) || matches!(
                                    &e,
                                    crate::error::ProxyError::Stream(
                                        crate::error::StreamError::Io(ioe)
                                    )
                                        if matches!(
                                            ioe.kind(),
                                            std::io::ErrorKind::ConnectionReset
                                                | std::io::ErrorKind::ConnectionAborted
                                                | std::io::ErrorKind::BrokenPipe
                                                | std::io::ErrorKind::NotConnected
                                        )
                                );
                                let me_closed = matches!(
                                    &e,
                                    crate::error::ProxyError::Proxy(msg) if msg == "ME connection lost"
                                );
                                match (peer_closed, me_closed) {
                                    (true, _) => debug!(peer = %peer_addr, error = %e, "Connection closed by client"),
                                    (_, true) => warn!(peer = %peer_addr, error = %e, "Connection closed: Middle-End dropped session"),
                                    _ => warn!(peer = %peer_addr, error = %e, "Connection closed with error"),
                                }
                            }
                        });
                    }
--- a/src/metrics.rs
+++ b/src/metrics.rs
@@ -1,18 +1,19 @@
 use std::convert::Infallible;
-use std::net::{IpAddr, SocketAddr};
+use std::net::SocketAddr;
 use std::sync::Arc;
-use http_body_util::Full;
+use http_body_util::{Full, BodyExt};
 use hyper::body::Bytes;
 use hyper::server::conn::http1;
 use hyper::service::service_fn;
 use hyper::{Request, Response, StatusCode};
 use ipnetwork::IpNetwork;
 use tokio::net::TcpListener;
 use tracing::{info, warn, debug};
 use crate::stats::Stats;
-pub async fn serve(port: u16, stats: Arc<Stats>, whitelist: Vec<IpAddr>) {
+pub async fn serve(port: u16, stats: Arc<Stats>, whitelist: Vec<IpNetwork>) {
    let addr = SocketAddr::from(([0, 0, 0, 0], port));
    let listener = match TcpListener::bind(addr).await {
        Ok(l) => l,
@@ -32,7 +33,7 @@ pub async fn serve(port: u16, stats: Arc<Stats>, whitelist: Vec<IpAddr>) {
            }
        };
-        if !whitelist.is_empty() && !whitelist.contains(&peer.ip()) {
+        if !whitelist.is_empty() && !whitelist.iter().any(|net| net.contains(peer.ip())) {
            debug!(peer = %peer, "Metrics request denied by whitelist");
            continue;
        }
@@ -53,7 +54,7 @@ pub async fn serve(port: u16, stats: Arc<Stats>, whitelist: Vec<IpAddr>) {
    }
 }
-fn handle(req: Request<hyper::body::Incoming>, stats: &Stats) -> Result<Response<Full<Bytes>>, Infallible> {
+fn handle<B>(req: Request<B>, stats: &Stats) -> Result<Response<Full<Bytes>>, Infallible> {
    if req.uri().path() != "/metrics" {
        let resp = Response::builder()
            .status(StatusCode::NOT_FOUND)
@@ -99,6 +100,14 @@ fn render_metrics(stats: &Stats) -> String {
    let _ = writeln!(out, "# TYPE telemt_me_keepalive_failed_total counter");
    let _ = writeln!(out, "telemt_me_keepalive_failed_total {}", stats.get_me_keepalive_failed());
    let _ = writeln!(out, "# HELP telemt_me_keepalive_pong_total ME keepalive pong replies");
    let _ = writeln!(out, "# TYPE telemt_me_keepalive_pong_total counter");
    let _ = writeln!(out, "telemt_me_keepalive_pong_total {}", stats.get_me_keepalive_pong());
    let _ = writeln!(out, "# HELP telemt_me_keepalive_timeout_total ME keepalive ping timeouts");
    let _ = writeln!(out, "# TYPE telemt_me_keepalive_timeout_total counter");
    let _ = writeln!(out, "telemt_me_keepalive_timeout_total {}", stats.get_me_keepalive_timeout());
    let _ = writeln!(out, "# HELP telemt_me_reconnect_attempts_total ME reconnect attempts");
    let _ = writeln!(out, "# TYPE telemt_me_reconnect_attempts_total counter");
    let _ = writeln!(out, "telemt_me_reconnect_attempts_total {}", stats.get_me_reconnect_attempts());
@@ -107,6 +116,30 @@ fn render_metrics(stats: &Stats) -> String {
    let _ = writeln!(out, "# TYPE telemt_me_reconnect_success_total counter");
    let _ = writeln!(out, "telemt_me_reconnect_success_total {}", stats.get_me_reconnect_success());
    let _ = writeln!(out, "# HELP telemt_me_crc_mismatch_total ME CRC mismatches");
    let _ = writeln!(out, "# TYPE telemt_me_crc_mismatch_total counter");
    let _ = writeln!(out, "telemt_me_crc_mismatch_total {}", stats.get_me_crc_mismatch());
    let _ = writeln!(out, "# HELP telemt_me_seq_mismatch_total ME sequence mismatches");
    let _ = writeln!(out, "# TYPE telemt_me_seq_mismatch_total counter");
    let _ = writeln!(out, "telemt_me_seq_mismatch_total {}", stats.get_me_seq_mismatch());
    let _ = writeln!(out, "# HELP telemt_me_route_drop_no_conn_total ME route drops: no conn");
    let _ = writeln!(out, "# TYPE telemt_me_route_drop_no_conn_total counter");
    let _ = writeln!(out, "telemt_me_route_drop_no_conn_total {}", stats.get_me_route_drop_no_conn());
    let _ = writeln!(out, "# HELP telemt_me_route_drop_channel_closed_total ME route drops: channel closed");
    let _ = writeln!(out, "# TYPE telemt_me_route_drop_channel_closed_total counter");
    let _ = writeln!(out, "telemt_me_route_drop_channel_closed_total {}", stats.get_me_route_drop_channel_closed());
    let _ = writeln!(out, "# HELP telemt_me_route_drop_queue_full_total ME route drops: queue full");
    let _ = writeln!(out, "# TYPE telemt_me_route_drop_queue_full_total counter");
    let _ = writeln!(out, "telemt_me_route_drop_queue_full_total {}", stats.get_me_route_drop_queue_full());
    let _ = writeln!(out, "# HELP telemt_secure_padding_invalid_total Invalid secure frame lengths");
    let _ = writeln!(out, "# TYPE telemt_secure_padding_invalid_total counter");
    let _ = writeln!(out, "telemt_secure_padding_invalid_total {}", stats.get_secure_padding_invalid());
    let _ = writeln!(out, "# HELP telemt_user_connections_total Per-user total connections");
    let _ = writeln!(out, "# TYPE telemt_user_connections_total counter");
    let _ = writeln!(out, "# HELP telemt_user_connections_current Per-user active connections");
@@ -193,21 +226,20 @@ mod tests {
        stats.increment_connects_all();
        stats.increment_connects_all();
-        let port = 19091u16;
+        let req = Request::builder()
-        let s = stats.clone();
+            .uri("/metrics")
-        tokio::spawn(async move {
+            .body(())
-            serve(port, s, vec![]).await;
+            .unwrap();
-        });
+        let resp = handle(req, &stats).unwrap();
-        tokio::time::sleep(std::time::Duration::from_millis(50)).await;
+        assert_eq!(resp.status(), StatusCode::OK);
        let body = resp.into_body().collect().await.unwrap().to_bytes();
        assert!(std::str::from_utf8(body.as_ref()).unwrap().contains("telemt_connections_total 3"));
-        let resp = reqwest::get(format!("http://127.0.0.1:{}/metrics", port))
+        let req404 = Request::builder()
-            .await.unwrap();
+            .uri("/other")
-        assert_eq!(resp.status(), 200);
+            .body(())
-        let body = resp.text().await.unwrap();
+            .unwrap();
-        assert!(body.contains("telemt_connections_total 3"));
+        let resp404 = handle(req404, &stats).unwrap();
-
+        assert_eq!(resp404.status(), StatusCode::NOT_FOUND);
        let resp404 = reqwest::get(format!("http://127.0.0.1:{}/other", port))
            .await.unwrap();
        assert_eq!(resp404.status(), 404);
    }
 }
--- a/src/protocol/constants.rs
+++ b/src/protocol/constants.rs
@@ -1,6 +1,8 @@
 //! Protocol constants and datacenter addresses
 use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
 use crate::crypto::SecureRandom;
 use std::sync::LazyLock;
 // ============= Telegram Datacenters =============
@@ -151,7 +153,32 @@ pub const TLS_RECORD_ALERT: u8 = 0x15;
 /// Maximum TLS record size
 pub const MAX_TLS_RECORD_SIZE: usize = 16384;
 /// Maximum TLS chunk size (with overhead)
-pub const MAX_TLS_CHUNK_SIZE: usize = 16384 + 24;
+/// RFC 8446 §5.2 allows up to 16384 + 256 bytes of ciphertext
 pub const MAX_TLS_CHUNK_SIZE: usize = 16384 + 256;
 /// Secure Intermediate payload is expected to be 4-byte aligned.
 pub fn is_valid_secure_payload_len(data_len: usize) -> bool {
    data_len % 4 == 0
 }
 /// Compute Secure Intermediate payload length from wire length.
 /// Secure mode strips up to 3 random tail bytes by truncating to 4-byte boundary.
 pub fn secure_payload_len_from_wire_len(wire_len: usize) -> Option<usize> {
    if wire_len < 4 {
        return None;
    }
    Some(wire_len - (wire_len % 4))
 }
 /// Generate padding length for Secure Intermediate protocol.
 /// Data must be 4-byte aligned; padding is 1..=3 so total is never divisible by 4.
 pub fn secure_padding_len(data_len: usize, rng: &SecureRandom) -> usize {
    debug_assert!(
        is_valid_secure_payload_len(data_len),
        "Secure payload must be 4-byte aligned, got {data_len}"
    );
    (rng.range(3) + 1) as usize
 }
 // ============= Timeouts =============
@@ -284,6 +311,10 @@ pub mod rpc_flags {
        pub const FLAG_ABRIDGED: u32      = 0x40000000;
        pub const FLAG_QUICKACK: u32      = 0x80000000;
    }
    pub mod rpc_crypto_flags {
        pub const USE_CRC32C: u32 = 0x800;
    }
    pub const ME_CONNECT_TIMEOUT_SECS: u64 = 5;
    pub const ME_HANDSHAKE_TIMEOUT_SECS: u64 = 10;
@@ -319,4 +350,43 @@ mod tests {
        assert_eq!(TG_DATACENTERS_V4.len(), 5);
        assert_eq!(TG_DATACENTERS_V6.len(), 5);
    }
-}
+
    #[test]
    fn secure_padding_never_produces_aligned_total() {
        let rng = SecureRandom::new();
        for data_len in (0..1000).step_by(4) {
            for _ in 0..100 {
                let padding = secure_padding_len(data_len, &rng);
                assert!(
                    padding <= 3,
                    "padding out of range: data_len={data_len}, padding={padding}"
                );
                assert_ne!(
                    (data_len + padding) % 4,
                    0,
                    "invariant violated: data_len={data_len}, padding={padding}, total={}",
                    data_len + padding
                );
            }
        }
    }
    #[test]
    fn secure_wire_len_roundtrip_for_aligned_payload() {
        for payload_len in (4..4096).step_by(4) {
            for padding in 0..=3usize {
                let wire_len = payload_len + padding;
                let recovered = secure_payload_len_from_wire_len(wire_len);
                assert_eq!(recovered, Some(payload_len));
            }
        }
    }
    #[test]
    fn secure_wire_len_rejects_too_short_frames() {
        assert_eq!(secure_payload_len_from_wire_len(0), None);
        assert_eq!(secure_payload_len_from_wire_len(1), None);
        assert_eq!(secure_payload_len_from_wire_len(2), None);
        assert_eq!(secure_payload_len_from_wire_len(3), None);
    }
 }
--- a/src/protocol/tls.rs
+++ b/src/protocol/tls.rs
@@ -32,6 +32,7 @@ pub const TIME_SKEW_MAX: i64 = 10 * 60;  // 10 minutes after
 mod extension_type {
    pub const KEY_SHARE: u16 = 0x0033;
    pub const SUPPORTED_VERSIONS: u16 = 0x002b;
    pub const ALPN: u16 = 0x0010;
 }
 /// TLS Cipher Suites
@@ -62,6 +63,7 @@ pub struct TlsValidation {
 // ============= TLS Extension Builder =============
 /// Builder for TLS extensions with correct length calculation
 #[derive(Clone)]
 struct TlsExtensionBuilder {
    extensions: Vec<u8>,
 }
@@ -108,6 +110,27 @@ impl TlsExtensionBuilder {
        self
    }
    /// Add ALPN extension with a single selected protocol.
    fn add_alpn(&mut self, proto: &[u8]) -> &mut Self {
        // Extension type: ALPN (0x0010)
        self.extensions.extend_from_slice(&extension_type::ALPN.to_be_bytes());
        // ALPN extension format:
        // extension_data length (2 bytes)
        //   protocols length (2 bytes)
        //     protocol name length (1 byte)
        //     protocol name bytes
        let proto_len = proto.len() as u8;
        let list_len: u16 = 1 + proto_len as u16;
        let ext_len: u16 = 2 + list_len;
        self.extensions.extend_from_slice(&ext_len.to_be_bytes());
        self.extensions.extend_from_slice(&list_len.to_be_bytes());
        self.extensions.push(proto_len);
        self.extensions.extend_from_slice(proto);
        self
    }
    /// Build final extensions with length prefix
    fn build(self) -> Vec<u8> {
@@ -144,6 +167,8 @@ struct ServerHelloBuilder {
    compression: u8,
    /// Extensions
    extensions: TlsExtensionBuilder,
    /// Selected ALPN protocol (if any)
    alpn: Option<Vec<u8>>,
 }
 impl ServerHelloBuilder {
@@ -154,6 +179,7 @@ impl ServerHelloBuilder {
            cipher_suite: cipher_suite::TLS_AES_128_GCM_SHA256,
            compression: 0x00,
            extensions: TlsExtensionBuilder::new(),
            alpn: None,
        }
    }
@@ -167,10 +193,19 @@ impl ServerHelloBuilder {
        self.extensions.add_supported_versions(0x0304);
        self
    }
    fn with_alpn(mut self, proto: Option<Vec<u8>>) -> Self {
        self.alpn = proto;
        self
    }
    /// Build ServerHello message (without record header)
    fn build_message(&self) -> Vec<u8> {
-        let extensions = self.extensions.extensions.clone();
+        let mut ext_builder = self.extensions.clone();
        if let Some(ref alpn) = self.alpn {
            ext_builder.add_alpn(alpn);
        }
        let extensions = ext_builder.extensions.clone();
        let extensions_len = extensions.len() as u16;
        // Calculate total length
@@ -350,13 +385,19 @@ pub fn build_server_hello(
    session_id: &[u8],
    fake_cert_len: usize,
    rng: &SecureRandom,
    alpn: Option<Vec<u8>>,
    new_session_tickets: u8,
 ) -> Vec<u8> {
    const MIN_APP_DATA: usize = 64;
    const MAX_APP_DATA: usize = 16640; // RFC 8446 §5.2 upper bound
    let fake_cert_len = fake_cert_len.max(MIN_APP_DATA).min(MAX_APP_DATA);
    let x25519_key = gen_fake_x25519_key(rng);
    // Build ServerHello
    let server_hello = ServerHelloBuilder::new(session_id.to_vec())
        .with_x25519_key(&x25519_key)
        .with_tls13_version()
        .with_alpn(alpn)
        .build_record();
    // Build Change Cipher Spec record
@@ -373,15 +414,35 @@ pub fn build_server_hello(
    app_data_record.push(TLS_RECORD_APPLICATION);
    app_data_record.extend_from_slice(&TLS_VERSION);
    app_data_record.extend_from_slice(&(fake_cert_len as u16).to_be_bytes());
    // Fill ApplicationData with fully random bytes of desired length to avoid
    // deterministic DPI fingerprints (fixed inner content type markers).
    app_data_record.extend_from_slice(&fake_cert);
    // Build optional NewSessionTicket records (TLS 1.3 handshake messages are encrypted;
    // here we mimic with opaque ApplicationData records of plausible size).
    let mut tickets = Vec::new();
    if new_session_tickets > 0 {
        for _ in 0..new_session_tickets {
            let ticket_len: usize = rng.range(48) + 48; // 48-95 bytes
            let mut record = Vec::with_capacity(5 + ticket_len);
            record.push(TLS_RECORD_APPLICATION);
            record.extend_from_slice(&TLS_VERSION);
            record.extend_from_slice(&(ticket_len as u16).to_be_bytes());
            record.extend_from_slice(&rng.bytes(ticket_len));
            tickets.push(record);
        }
    }
    // Combine all records
    let mut response = Vec::with_capacity(
-        server_hello.len() + change_cipher_spec.len() + app_data_record.len()
+        server_hello.len() + change_cipher_spec.len() + app_data_record.len() + tickets.iter().map(|r| r.len()).sum::<usize>()
    );
    response.extend_from_slice(&server_hello);
    response.extend_from_slice(&change_cipher_spec);
    response.extend_from_slice(&app_data_record);
    for t in &tickets {
        response.extend_from_slice(t);
    }
    // Compute HMAC for the response
    let mut hmac_input = Vec::with_capacity(TLS_DIGEST_LEN + response.len());
@@ -397,6 +458,131 @@ pub fn build_server_hello(
    response
 }
 /// Extract SNI (server_name) from a TLS ClientHello.
 pub fn extract_sni_from_client_hello(handshake: &[u8]) -> Option<String> {
    if handshake.len() < 43 || handshake[0] != TLS_RECORD_HANDSHAKE {
        return None;
    }
    let mut pos = 5; // after record header
    if handshake.get(pos).copied()? != 0x01 {
        return None; // not ClientHello
    }
    // Handshake length bytes
    pos += 4; // type + len (3)
    // version (2) + random (32)
    pos += 2 + 32;
    if pos + 1 > handshake.len() {
        return None;
    }
    let session_id_len = *handshake.get(pos)? as usize;
    pos += 1 + session_id_len;
    if pos + 2 > handshake.len() {
        return None;
    }
    let cipher_suites_len = u16::from_be_bytes([handshake[pos], handshake[pos + 1]]) as usize;
    pos += 2 + cipher_suites_len;
    if pos + 1 > handshake.len() {
        return None;
    }
    let comp_len = *handshake.get(pos)? as usize;
    pos += 1 + comp_len;
    if pos + 2 > handshake.len() {
        return None;
    }
    let ext_len = u16::from_be_bytes([handshake[pos], handshake[pos + 1]]) as usize;
    pos += 2;
    let ext_end = pos + ext_len;
    if ext_end > handshake.len() {
        return None;
    }
    while pos + 4 <= ext_end {
        let etype = u16::from_be_bytes([handshake[pos], handshake[pos + 1]]);
        let elen = u16::from_be_bytes([handshake[pos + 2], handshake[pos + 3]]) as usize;
        pos += 4;
        if pos + elen > ext_end {
            break;
        }
        if etype == 0x0000 && elen >= 5 {
            // server_name extension
            let list_len = u16::from_be_bytes([handshake[pos], handshake[pos + 1]]) as usize;
            let mut sn_pos = pos + 2;
            let sn_end = std::cmp::min(sn_pos + list_len, pos + elen);
            while sn_pos + 3 <= sn_end {
                let name_type = handshake[sn_pos];
                let name_len = u16::from_be_bytes([handshake[sn_pos + 1], handshake[sn_pos + 2]]) as usize;
                sn_pos += 3;
                if sn_pos + name_len > sn_end {
                    break;
                }
                if name_type == 0 && name_len > 0 {
                    if let Ok(host) = std::str::from_utf8(&handshake[sn_pos..sn_pos + name_len]) {
                        return Some(host.to_string());
                    }
                }
                sn_pos += name_len;
            }
        }
        pos += elen;
    }
    None
 }
 /// Extract ALPN protocol list from ClientHello, return in offered order.
 pub fn extract_alpn_from_client_hello(handshake: &[u8]) -> Vec<Vec<u8>> {
    let mut pos = 5; // after record header
    if handshake.get(pos) != Some(&0x01) {
        return Vec::new();
    }
    pos += 4; // type + len
    pos += 2 + 32; // version + random
    if pos >= handshake.len() { return Vec::new(); }
    let session_id_len = *handshake.get(pos).unwrap_or(&0) as usize;
    pos += 1 + session_id_len;
    if pos + 2 > handshake.len() { return Vec::new(); }
    let cipher_len = u16::from_be_bytes([handshake[pos], handshake[pos+1]]) as usize;
    pos += 2 + cipher_len;
    if pos >= handshake.len() { return Vec::new(); }
    let comp_len = *handshake.get(pos).unwrap_or(&0) as usize;
    pos += 1 + comp_len;
    if pos + 2 > handshake.len() { return Vec::new(); }
    let ext_len = u16::from_be_bytes([handshake[pos], handshake[pos+1]]) as usize;
    pos += 2;
    let ext_end = pos + ext_len;
    if ext_end > handshake.len() { return Vec::new(); }
    let mut out = Vec::new();
    while pos + 4 <= ext_end {
        let etype = u16::from_be_bytes([handshake[pos], handshake[pos+1]]);
        let elen = u16::from_be_bytes([handshake[pos+2], handshake[pos+3]]) as usize;
        pos += 4;
        if pos + elen > ext_end { break; }
        if etype == extension_type::ALPN && elen >= 3 {
            let list_len = u16::from_be_bytes([handshake[pos], handshake[pos+1]]) as usize;
            let mut lp = pos + 2;
            let list_end = (pos + 2).saturating_add(list_len).min(pos + elen);
            while lp + 1 <= list_end {
                let plen = handshake[lp] as usize;
                lp += 1;
                if lp + plen > list_end { break; }
                out.push(handshake[lp..lp+plen].to_vec());
                lp += plen;
            }
            break;
        }
        pos += elen;
    }
    out
 }
 /// Check if bytes look like a TLS ClientHello
 pub fn is_tls_handshake(first_bytes: &[u8]) -> bool {
    if first_bytes.len() < 3 {
@@ -575,7 +761,7 @@ mod tests {
        let session_id = vec![0xAA; 32];
        let rng = SecureRandom::new();
-        let response = build_server_hello(secret, &client_digest, &session_id, 2048, &rng);
+        let response = build_server_hello(secret, &client_digest, &session_id, 2048, &rng, None, 0);
        // Should have at least 3 records
        assert!(response.len() > 100);
@@ -608,8 +794,8 @@ mod tests {
        let session_id = vec![0xAA; 32];
        let rng = SecureRandom::new();
-        let response1 = build_server_hello(secret, &client_digest, &session_id, 1024, &rng);
+        let response1 = build_server_hello(secret, &client_digest, &session_id, 1024, &rng, None, 0);
-        let response2 = build_server_hello(secret, &client_digest, &session_id, 1024, &rng);
+        let response2 = build_server_hello(secret, &client_digest, &session_id, 1024, &rng, None, 0);
        // Digest position should have non-zero data
        let digest1 = &response1[TLS_DIGEST_POS..TLS_DIGEST_POS + TLS_DIGEST_LEN];
@@ -668,4 +854,101 @@ mod tests {
        // Should return None (no match) but not panic
        assert!(result.is_none());
    }
    fn build_client_hello_with_exts(exts: Vec<(u16, Vec<u8>)>, host: &str) -> Vec<u8> {
        let mut body = Vec::new();
        body.extend_from_slice(&TLS_VERSION); // legacy version
        body.extend_from_slice(&[0u8; 32]); // random
        body.push(0); // session id len
        body.extend_from_slice(&2u16.to_be_bytes()); // cipher suites len
        body.extend_from_slice(&[0x13, 0x01]); // TLS_AES_128_GCM_SHA256
        body.push(1); // compression len
        body.push(0); // null compression
        // Build SNI extension
        let host_bytes = host.as_bytes();
        let mut sni_ext = Vec::new();
        sni_ext.extend_from_slice(&(host_bytes.len() as u16 + 3).to_be_bytes());
        sni_ext.push(0);
        sni_ext.extend_from_slice(&(host_bytes.len() as u16).to_be_bytes());
        sni_ext.extend_from_slice(host_bytes);
        let mut ext_blob = Vec::new();
        for (typ, data) in exts {
            ext_blob.extend_from_slice(&typ.to_be_bytes());
            ext_blob.extend_from_slice(&(data.len() as u16).to_be_bytes());
            ext_blob.extend_from_slice(&data);
        }
        // SNI last
        ext_blob.extend_from_slice(&0x0000u16.to_be_bytes());
        ext_blob.extend_from_slice(&(sni_ext.len() as u16).to_be_bytes());
        ext_blob.extend_from_slice(&sni_ext);
        body.extend_from_slice(&(ext_blob.len() as u16).to_be_bytes());
        body.extend_from_slice(&ext_blob);
        let mut handshake = Vec::new();
        handshake.push(0x01); // ClientHello
        let len_bytes = (body.len() as u32).to_be_bytes();
        handshake.extend_from_slice(&len_bytes[1..4]);
        handshake.extend_from_slice(&body);
        let mut record = Vec::new();
        record.push(TLS_RECORD_HANDSHAKE);
        record.extend_from_slice(&[0x03, 0x01]);
        record.extend_from_slice(&(handshake.len() as u16).to_be_bytes());
        record.extend_from_slice(&handshake);
        record
    }
    #[test]
    fn test_extract_sni_with_grease_extension() {
        // GREASE type 0x0a0a with zero length before SNI
        let ch = build_client_hello_with_exts(vec![(0x0a0a, Vec::new())], "example.com");
        let sni = extract_sni_from_client_hello(&ch);
        assert_eq!(sni.as_deref(), Some("example.com"));
    }
    #[test]
    fn test_extract_sni_tolerates_empty_unknown_extension() {
        let ch = build_client_hello_with_exts(vec![(0x1234, Vec::new())], "test.local");
        let sni = extract_sni_from_client_hello(&ch);
        assert_eq!(sni.as_deref(), Some("test.local"));
    }
    #[test]
    fn test_extract_alpn_single() {
        let mut alpn_data = Vec::new();
        // list length = 3 (1 length byte + "h2")
        alpn_data.extend_from_slice(&3u16.to_be_bytes());
        alpn_data.push(2);
        alpn_data.extend_from_slice(b"h2");
        let ch = build_client_hello_with_exts(vec![(0x0010, alpn_data)], "alpn.test");
        let alpn = extract_alpn_from_client_hello(&ch);
        let alpn_str: Vec<String> = alpn
            .iter()
            .map(|p| std::str::from_utf8(p).unwrap().to_string())
            .collect();
        assert_eq!(alpn_str, vec!["h2"]);
    }
    #[test]
    fn test_extract_alpn_multiple() {
        let mut alpn_data = Vec::new();
        // list length = 11 (sum of per-proto lengths including length bytes)
        alpn_data.extend_from_slice(&11u16.to_be_bytes());
        alpn_data.push(2);
        alpn_data.extend_from_slice(b"h2");
        alpn_data.push(4);
        alpn_data.extend_from_slice(b"spdy");
        alpn_data.push(2);
        alpn_data.extend_from_slice(b"h3");
        let ch = build_client_hello_with_exts(vec![(0x0010, alpn_data)], "alpn.test");
        let alpn = extract_alpn_from_client_hello(&ch);
        let alpn_str: Vec<String> = alpn
            .iter()
            .map(|p| std::str::from_utf8(p).unwrap().to_string())
            .collect();
        assert_eq!(alpn_str, vec!["h2", "spdy", "h3"]);
    }
 }
--- a/src/proxy/client.rs
+++ b/src/proxy/client.rs
@@ -30,7 +30,9 @@ use crate::protocol::tls;
 use crate::stats::{ReplayChecker, Stats};
 use crate::stream::{BufferPool, CryptoReader, CryptoWriter};
 use crate::transport::middle_proxy::MePool;
-use crate::transport::{UpstreamManager, configure_client_socket};
+use crate::transport::{UpstreamManager, configure_client_socket, parse_proxy_protocol};
 use crate::transport::socket::normalize_ip;
 use crate::tls_front::TlsFrontCache;
 use crate::proxy::direct_relay::handle_via_direct;
 use crate::proxy::handshake::{HandshakeSuccess, handle_mtproto_handshake, handle_tls_handshake};
@@ -47,13 +49,36 @@ pub async fn handle_client_stream<S>(
    buffer_pool: Arc<BufferPool>,
    rng: Arc<SecureRandom>,
    me_pool: Option<Arc<MePool>>,
    tls_cache: Option<Arc<TlsFrontCache>>,
    ip_tracker: Arc<UserIpTracker>,
    proxy_protocol_enabled: bool,
 ) -> Result<()>
 where
    S: AsyncRead + AsyncWrite + Unpin + Send + 'static,
 {
    stats.increment_connects_all();
-    debug!(peer = %peer, "New connection (generic stream)");
+    let mut real_peer = normalize_ip(peer);
    if proxy_protocol_enabled {
        match parse_proxy_protocol(&mut stream, peer).await {
            Ok(info) => {
                debug!(
                    peer = %peer,
                    client = %info.src_addr,
                    version = info.version,
                    "PROXY protocol header parsed"
                );
                real_peer = normalize_ip(info.src_addr);
            }
            Err(e) => {
                stats.increment_connects_bad();
                warn!(peer = %peer, error = %e, "Invalid PROXY protocol header");
                return Err(e);
            }
        }
    }
    debug!(peer = %real_peer, "New connection (generic stream)");
    let handshake_timeout = Duration::from_secs(config.timeouts.client_handshake);
    let stats_for_timeout = stats.clone();
@@ -69,13 +94,13 @@ where
        stream.read_exact(&mut first_bytes).await?;
        let is_tls = tls::is_tls_handshake(&first_bytes[..3]);
-        debug!(peer = %peer, is_tls = is_tls, "Handshake type detected");
+        debug!(peer = %real_peer, is_tls = is_tls, "Handshake type detected");
        if is_tls {
            let tls_len = u16::from_be_bytes([first_bytes[3], first_bytes[4]]) as usize;
            if tls_len < 512 {
-                debug!(peer = %peer, tls_len = tls_len, "TLS handshake too short");
+                debug!(peer = %real_peer, tls_len = tls_len, "TLS handshake too short");
                stats.increment_connects_bad();
                let (reader, writer) = tokio::io::split(stream);
                handle_bad_client(reader, writer, &first_bytes, &config).await;
@@ -89,8 +114,8 @@ where
            let (read_half, write_half) = tokio::io::split(stream);
            let (mut tls_reader, tls_writer, _tls_user) = match handle_tls_handshake(
-                &handshake, read_half, write_half, peer,
+                &handshake, read_half, write_half, real_peer,
-                &config, &replay_checker, &rng,
+                &config, &replay_checker, &rng, tls_cache.clone(),
            ).await {
                HandshakeResult::Success(result) => result,
                HandshakeResult::BadClient { reader, writer } => {
@@ -107,7 +132,7 @@ where
                .map_err(|_| ProxyError::InvalidHandshake("Short MTProto handshake".into()))?;
            let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake(
-                &mtproto_handshake, tls_reader, tls_writer, peer,
+                &mtproto_handshake, tls_reader, tls_writer, real_peer,
                &config, &replay_checker, true,
            ).await {
                HandshakeResult::Success(result) => result,
@@ -123,12 +148,12 @@ where
                RunningClientHandler::handle_authenticated_static(
                    crypto_reader, crypto_writer, success,
                    upstream_manager, stats, config, buffer_pool, rng, me_pool,
-                    local_addr, peer, ip_tracker.clone(),
+                    local_addr, real_peer, ip_tracker.clone(),
                ),
            )))
        } else {
            if !config.general.modes.classic && !config.general.modes.secure {
-                debug!(peer = %peer, "Non-TLS modes disabled");
+                debug!(peer = %real_peer, "Non-TLS modes disabled");
                stats.increment_connects_bad();
                let (reader, writer) = tokio::io::split(stream);
                handle_bad_client(reader, writer, &first_bytes, &config).await;
@@ -142,7 +167,7 @@ where
            let (read_half, write_half) = tokio::io::split(stream);
            let (crypto_reader, crypto_writer, success) = match handle_mtproto_handshake(
-                &handshake, read_half, write_half, peer,
+                &handshake, read_half, write_half, real_peer,
                &config, &replay_checker, false,
            ).await {
                HandshakeResult::Success(result) => result,
@@ -166,7 +191,7 @@ where
                    rng,
                    me_pool,
                    local_addr,
-                    peer,
+                    real_peer,
                    ip_tracker.clone(),
                )
            )))
@@ -203,7 +228,9 @@ pub struct RunningClientHandler {
    buffer_pool: Arc<BufferPool>,
    rng: Arc<SecureRandom>,
    me_pool: Option<Arc<MePool>>,
    tls_cache: Option<Arc<TlsFrontCache>>,
    ip_tracker: Arc<UserIpTracker>,
    proxy_protocol_enabled: bool,
 }
 impl ClientHandler {
@@ -217,7 +244,9 @@ impl ClientHandler {
        buffer_pool: Arc<BufferPool>,
        rng: Arc<SecureRandom>,
        me_pool: Option<Arc<MePool>>,
        tls_cache: Option<Arc<TlsFrontCache>>,
        ip_tracker: Arc<UserIpTracker>,
        proxy_protocol_enabled: bool,
    ) -> RunningClientHandler {
        RunningClientHandler {
            stream,
@@ -229,7 +258,9 @@ impl ClientHandler {
            buffer_pool,
            rng,
            me_pool,
            tls_cache,
            ip_tracker,
            proxy_protocol_enabled,
        }
    }
 }
@@ -238,6 +269,7 @@ impl RunningClientHandler {
    pub async fn run(mut self) -> Result<()> {
        self.stats.increment_connects_all();
        self.peer = normalize_ip(self.peer);
        let peer = self.peer;
        let ip_tracker = self.ip_tracker.clone();
        debug!(peer = %peer, "New connection");
@@ -275,6 +307,25 @@ impl RunningClientHandler {
    }
    async fn do_handshake(mut self) -> Result<HandshakeOutcome> {
        if self.proxy_protocol_enabled {
            match parse_proxy_protocol(&mut self.stream, self.peer).await {
                Ok(info) => {
                    debug!(
                        peer = %self.peer,
                        client = %info.src_addr,
                        version = info.version,
                        "PROXY protocol header parsed"
                    );
                    self.peer = normalize_ip(info.src_addr);
                }
                Err(e) => {
                    self.stats.increment_connects_bad();
                    warn!(peer = %self.peer, error = %e, "Invalid PROXY protocol header");
                    return Err(e);
                }
            }
        }
        let mut first_bytes = [0u8; 5];
        self.stream.read_exact(&mut first_bytes).await?;
@@ -327,6 +378,7 @@ impl RunningClientHandler {
            &config,
            &replay_checker,
            &self.rng,
            self.tls_cache.clone(),
        )
        .await
        {
--- a/src/proxy/direct_relay.rs
+++ b/src/proxy/direct_relay.rs
@@ -178,8 +178,9 @@ async fn do_tg_handshake_static(
    let (read_half, write_half) = stream.into_split();
    let max_pending = config.general.crypto_pending_buffer;
    Ok((
        CryptoReader::new(read_half, tg_decryptor),
-        CryptoWriter::new(write_half, tg_encryptor),
+        CryptoWriter::new(write_half, tg_encryptor, max_pending),
    ))
 }
--- a/src/proxy/handshake.rs
+++ b/src/proxy/handshake.rs
@@ -1,17 +1,21 @@
 //! MTProto Handshake
 use std::net::SocketAddr;
 use std::sync::Arc;
 use std::time::Duration;
 use tokio::io::{AsyncRead, AsyncWrite, AsyncWriteExt};
 use tracing::{debug, warn, trace, info};
 use zeroize::Zeroize;
 use crate::crypto::{sha256, AesCtr, SecureRandom};
 use rand::Rng;
 use crate::protocol::constants::*;
 use crate::protocol::tls;
 use crate::stream::{FakeTlsReader, FakeTlsWriter, CryptoReader, CryptoWriter};
 use crate::error::{ProxyError, HandshakeResult};
 use crate::stats::ReplayChecker;
 use crate::config::ProxyConfig;
 use crate::tls_front::{TlsFrontCache, emulator};
 /// Result of successful handshake
 ///
@@ -55,6 +59,7 @@ pub async fn handle_tls_handshake<R, W>(
    config: &ProxyConfig,
    replay_checker: &ReplayChecker,
    rng: &SecureRandom,
    tls_cache: Option<Arc<TlsFrontCache>>,
 ) -> HandshakeResult<(FakeTlsReader<R>, FakeTlsWriter<W>, String), R, W>
 where
    R: AsyncRead + Unpin,
@@ -102,13 +107,85 @@ where
        None => return HandshakeResult::BadClient { reader, writer },
    };
-    let response = tls::build_server_hello(
+    let cached = if config.censorship.tls_emulation {
-        secret,
+        if let Some(cache) = tls_cache.as_ref() {
-        &validation.digest,
+            let selected_domain = if let Some(sni) = tls::extract_sni_from_client_hello(handshake) {
-        &validation.session_id,
+                if cache.contains_domain(&sni).await {
-        config.censorship.fake_cert_len,
+                    sni
-        rng,
+                } else {
-    );
+                    config.censorship.tls_domain.clone()
                }
            } else {
                config.censorship.tls_domain.clone()
            };
            let cached_entry = cache.get(&selected_domain).await;
            let use_full_cert_payload = cache
                .take_full_cert_budget_for_ip(
                    peer.ip(),
                    Duration::from_secs(config.censorship.tls_full_cert_ttl_secs),
                )
                .await;
            Some((cached_entry, use_full_cert_payload))
        } else {
            None
        }
    } else {
        None
    };
    let alpn_list = if config.censorship.alpn_enforce {
        tls::extract_alpn_from_client_hello(handshake)
    } else {
        Vec::new()
    };
    let selected_alpn = if config.censorship.alpn_enforce {
        if alpn_list.iter().any(|p| p == b"h2") {
            Some(b"h2".to_vec())
        } else if alpn_list.iter().any(|p| p == b"http/1.1") {
            Some(b"http/1.1".to_vec())
        } else {
            None
        }
    } else {
        None
    };
    let response = if let Some((cached_entry, use_full_cert_payload)) = cached {
        emulator::build_emulated_server_hello(
            secret,
            &validation.digest,
            &validation.session_id,
            &cached_entry,
            use_full_cert_payload,
            rng,
            selected_alpn.clone(),
            config.censorship.tls_new_session_tickets,
        )
    } else {
        tls::build_server_hello(
            secret,
            &validation.digest,
            &validation.session_id,
            config.censorship.fake_cert_len,
            rng,
            selected_alpn.clone(),
            config.censorship.tls_new_session_tickets,
        )
    };
    // Optional anti-fingerprint delay before sending ServerHello.
    if config.censorship.server_hello_delay_max_ms > 0 {
        let min = config.censorship.server_hello_delay_min_ms;
        let max = config.censorship.server_hello_delay_max_ms.max(min);
        let delay_ms = if max == min {
            max
        } else {
            rand::rng().random_range(min..=max)
        };
        if delay_ms > 0 {
            tokio::time::sleep(std::time::Duration::from_millis(delay_ms)).await;
        }
    }
    debug!(peer = %peer, response_len = response.len(), "Sending TLS ServerHello");
@@ -190,7 +267,11 @@ where
        let mode_ok = match proto_tag {
            ProtoTag::Secure => {
-                if is_tls { config.general.modes.tls } else { config.general.modes.secure }
+                if is_tls {
                    config.general.modes.tls || config.general.modes.secure
                } else {
                    config.general.modes.secure || config.general.modes.tls
                }
            }
            ProtoTag::Intermediate | ProtoTag::Abridged => config.general.modes.classic,
        };
@@ -237,9 +318,10 @@ where
            "MTProto handshake successful"
        );
        let max_pending = config.general.crypto_pending_buffer;
        return HandshakeResult::Success((
            CryptoReader::new(reader, decryptor),
-            CryptoWriter::new(writer, encryptor),
+            CryptoWriter::new(writer, encryptor, max_pending),
            success,
        ));
    }
--- a/src/proxy/masking.rs
+++ b/src/proxy/masking.rs
@@ -1,7 +1,7 @@
 //! Masking - forward unrecognized traffic to mask host
 use std::time::Duration;
 use std::str;
 use std::time::Duration;
 use tokio::net::TcpStream;
 #[cfg(unix)]
 use tokio::net::UnixStream;
@@ -11,9 +11,9 @@ use tracing::debug;
 use crate::config::ProxyConfig;
 const MASK_TIMEOUT: Duration = Duration::from_secs(5);
-    /// Maximum duration for the entire masking relay.
+/// Maximum duration for the entire masking relay.
-    /// Limits resource consumption from slow-loris attacks and port scanners.
+/// Limits resource consumption from slow-loris attacks and port scanners.
-    const MASK_RELAY_TIMEOUT: Duration = Duration::from_secs(60);
+const MASK_RELAY_TIMEOUT: Duration = Duration::from_secs(60);
 const MASK_BUFFER_SIZE: usize = 8192;
 /// Detect client type based on initial data
@@ -78,7 +78,9 @@ where
        match connect_result {
            Ok(Ok(stream)) => {
                let (mask_read, mask_write) = stream.into_split();
-                relay_to_mask(reader, writer, mask_read, mask_write, initial_data).await;
+                if timeout(MASK_RELAY_TIMEOUT, relay_to_mask(reader, writer, mask_read, mask_write, initial_data)).await.is_err() {
                    debug!("Mask relay timed out (unix socket)");
                }
            }
            Ok(Err(e)) => {
                debug!(error = %e, "Failed to connect to mask unix socket");
@@ -110,7 +112,9 @@ where
    match connect_result {
        Ok(Ok(stream)) => {
            let (mask_read, mask_write) = stream.into_split();
-            relay_to_mask(reader, writer, mask_read, mask_write, initial_data).await;
+            if timeout(MASK_RELAY_TIMEOUT, relay_to_mask(reader, writer, mask_read, mask_write, initial_data)).await.is_err() {
                debug!("Mask relay timed out");
            }
        }
        Ok(Err(e)) => {
            debug!(error = %e, "Failed to connect to mask host");
--- a/src/proxy/middle_relay.rs
+++ b/src/proxy/middle_relay.rs
@@ -2,24 +2,30 @@ use std::net::SocketAddr;
 use std::sync::Arc;
 use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt};
-use tracing::{debug, info, trace};
+use tokio::sync::{mpsc, oneshot};
 use tracing::{debug, info, trace, warn};
 use crate::config::ProxyConfig;
 use crate::crypto::SecureRandom;
 use crate::error::{ProxyError, Result};
-use crate::protocol::constants::*;
+use crate::protocol::constants::{*, secure_padding_len};
 use crate::proxy::handshake::HandshakeSuccess;
 use crate::stats::Stats;
 use crate::stream::{BufferPool, CryptoReader, CryptoWriter};
 use crate::transport::middle_proxy::{MePool, MeResponse, proto_flags_for_tag};
 enum C2MeCommand {
    Data { payload: Vec<u8>, flags: u32 },
    Close,
 }
 pub(crate) async fn handle_via_middle_proxy<R, W>(
    mut crypto_reader: CryptoReader<R>,
-    mut crypto_writer: CryptoWriter<W>,
+    crypto_writer: CryptoWriter<W>,
    success: HandshakeSuccess,
    me_pool: Arc<MePool>,
    stats: Arc<Stats>,
-    _config: Arc<ProxyConfig>,
+    config: Arc<ProxyConfig>,
    _buffer_pool: Arc<BufferPool>,
    local_addr: SocketAddr,
    rng: Arc<SecureRandom>,
@@ -41,7 +47,7 @@ where
        "Routing via Middle-End"
    );
-    let (conn_id, mut me_rx) = me_pool.registry().register().await;
+    let (conn_id, me_rx) = me_pool.registry().register().await;
    stats.increment_user_connects(&user);
    stats.increment_user_curr_connects(&user);
@@ -56,59 +62,179 @@ where
    let translated_local_addr = me_pool.translate_our_addr(local_addr);
-    let result: Result<()> = loop {
+    let frame_limit = config.general.max_client_frame;
-        tokio::select! {
+
-            client_frame = read_client_payload(&mut crypto_reader, proto_tag) => {
+    let (c2me_tx, mut c2me_rx) = mpsc::channel::<C2MeCommand>(1024);
-                match client_frame {
+    let me_pool_c2me = me_pool.clone();
-                    Ok(Some((payload, quickack))) => {
+    let c2me_sender = tokio::spawn(async move {
-                        trace!(conn_id, bytes = payload.len(), "C->ME frame");
+        while let Some(cmd) = c2me_rx.recv().await {
-                        stats.add_user_octets_from(&user, payload.len() as u64);
+            match cmd {
-                        let mut flags = proto_flags;
+                C2MeCommand::Data { payload, flags } => {
-                        if quickack {
+                    me_pool_c2me.send_proxy_req(
-                            flags |= RPC_FLAG_QUICKACK;
+                        conn_id,
-                        }
+                        success.dc_idx,
-                        if payload.len() >= 8 && payload[..8].iter().all(|b| *b == 0) {
+                        peer,
-                            flags |= RPC_FLAG_NOT_ENCRYPTED;
+                        translated_local_addr,
-                        }
+                        &payload,
-                        me_pool.send_proxy_req(
+                        flags,
-                            conn_id,
+                    ).await?;
                            success.dc_idx,
                            peer,
                            translated_local_addr,
                            &payload,
                            flags,
                        ).await?;
                    }
                    Ok(None) => {
                        debug!(conn_id, "Client EOF");
                        let _ = me_pool.send_close(conn_id).await;
                        break Ok(());
                    }
                    Err(e) => break Err(e),
                }
-            }
+                C2MeCommand::Close => {
-            me_msg = me_rx.recv() => {
+                    let _ = me_pool_c2me.send_close(conn_id).await;
-                match me_msg {
+                    return Ok(());
                    Some(MeResponse::Data { flags, data }) => {
                        trace!(conn_id, bytes = data.len(), flags, "ME->C data");
                        stats.add_user_octets_to(&user, data.len() as u64);
                        write_client_payload(&mut crypto_writer, proto_tag, flags, &data, rng.as_ref()).await?;
                    }
                    Some(MeResponse::Ack(confirm)) => {
                        trace!(conn_id, confirm, "ME->C quickack");
                        write_client_ack(&mut crypto_writer, proto_tag, confirm).await?;
                    }
                    Some(MeResponse::Close) => {
                        debug!(conn_id, "ME sent close");
                        break Ok(());
                    }
                    None => {
                        debug!(conn_id, "ME channel closed");
                        break Err(ProxyError::Proxy("ME connection lost".into()));
                    }
                }
            }
        }
        Ok(())
    });
    let (stop_tx, mut stop_rx) = oneshot::channel::<()>();
    let mut me_rx_task = me_rx;
    let stats_clone = stats.clone();
    let rng_clone = rng.clone();
    let user_clone = user.clone();
    let me_writer = tokio::spawn(async move {
        let mut writer = crypto_writer;
        let mut frame_buf = Vec::with_capacity(16 * 1024);
        loop {
            tokio::select! {
                msg = me_rx_task.recv() => {
                    match msg {
                        Some(MeResponse::Data { flags, data }) => {
                            trace!(conn_id, bytes = data.len(), flags, "ME->C data");
                            stats_clone.add_user_octets_to(&user_clone, data.len() as u64);
                            write_client_payload(
                                &mut writer,
                                proto_tag,
                                flags,
                                &data,
                                rng_clone.as_ref(),
                                &mut frame_buf,
                            )
                            .await?;
                            // Drain all immediately queued ME responses and flush once.
                            while let Ok(next) = me_rx_task.try_recv() {
                                match next {
                                    MeResponse::Data { flags, data } => {
                                        trace!(conn_id, bytes = data.len(), flags, "ME->C data (batched)");
                                        stats_clone.add_user_octets_to(&user_clone, data.len() as u64);
                                        write_client_payload(
                                            &mut writer,
                                            proto_tag,
                                            flags,
                                            &data,
                                            rng_clone.as_ref(),
                                            &mut frame_buf,
                                        ).await?;
                                    }
                                    MeResponse::Ack(confirm) => {
                                        trace!(conn_id, confirm, "ME->C quickack (batched)");
                                        write_client_ack(&mut writer, proto_tag, confirm).await?;
                                    }
                                    MeResponse::Close => {
                                        debug!(conn_id, "ME sent close (batched)");
                                        let _ = writer.flush().await;
                                        return Ok(());
                                    }
                                }
                            }
                            writer.flush().await.map_err(ProxyError::Io)?;
                        }
                        Some(MeResponse::Ack(confirm)) => {
                            trace!(conn_id, confirm, "ME->C quickack");
                            write_client_ack(&mut writer, proto_tag, confirm).await?;
                        }
                        Some(MeResponse::Close) => {
                            debug!(conn_id, "ME sent close");
                            let _ = writer.flush().await;
                            return Ok(());
                        }
                        None => {
                            debug!(conn_id, "ME channel closed");
                            return Err(ProxyError::Proxy("ME connection lost".into()));
                        }
                    }
                }
                _ = &mut stop_rx => {
                    debug!(conn_id, "ME writer stop signal");
                    return Ok(());
                }
            }
        }
    });
    let mut main_result: Result<()> = Ok(());
    let mut client_closed = false;
    let mut frame_counter: u64 = 0;
    loop {
        match read_client_payload(
            &mut crypto_reader,
            proto_tag,
            frame_limit,
            &user,
            &mut frame_counter,
            &stats,
        ).await {
            Ok(Some((payload, quickack))) => {
                trace!(conn_id, bytes = payload.len(), "C->ME frame");
                stats.add_user_octets_from(&user, payload.len() as u64);
                let mut flags = proto_flags;
                if quickack {
                    flags |= RPC_FLAG_QUICKACK;
                }
                if payload.len() >= 8 && payload[..8].iter().all(|b| *b == 0) {
                    flags |= RPC_FLAG_NOT_ENCRYPTED;
                }
                // Keep client read loop lightweight: route heavy ME send path via a dedicated task.
                if c2me_tx
                    .send(C2MeCommand::Data { payload, flags })
                    .await
                    .is_err()
                {
                    main_result = Err(ProxyError::Proxy("ME sender channel closed".into()));
                    break;
                }
            }
            Ok(None) => {
                debug!(conn_id, "Client EOF");
                client_closed = true;
                let _ = c2me_tx.send(C2MeCommand::Close).await;
                break;
            }
            Err(e) => {
                main_result = Err(e);
                break;
            }
        }
    }
    drop(c2me_tx);
    let c2me_result = c2me_sender
        .await
        .unwrap_or_else(|e| Err(ProxyError::Proxy(format!("ME sender join error: {e}"))));
    let _ = stop_tx.send(());
    let mut writer_result = me_writer
        .await
        .unwrap_or_else(|e| Err(ProxyError::Proxy(format!("ME writer join error: {e}"))));
    // When client closes, but ME channel stopped as unregistered - it isnt error
    if client_closed {
        if matches!(
            writer_result,
            Err(ProxyError::Proxy(ref msg)) if msg == "ME connection lost"
        ) {
            writer_result = Ok(());
        }
    }
    let result = match (main_result, c2me_result, writer_result) {
        (Ok(()), Ok(()), Ok(())) => Ok(()),
        (Err(e), _, _) => Err(e),
        (_, Err(e), _) => Err(e),
        (_, _, Err(e)) => Err(e),
    };
    debug!(user = %user, conn_id, "ME relay cleanup");
@@ -120,66 +246,125 @@ where
 async fn read_client_payload<R>(
    client_reader: &mut CryptoReader<R>,
    proto_tag: ProtoTag,
    max_frame: usize,
    user: &str,
    frame_counter: &mut u64,
    stats: &Stats,
 ) -> Result<Option<(Vec<u8>, bool)>>
 where
    R: AsyncRead + Unpin + Send + 'static,
 {
-    let (len, quickack) = match proto_tag {
+    loop {
-        ProtoTag::Abridged => {
+        let (len, quickack, raw_len_bytes) = match proto_tag {
-            let mut first = [0u8; 1];
+            ProtoTag::Abridged => {
-            match client_reader.read_exact(&mut first).await {
+                let mut first = [0u8; 1];
-                Ok(_) => {}
+                match client_reader.read_exact(&mut first).await {
-                Err(e) if e.kind() == std::io::ErrorKind::UnexpectedEof => return Ok(None),
+                    Ok(_) => {}
-                Err(e) => return Err(ProxyError::Io(e)),
+                    Err(e) if e.kind() == std::io::ErrorKind::UnexpectedEof => return Ok(None),
                    Err(e) => return Err(ProxyError::Io(e)),
                }
                let quickack = (first[0] & 0x80) != 0;
                let len_words = if (first[0] & 0x7f) == 0x7f {
                    let mut ext = [0u8; 3];
                    client_reader
                        .read_exact(&mut ext)
                        .await
                        .map_err(ProxyError::Io)?;
                    u32::from_le_bytes([ext[0], ext[1], ext[2], 0]) as usize
                } else {
                    (first[0] & 0x7f) as usize
                };
                let len = len_words
                    .checked_mul(4)
                    .ok_or_else(|| ProxyError::Proxy("Abridged frame length overflow".into()))?;
                (len, quickack, None)
            }
-
+            ProtoTag::Intermediate | ProtoTag::Secure => {
-            let quickack = (first[0] & 0x80) != 0;
+                let mut len_buf = [0u8; 4];
-            let len_words = if (first[0] & 0x7f) == 0x7f {
+                match client_reader.read_exact(&mut len_buf).await {
-                let mut ext = [0u8; 3];
+                    Ok(_) => {}
-                client_reader
+                    Err(e) if e.kind() == std::io::ErrorKind::UnexpectedEof => return Ok(None),
-                    .read_exact(&mut ext)
+                    Err(e) => return Err(ProxyError::Io(e)),
-                    .await
+                }
-                    .map_err(ProxyError::Io)?;
+                let quickack = (len_buf[3] & 0x80) != 0;
-                u32::from_le_bytes([ext[0], ext[1], ext[2], 0]) as usize
+                (
-            } else {
+                    (u32::from_le_bytes(len_buf) & 0x7fff_ffff) as usize,
-                (first[0] & 0x7f) as usize
+                    quickack,
-            };
+                    Some(len_buf),
-
+                )
            let len = len_words
                .checked_mul(4)
                .ok_or_else(|| ProxyError::Proxy("Abridged frame length overflow".into()))?;
            (len, quickack)
        }
        ProtoTag::Intermediate | ProtoTag::Secure => {
            let mut len_buf = [0u8; 4];
            match client_reader.read_exact(&mut len_buf).await {
                Ok(_) => {}
                Err(e) if e.kind() == std::io::ErrorKind::UnexpectedEof => return Ok(None),
                Err(e) => return Err(ProxyError::Io(e)),
            }
-            let quickack = (len_buf[3] & 0x80) != 0;
+        };
-            ((u32::from_le_bytes(len_buf) & 0x7fff_ffff) as usize, quickack)
+
        if len == 0 {
            continue;
        }
-    };
+        if len < 4 && proto_tag != ProtoTag::Abridged {
-
+            warn!(
-    if len > 16 * 1024 * 1024 {
+                user = %user,
-        return Err(ProxyError::Proxy(format!("Frame too large: {len}")));
+                len,
-    }
+                proto = ?proto_tag,
-
+                "Frame too small — corrupt or probe"
-    let mut payload = vec![0u8; len];
+            );
-    client_reader
+            return Err(ProxyError::Proxy(format!("Frame too small: {len}")));
        .read_exact(&mut payload)
        .await
        .map_err(ProxyError::Io)?;
    // Secure Intermediate: remove random padding (last len%4 bytes)
    if proto_tag == ProtoTag::Secure {
        let rem = len % 4;
        if rem != 0 && payload.len() >= rem {
            payload.truncate(len - rem);
        }
        if len > max_frame {
            let len_buf = raw_len_bytes.unwrap_or((len as u32).to_le_bytes());
            let looks_like_tls = raw_len_bytes
                .map(|b| b[0] == 0x16 && b[1] == 0x03)
                .unwrap_or(false);
            let looks_like_http = raw_len_bytes
                .map(|b| matches!(b[0], b'G' | b'P' | b'H' | b'C' | b'D'))
                .unwrap_or(false);
            warn!(
                user = %user,
                raw_len = len,
                raw_len_hex = format_args!("0x{:08x}", len),
                raw_bytes = format_args!(
                    "{:02x} {:02x} {:02x} {:02x}",
                    len_buf[0], len_buf[1], len_buf[2], len_buf[3]
                ),
                proto = ?proto_tag,
                tls_like = looks_like_tls,
                http_like = looks_like_http,
                frames_ok = *frame_counter,
                "Frame too large — crypto desync forensics"
            );
            return Err(ProxyError::Proxy(format!(
                "Frame too large: {len} (max {max_frame}), frames_ok={}",
                *frame_counter
            )));
        }
        let secure_payload_len = if proto_tag == ProtoTag::Secure {
            match secure_payload_len_from_wire_len(len) {
                Some(payload_len) => payload_len,
                None => {
                    stats.increment_secure_padding_invalid();
                    return Err(ProxyError::Proxy(format!(
                        "Invalid secure frame length: {len}"
                    )));
                }
            }
        } else {
            len
        };
        let mut payload = vec![0u8; len];
        client_reader
            .read_exact(&mut payload)
            .await
            .map_err(ProxyError::Io)?;
        // Secure Intermediate: strip validated trailing padding bytes.
        if proto_tag == ProtoTag::Secure {
            payload.truncate(secure_payload_len);
        }
        *frame_counter += 1;
        return Ok(Some((payload, quickack)));
    }
    Ok(Some((payload, quickack)))
 }
 async fn write_client_payload<W>(
@@ -188,6 +373,7 @@ async fn write_client_payload<W>(
    flags: u32,
    data: &[u8],
    rng: &SecureRandom,
    frame_buf: &mut Vec<u8>,
 ) -> Result<()>
 where
    W: AsyncWrite + Unpin + Send + 'static,
@@ -209,8 +395,12 @@ where
                if quickack {
                    first |= 0x80;
                }
                frame_buf.clear();
                frame_buf.reserve(1 + data.len());
                frame_buf.push(first);
                frame_buf.extend_from_slice(data);
                client_writer
-                    .write_all(&[first])
+                    .write_all(&frame_buf)
                    .await
                    .map_err(ProxyError::Io)?;
            } else if len_words < (1 << 24) {
@@ -219,8 +409,12 @@ where
                    first |= 0x80;
                }
                let lw = (len_words as u32).to_le_bytes();
                frame_buf.clear();
                frame_buf.reserve(4 + data.len());
                frame_buf.extend_from_slice(&[first, lw[0], lw[1], lw[2]]);
                frame_buf.extend_from_slice(data);
                client_writer
-                    .write_all(&[first, lw[0], lw[1], lw[2]])
+                    .write_all(&frame_buf)
                    .await
                    .map_err(ProxyError::Io)?;
            } else {
@@ -229,47 +423,40 @@ where
                    data.len()
                )));
            }
            client_writer
                .write_all(data)
                .await
                .map_err(ProxyError::Io)?;
        }
        ProtoTag::Intermediate | ProtoTag::Secure => {
            let padding_len = if proto_tag == ProtoTag::Secure {
-                (rng.bytes(1)[0] % 4) as usize
+                if !is_valid_secure_payload_len(data.len()) {
                    return Err(ProxyError::Proxy(format!(
                        "Secure payload must be 4-byte aligned, got {}",
                        data.len()
                    )));
                }
                secure_padding_len(data.len(), rng)
            } else {
                0
            };
-            let mut len = (data.len() + padding_len) as u32;
+            let mut len_val = (data.len() + padding_len) as u32;
            if quickack {
-                len |= 0x8000_0000;
+                len_val |= 0x8000_0000;
            }
-            client_writer
+            let total = 4 + data.len() + padding_len;
-                .write_all(&len.to_le_bytes())
+            frame_buf.clear();
-                .await
+            frame_buf.reserve(total);
-                .map_err(ProxyError::Io)?;
+            frame_buf.extend_from_slice(&len_val.to_le_bytes());
-            client_writer
+            frame_buf.extend_from_slice(data);
                .write_all(data)
                .await
                .map_err(ProxyError::Io)?;
            if padding_len > 0 {
-                let pad = rng.bytes(padding_len);
+                let start = frame_buf.len();
-                client_writer
+                frame_buf.resize(start + padding_len, 0);
-                    .write_all(&pad)
+                rng.fill(&mut frame_buf[start..]);
                    .await
                    .map_err(ProxyError::Io)?;
            }
            client_writer
                .write_all(&frame_buf)
                .await
                .map_err(ProxyError::Io)?;
        }
    }
    // Avoid unconditional per-frame flush (throughput killer on large downloads).
    // Flush only when low-latency ack semantics are requested or when
    // CryptoWriter has buffered pending ciphertext that must be drained.
    if quickack || client_writer.has_pending() {
        client_writer.flush().await.map_err(ProxyError::Io)?;
    }
    Ok(())
 }
--- a/src/stats/mod.rs
+++ b/src/stats/mod.rs
@@ -21,8 +21,16 @@ pub struct Stats {
    handshake_timeouts: AtomicU64,
    me_keepalive_sent: AtomicU64,
    me_keepalive_failed: AtomicU64,
    me_keepalive_pong: AtomicU64,
    me_keepalive_timeout: AtomicU64,
    me_reconnect_attempts: AtomicU64,
    me_reconnect_success: AtomicU64,
    me_crc_mismatch: AtomicU64,
    me_seq_mismatch: AtomicU64,
    me_route_drop_no_conn: AtomicU64,
    me_route_drop_channel_closed: AtomicU64,
    me_route_drop_queue_full: AtomicU64,
    secure_padding_invalid: AtomicU64,
    user_stats: DashMap<String, UserStats>,
    start_time: parking_lot::RwLock<Option<Instant>>,
 }
@@ -49,14 +57,45 @@ impl Stats {
    pub fn increment_handshake_timeouts(&self) { self.handshake_timeouts.fetch_add(1, Ordering::Relaxed); }
    pub fn increment_me_keepalive_sent(&self) { self.me_keepalive_sent.fetch_add(1, Ordering::Relaxed); }
    pub fn increment_me_keepalive_failed(&self) { self.me_keepalive_failed.fetch_add(1, Ordering::Relaxed); }
    pub fn increment_me_keepalive_pong(&self) { self.me_keepalive_pong.fetch_add(1, Ordering::Relaxed); }
    pub fn increment_me_keepalive_timeout(&self) { self.me_keepalive_timeout.fetch_add(1, Ordering::Relaxed); }
    pub fn increment_me_keepalive_timeout_by(&self, value: u64) {
        self.me_keepalive_timeout.fetch_add(value, Ordering::Relaxed);
    }
    pub fn increment_me_reconnect_attempt(&self) { self.me_reconnect_attempts.fetch_add(1, Ordering::Relaxed); }
    pub fn increment_me_reconnect_success(&self) { self.me_reconnect_success.fetch_add(1, Ordering::Relaxed); }
    pub fn increment_me_crc_mismatch(&self) { self.me_crc_mismatch.fetch_add(1, Ordering::Relaxed); }
    pub fn increment_me_seq_mismatch(&self) { self.me_seq_mismatch.fetch_add(1, Ordering::Relaxed); }
    pub fn increment_me_route_drop_no_conn(&self) { self.me_route_drop_no_conn.fetch_add(1, Ordering::Relaxed); }
    pub fn increment_me_route_drop_channel_closed(&self) {
        self.me_route_drop_channel_closed.fetch_add(1, Ordering::Relaxed);
    }
    pub fn increment_me_route_drop_queue_full(&self) {
        self.me_route_drop_queue_full.fetch_add(1, Ordering::Relaxed);
    }
    pub fn increment_secure_padding_invalid(&self) {
        self.secure_padding_invalid.fetch_add(1, Ordering::Relaxed);
    }
    pub fn get_connects_all(&self) -> u64 { self.connects_all.load(Ordering::Relaxed) }
    pub fn get_connects_bad(&self) -> u64 { self.connects_bad.load(Ordering::Relaxed) }
    pub fn get_me_keepalive_sent(&self) -> u64 { self.me_keepalive_sent.load(Ordering::Relaxed) }
    pub fn get_me_keepalive_failed(&self) -> u64 { self.me_keepalive_failed.load(Ordering::Relaxed) }
    pub fn get_me_keepalive_pong(&self) -> u64 { self.me_keepalive_pong.load(Ordering::Relaxed) }
    pub fn get_me_keepalive_timeout(&self) -> u64 { self.me_keepalive_timeout.load(Ordering::Relaxed) }
    pub fn get_me_reconnect_attempts(&self) -> u64 { self.me_reconnect_attempts.load(Ordering::Relaxed) }
    pub fn get_me_reconnect_success(&self) -> u64 { self.me_reconnect_success.load(Ordering::Relaxed) }
    pub fn get_me_crc_mismatch(&self) -> u64 { self.me_crc_mismatch.load(Ordering::Relaxed) }
    pub fn get_me_seq_mismatch(&self) -> u64 { self.me_seq_mismatch.load(Ordering::Relaxed) }
    pub fn get_me_route_drop_no_conn(&self) -> u64 { self.me_route_drop_no_conn.load(Ordering::Relaxed) }
    pub fn get_me_route_drop_channel_closed(&self) -> u64 {
        self.me_route_drop_channel_closed.load(Ordering::Relaxed)
    }
    pub fn get_me_route_drop_queue_full(&self) -> u64 {
        self.me_route_drop_queue_full.load(Ordering::Relaxed)
    }
    pub fn get_secure_padding_invalid(&self) -> u64 {
        self.secure_padding_invalid.load(Ordering::Relaxed)
    }
    pub fn increment_user_connects(&self, user: &str) {
        self.user_stats.entry(user.to_string()).or_default()
@@ -70,7 +109,22 @@ impl Stats {
    pub fn decrement_user_curr_connects(&self, user: &str) {
        if let Some(stats) = self.user_stats.get(user) {
-            stats.curr_connects.fetch_sub(1, Ordering::Relaxed);
+            let counter = &stats.curr_connects;
            let mut current = counter.load(Ordering::Relaxed);
            loop {
                if current == 0 {
                    break;
                }
                match counter.compare_exchange_weak(
                    current,
                    current - 1,
                    Ordering::Relaxed,
                    Ordering::Relaxed,
                ) {
                    Ok(_) => break,
                    Err(actual) => current = actual,
                }
            }
        }
    }
--- a/src/stream/crypto_stream.rs
+++ b/src/stream/crypto_stream.rs
@@ -34,7 +34,7 @@
 //! └────────────────────────────────────────┘
 //!
 //! Backpressure
-//! - pending ciphertext buffer is bounded (MAX_PENDING_WRITE)
+//! - pending ciphertext buffer is bounded (configurable per connection)
 //! - pending is full and upstream is pending 
 //!   -> poll_write returns Poll::Pending
 //!   -> do not accept any plaintext
@@ -62,10 +62,9 @@ use super::state::{StreamState, YieldBuffer};
 // ============= Constants =============
-/// Maximum size for pending ciphertext buffer (bounded backpressure).
+/// Default size for pending ciphertext buffer (bounded backpressure).
-/// Reduced to 64KB to prevent bufferbloat on mobile networks.
+/// Actual limit is supplied at runtime from configuration.
-/// 512KB was causing high latency on 3G/LTE connections.
+const DEFAULT_MAX_PENDING_WRITE: usize = 64 * 1024;
 const MAX_PENDING_WRITE: usize = 64 * 1024;
 /// Default read buffer capacity (reader mostly decrypts in-place into caller buffer).
 const DEFAULT_READ_CAPACITY: usize = 16 * 1024;
@@ -427,15 +426,22 @@ pub struct CryptoWriter<W> {
    encryptor: AesCtr,
    state: CryptoWriterState,
    scratch: BytesMut,
    max_pending_write: usize,
 }
 impl<W> CryptoWriter<W> {
-    pub fn new(upstream: W, encryptor: AesCtr) -> Self {
+    pub fn new(upstream: W, encryptor: AesCtr, max_pending_write: usize) -> Self {
        let max_pending = if max_pending_write == 0 {
            DEFAULT_MAX_PENDING_WRITE
        } else {
            max_pending_write
        };
        Self {
            upstream,
            encryptor,
            state: CryptoWriterState::Idle,
            scratch: BytesMut::with_capacity(16 * 1024),
            max_pending_write: max_pending.max(4 * 1024),
        }
    }
@@ -484,10 +490,10 @@ impl<W> CryptoWriter<W> {
    }
    /// Ensure we are in Flushing state and return mutable pending buffer.
-    fn ensure_pending<'a>(state: &'a mut CryptoWriterState) -> &'a mut PendingCiphertext {
+    fn ensure_pending<'a>(state: &'a mut CryptoWriterState, max_pending: usize) -> &'a mut PendingCiphertext {
        if matches!(state, CryptoWriterState::Idle) {
            *state = CryptoWriterState::Flushing {
-                pending: PendingCiphertext::new(MAX_PENDING_WRITE),
+                pending: PendingCiphertext::new(max_pending),
            };
        }
@@ -498,14 +504,14 @@ impl<W> CryptoWriter<W> {
    }
    /// Select how many plaintext bytes can be accepted in buffering path
-    fn select_to_accept_for_buffering(state: &CryptoWriterState, buf_len: usize) -> usize {
+    fn select_to_accept_for_buffering(state: &CryptoWriterState, buf_len: usize, max_pending: usize) -> usize {
        if buf_len == 0 {
            return 0;
        }
        match state {
            CryptoWriterState::Flushing { pending } => buf_len.min(pending.remaining_capacity()),
-            CryptoWriterState::Idle => buf_len.min(MAX_PENDING_WRITE),
+            CryptoWriterState::Idle => buf_len.min(max_pending),
            CryptoWriterState::Poisoned { .. } => 0,
        }
    }
@@ -603,7 +609,7 @@ impl<W: AsyncWrite + Unpin> AsyncWrite for CryptoWriter<W> {
                Poll::Pending => {
                    // Upstream blocked. Apply ideal backpressure
                    let to_accept =
-                        Self::select_to_accept_for_buffering(&this.state, buf.len());
+                        Self::select_to_accept_for_buffering(&this.state, buf.len(), this.max_pending_write);
                    if to_accept == 0 {
                        trace!(
@@ -618,7 +624,7 @@ impl<W: AsyncWrite + Unpin> AsyncWrite for CryptoWriter<W> {
                    // Disjoint borrows
                    let encryptor = &mut this.encryptor;
-                    let pending = Self::ensure_pending(&mut this.state);
+                    let pending = Self::ensure_pending(&mut this.state, this.max_pending_write);
                    if let Err(e) = pending.push_encrypted(encryptor, plaintext) {
                        if e.kind() == ErrorKind::WouldBlock {
@@ -635,7 +641,7 @@ impl<W: AsyncWrite + Unpin> AsyncWrite for CryptoWriter<W> {
        // 2) Fast path: pending empty -> write-through
        debug_assert!(matches!(this.state, CryptoWriterState::Idle));
-        let to_accept = buf.len().min(MAX_PENDING_WRITE);
+        let to_accept = buf.len().min(this.max_pending_write);
        let plaintext = &buf[..to_accept];
        Self::encrypt_into_scratch(&mut this.encryptor, &mut this.scratch, plaintext);
@@ -645,7 +651,7 @@ impl<W: AsyncWrite + Unpin> AsyncWrite for CryptoWriter<W> {
                // Upstream blocked: buffer FULL ciphertext for accepted bytes.
                let ciphertext = std::mem::take(&mut this.scratch);
-                let pending = Self::ensure_pending(&mut this.state);
+                let pending = Self::ensure_pending(&mut this.state, this.max_pending_write);
                pending.replace_with(ciphertext);
                Poll::Ready(Ok(to_accept))
@@ -672,7 +678,7 @@ impl<W: AsyncWrite + Unpin> AsyncWrite for CryptoWriter<W> {
                let remainder = this.scratch.split_off(n);
                this.scratch.clear();
-                let pending = Self::ensure_pending(&mut this.state);
+                let pending = Self::ensure_pending(&mut this.state, this.max_pending_write);
                pending.replace_with(remainder);
                Poll::Ready(Ok(to_accept))
@@ -767,4 +773,4 @@ impl<S: AsyncWrite + Unpin> AsyncWrite for PassthroughStream<S> {
    fn poll_shutdown(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<()>> {
        Pin::new(&mut self.inner).poll_shutdown(cx)
    }
-}
+}
--- a/src/stream/frame_codec.rs
+++ b/src/stream/frame_codec.rs
@@ -8,7 +8,9 @@ use std::io::{self, Error, ErrorKind};
 use std::sync::Arc;
 use tokio_util::codec::{Decoder, Encoder};
-use crate::protocol::constants::ProtoTag;
+use crate::protocol::constants::{
    ProtoTag, is_valid_secure_payload_len, secure_padding_len, secure_payload_len_from_wire_len,
 };
 use crate::crypto::SecureRandom;
 use super::frame::{Frame, FrameMeta, FrameCodec as FrameCodecTrait};
@@ -274,13 +276,13 @@ fn decode_secure(src: &mut BytesMut, max_size: usize) -> io::Result<Option<Frame
        return Ok(None);
    }
-    // Calculate padding (indicated by length not divisible by 4)
+    let data_len = secure_payload_len_from_wire_len(len).ok_or_else(|| {
-    let padding_len = len % 4;
+        Error::new(
-    let data_len = if padding_len != 0 {
+            ErrorKind::InvalidData,
-        len - padding_len
+            format!("invalid secure frame length: {len}"),
-    } else {
+        )
-        len
+    })?;
-    };
+    let padding_len = len - data_len;
    meta.padding_len = padding_len as u8;
@@ -303,14 +305,15 @@ fn encode_secure(frame: &Frame, dst: &mut BytesMut, rng: &SecureRandom) -> io::R
        return Ok(());
    }
-    // Generate padding to make length not divisible by 4
+    if !is_valid_secure_payload_len(data.len()) {
-    let padding_len = if data.len() % 4 == 0 {
+        return Err(Error::new(
-        // Add 1-3 bytes to make it non-aligned
+            ErrorKind::InvalidData,
-        (rng.range(3) + 1) as usize
+            format!("secure payload must be 4-byte aligned, got {}", data.len()),
-    } else {
+        ));
-        // Already non-aligned, can add 0-3
+    }
-        rng.range(4) as usize
+
-    };
+    // Generate padding that keeps total length non-divisible by 4.
    let padding_len = secure_padding_len(data.len(), rng);
    let total_len = data.len() + padding_len;
    dst.reserve(4 + total_len);
@@ -625,4 +628,4 @@ mod tests {
        let result = codec.decode(&mut buf);
        assert!(result.is_err());
    }
-}
+}
--- a/src/stream/frame_stream.rs
+++ b/src/stream/frame_stream.rs
@@ -232,11 +232,13 @@ impl<R: AsyncRead + Unpin> SecureIntermediateFrameReader<R> {
        let mut data = vec![0u8; len];
        self.upstream.read_exact(&mut data).await?;
-        // Strip padding (not aligned to 4)
+        let payload_len = secure_payload_len_from_wire_len(len).ok_or_else(|| {
-        if len % 4 != 0 {
+            Error::new(
-            let actual_len = len - (len % 4);
+                ErrorKind::InvalidData,
-            data.truncate(actual_len);
+                format!("Invalid secure frame length: {len}"),
-        }
+            )
        })?;
        data.truncate(payload_len);
        Ok((Bytes::from(data), meta))
    }
@@ -267,8 +269,15 @@ impl<W: AsyncWrite + Unpin> SecureIntermediateFrameWriter<W> {
            return Ok(());
        }
-        // Add random padding (0-3 bytes)
+        if !is_valid_secure_payload_len(data.len()) {
-        let padding_len = self.rng.range(4);
+            return Err(Error::new(
                ErrorKind::InvalidData,
                format!("Secure payload must be 4-byte aligned, got {}", data.len()),
            ));
        }
        // Add padding so total length is never divisible by 4 (MTProto Secure)
        let padding_len = secure_padding_len(data.len(), &self.rng);
        let padding = self.rng.bytes(padding_len);
        let total_len = data.len() + padding_len;
@@ -550,9 +559,7 @@ mod tests {
        writer.flush().await.unwrap();
        let (received, _meta) = reader.read_frame().await.unwrap();
-        // Received should have padding stripped to align to 4
+        assert_eq!(received.len(), data.len());
        let expected_len = (data.len() / 4) * 4;
        assert_eq!(received.len(), expected_len);
    }
    #[tokio::test]
@@ -585,4 +592,4 @@ mod tests {
        let (received, _) = reader.read_frame().await.unwrap();
        assert_eq!(&received[..], &data[..]);
    }
-}
+}
--- a/src/stream/mod.rs
+++ b/src/stream/mod.rs
@@ -40,4 +40,4 @@ pub use frame_stream::{
    SecureIntermediateFrameReader, SecureIntermediateFrameWriter,
    MtprotoFrameReader, MtprotoFrameWriter,
    FrameReaderKind, FrameWriterKind,
-};
+};
--- a/src/stream/tls_stream.rs
+++ b/src/stream/tls_stream.rs
@@ -25,7 +25,8 @@
 //! - However, the on-the-wire record length can exceed 16384 because TLS 1.3
 //!   uses AEAD and can include tag/overhead/padding.
 //! - Telegram FakeTLS clients (notably iOS) may send Application Data records
-//!   with length up to 16384 + 24 bytes. We accept that as MAX_TLS_CHUNK_SIZE.
+//!   with length up to 16384 + 256 bytes (RFC 8446 §5.2). We accept that as
 //!   MAX_TLS_CHUNK_SIZE.
 //!
 //! If you reject those (e.g. validate length <= 16384), you will see errors like:
 //!   "TLS record too large: 16408 bytes"
@@ -52,9 +53,8 @@ use super::state::{StreamState, HeaderBuffer, YieldBuffer, WriteBuffer};
 const TLS_HEADER_SIZE: usize = 5;
 /// Maximum TLS fragment size we emit for Application Data.
-/// Real TLS 1.3 ciphertexts often add ~16-24 bytes AEAD overhead, so to mimic
+/// Real TLS 1.3 allows up to 16384 + 256 bytes of ciphertext (incl. tag).
-/// on-the-wire record sizes we allow up to 16384 + 24 bytes of plaintext.
+const MAX_TLS_PAYLOAD: usize = 16384 + 256;
 const MAX_TLS_PAYLOAD: usize = 16384 + 24;
 /// Maximum pending write buffer for one record remainder.
 /// Note: we never queue unlimited amount of data here; state holds at most one record.
@@ -91,7 +91,7 @@ impl TlsRecordHeader {
    /// - We accept TLS 1.0 header version for ClientHello-like records (0x03 0x01),
    ///   and TLS 1.2/1.3 style version bytes for the rest (we use TLS_VERSION = 0x03 0x03).
    /// - For Application Data, Telegram FakeTLS may send payload length up to
-    ///   MAX_TLS_CHUNK_SIZE (16384 + 24).
+    ///   MAX_TLS_CHUNK_SIZE (16384 + 256).
    /// - For other record types we keep stricter bounds to avoid memory abuse.
    fn validate(&self) -> Result<()> {
        // Version: accept TLS 1.0 header (ClientHello quirk) and TLS_VERSION (0x0303).
@@ -105,7 +105,7 @@ impl TlsRecordHeader {
        let len = self.length as usize;
        // Length checks depend on record type.
-        // Telegram FakeTLS: ApplicationData length may be 16384 + 24.
+        // Telegram FakeTLS: ApplicationData length may be 16384 + 256.
        match self.record_type {
            TLS_RECORD_APPLICATION => {
                if len > MAX_TLS_CHUNK_SIZE {
@@ -755,9 +755,6 @@ impl<W: AsyncWrite + Unpin> AsyncWrite for FakeTlsWriter<W> {
                    payload_size: chunk_size,
                };
                // Wake to retry flushing soon.
                cx.waker().wake_by_ref();
                Poll::Ready(Ok(chunk_size))
            }
        }
--- a/src/tls_front/cache.rs
+++ b/src/tls_front/cache.rs
@@ -0,0 +1,254 @@
 use std::collections::HashMap;
 use std::net::IpAddr;
 use std::path::{Path, PathBuf};
 use std::sync::Arc;
 use std::time::{Duration, Instant, SystemTime};
 use tokio::sync::RwLock;
 use tokio::time::sleep;
 use tracing::{debug, warn, info};
 use crate::tls_front::types::{CachedTlsData, ParsedServerHello, TlsFetchResult};
 /// Lightweight in-memory + optional on-disk cache for TLS fronting data.
 #[derive(Debug)]
 pub struct TlsFrontCache {
    memory: RwLock<HashMap<String, Arc<CachedTlsData>>>,
    default: Arc<CachedTlsData>,
    full_cert_sent: RwLock<HashMap<IpAddr, Instant>>,
    disk_path: PathBuf,
 }
 impl TlsFrontCache {
    pub fn new(domains: &[String], default_len: usize, disk_path: impl AsRef<Path>) -> Self {
        let default_template = ParsedServerHello {
            version: [0x03, 0x03],
            random: [0u8; 32],
            session_id: Vec::new(),
            cipher_suite: [0x13, 0x01],
            compression: 0,
            extensions: Vec::new(),
        };
        let default = Arc::new(CachedTlsData {
            server_hello_template: default_template,
            cert_info: None,
            cert_payload: None,
            app_data_records_sizes: vec![default_len],
            total_app_data_len: default_len,
            fetched_at: SystemTime::now(),
            domain: "default".to_string(),
        });
        let mut map = HashMap::new();
        for d in domains {
            map.insert(d.clone(), default.clone());
        }
        Self {
            memory: RwLock::new(map),
            default,
            full_cert_sent: RwLock::new(HashMap::new()),
            disk_path: disk_path.as_ref().to_path_buf(),
        }
    }
    pub async fn get(&self, sni: &str) -> Arc<CachedTlsData> {
        let guard = self.memory.read().await;
        guard.get(sni).cloned().unwrap_or_else(|| self.default.clone())
    }
    pub async fn contains_domain(&self, domain: &str) -> bool {
        self.memory.read().await.contains_key(domain)
    }
    /// Returns true when full cert payload should be sent for client_ip
    /// according to TTL policy.
    pub async fn take_full_cert_budget_for_ip(
        &self,
        client_ip: IpAddr,
        ttl: Duration,
    ) -> bool {
        if ttl.is_zero() {
            self.full_cert_sent
                .write()
                .await
                .insert(client_ip, Instant::now());
            return true;
        }
        let now = Instant::now();
        let mut guard = self.full_cert_sent.write().await;
        guard.retain(|_, seen_at| now.duration_since(*seen_at) < ttl);
        match guard.get_mut(&client_ip) {
            Some(seen_at) => {
                if now.duration_since(*seen_at) >= ttl {
                    *seen_at = now;
                    true
                } else {
                    false
                }
            }
            None => {
                guard.insert(client_ip, now);
                true
            }
        }
    }
    pub async fn set(&self, domain: &str, data: CachedTlsData) {
        let mut guard = self.memory.write().await;
        guard.insert(domain.to_string(), Arc::new(data));
    }
    pub async fn load_from_disk(&self) {
        let path = self.disk_path.clone();
        if tokio::fs::create_dir_all(&path).await.is_err() {
            return;
        }
        let mut loaded = 0usize;
        if let Ok(mut dir) = tokio::fs::read_dir(&path).await {
            while let Ok(Some(entry)) = dir.next_entry().await {
                if let Ok(name) = entry.file_name().into_string() {
                    if !name.ends_with(".json") {
                        continue;
                    }
                    if let Ok(data) = tokio::fs::read(entry.path()).await {
                        if let Ok(mut cached) = serde_json::from_slice::<CachedTlsData>(&data) {
                            if cached.domain.is_empty()
                                || cached.domain.len() > 255
                                || !cached.domain.chars().all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '-')
                            {
                                warn!(file = %name, "Skipping TLS cache entry with invalid domain");
                                continue;
                            }
                            // fetched_at is skipped during deserialization; approximate with file mtime if available.
                            if let Ok(meta) = entry.metadata().await {
                                if let Ok(modified) = meta.modified() {
                                    cached.fetched_at = modified;
                                }
                            }
                            // Drop entries older than 72h
                            if let Ok(age) = cached.fetched_at.elapsed() {
                                if age > Duration::from_secs(72 * 3600) {
                                    warn!(domain = %cached.domain, "Skipping stale TLS cache entry (>72h)");
                                    continue;
                                }
                            }
                            let domain = cached.domain.clone();
                            self.set(&domain, cached).await;
                            loaded += 1;
                        }
                    }
                }
            }
        }
        if loaded > 0 {
            info!(count = loaded, "Loaded TLS cache entries from disk");
        }
    }
    async fn persist(&self, domain: &str, data: &CachedTlsData) {
        if tokio::fs::create_dir_all(&self.disk_path).await.is_err() {
            return;
        }
        let fname = format!("{}.json", domain.replace(['/', '\\'], "_"));
        let path = self.disk_path.join(fname);
        if let Ok(json) = serde_json::to_vec_pretty(data) {
            // best-effort write
            let _ = tokio::fs::write(path, json).await;
        }
    }
    /// Spawn background updater that periodically refreshes cached domains using provided fetcher.
    pub fn spawn_updater<F>(
        self: Arc<Self>,
        domains: Vec<String>,
        interval: Duration,
        fetcher: F,
    ) where
        F: Fn(String) -> tokio::task::JoinHandle<()> + Send + Sync + 'static,
    {
        tokio::spawn(async move {
            loop {
                for domain in &domains {
                    fetcher(domain.clone()).await;
                }
                sleep(interval).await;
            }
        });
    }
    /// Replace cached entry from a fetch result.
    pub async fn update_from_fetch(&self, domain: &str, fetched: TlsFetchResult) {
        let data = CachedTlsData {
            server_hello_template: fetched.server_hello_parsed,
            cert_info: fetched.cert_info,
            cert_payload: fetched.cert_payload,
            app_data_records_sizes: fetched.app_data_records_sizes.clone(),
            total_app_data_len: fetched.total_app_data_len,
            fetched_at: SystemTime::now(),
            domain: domain.to_string(),
        };
        self.set(domain, data.clone()).await;
        self.persist(domain, &data).await;
        debug!(domain = %domain, len = fetched.total_app_data_len, "TLS cache updated");
    }
    pub fn default_entry(&self) -> Arc<CachedTlsData> {
        self.default.clone()
    }
    pub fn disk_path(&self) -> &Path {
        &self.disk_path
    }
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    #[tokio::test]
    async fn test_take_full_cert_budget_for_ip_uses_ttl() {
        let cache = TlsFrontCache::new(
            &["example.com".to_string()],
            1024,
            "tlsfront-test-cache",
        );
        let ip: IpAddr = "127.0.0.1".parse().expect("ip");
        let ttl = Duration::from_millis(80);
        assert!(cache
            .take_full_cert_budget_for_ip(ip, ttl)
            .await);
        assert!(!cache
            .take_full_cert_budget_for_ip(ip, ttl)
            .await);
        tokio::time::sleep(Duration::from_millis(90)).await;
        assert!(cache
            .take_full_cert_budget_for_ip(ip, ttl)
            .await);
    }
    #[tokio::test]
    async fn test_take_full_cert_budget_for_ip_zero_ttl_always_allows_full_payload() {
        let cache = TlsFrontCache::new(
            &["example.com".to_string()],
            1024,
            "tlsfront-test-cache",
        );
        let ip: IpAddr = "127.0.0.1".parse().expect("ip");
        let ttl = Duration::ZERO;
        assert!(cache
            .take_full_cert_budget_for_ip(ip, ttl)
            .await);
        assert!(cache
            .take_full_cert_budget_for_ip(ip, ttl)
            .await);
    }
 }
--- a/src/tls_front/emulator.rs
+++ b/src/tls_front/emulator.rs
@@ -0,0 +1,390 @@
 use crate::crypto::{sha256_hmac, SecureRandom};
 use crate::protocol::constants::{
    TLS_RECORD_APPLICATION, TLS_RECORD_CHANGE_CIPHER, TLS_RECORD_HANDSHAKE, TLS_VERSION,
 };
 use crate::protocol::tls::{TLS_DIGEST_LEN, TLS_DIGEST_POS, gen_fake_x25519_key};
 use crate::tls_front::types::{CachedTlsData, ParsedCertificateInfo};
 const MIN_APP_DATA: usize = 64;
 const MAX_APP_DATA: usize = 16640; // RFC 8446 §5.2 allows up to 2^14 + 256
 fn jitter_and_clamp_sizes(sizes: &[usize], rng: &SecureRandom) -> Vec<usize> {
    sizes
        .iter()
        .map(|&size| {
            let base = size.max(MIN_APP_DATA).min(MAX_APP_DATA);
            let jitter_range = ((base as f64) * 0.03).round() as i64;
            if jitter_range == 0 {
                return base;
            }
            let mut rand_bytes = [0u8; 2];
            rand_bytes.copy_from_slice(&rng.bytes(2));
            let span = 2 * jitter_range + 1;
            let delta = (u16::from_le_bytes(rand_bytes) as i64 % span) - jitter_range;
            let adjusted = (base as i64 + delta).clamp(MIN_APP_DATA as i64, MAX_APP_DATA as i64);
            adjusted as usize
        })
        .collect()
 }
 fn app_data_body_capacity(sizes: &[usize]) -> usize {
    sizes.iter().map(|&size| size.saturating_sub(17)).sum()
 }
 fn ensure_payload_capacity(mut sizes: Vec<usize>, payload_len: usize) -> Vec<usize> {
    if payload_len == 0 {
        return sizes;
    }
    let mut body_total = app_data_body_capacity(&sizes);
    if body_total >= payload_len {
        return sizes;
    }
    if let Some(last) = sizes.last_mut() {
        let free = MAX_APP_DATA.saturating_sub(*last);
        let grow = free.min(payload_len - body_total);
        *last += grow;
        body_total += grow;
    }
    while body_total < payload_len {
        let remaining = payload_len - body_total;
        let chunk = (remaining + 17).min(MAX_APP_DATA).max(MIN_APP_DATA);
        sizes.push(chunk);
        body_total += chunk.saturating_sub(17);
    }
    sizes
 }
 fn build_compact_cert_info_payload(cert_info: &ParsedCertificateInfo) -> Option<Vec<u8>> {
    let mut fields = Vec::new();
    if let Some(subject) = cert_info.subject_cn.as_deref() {
        fields.push(format!("CN={subject}"));
    }
    if let Some(issuer) = cert_info.issuer_cn.as_deref() {
        fields.push(format!("ISSUER={issuer}"));
    }
    if let Some(not_before) = cert_info.not_before_unix {
        fields.push(format!("NB={not_before}"));
    }
    if let Some(not_after) = cert_info.not_after_unix {
        fields.push(format!("NA={not_after}"));
    }
    if !cert_info.san_names.is_empty() {
        let san = cert_info
            .san_names
            .iter()
            .take(8)
            .map(String::as_str)
            .collect::<Vec<_>>()
            .join(",");
        fields.push(format!("SAN={san}"));
    }
    if fields.is_empty() {
        return None;
    }
    let mut payload = fields.join(";").into_bytes();
    if payload.len() > 512 {
        payload.truncate(512);
    }
    Some(payload)
 }
 /// Build a ServerHello + CCS + ApplicationData sequence using cached TLS metadata.
 pub fn build_emulated_server_hello(
    secret: &[u8],
    client_digest: &[u8; TLS_DIGEST_LEN],
    session_id: &[u8],
    cached: &CachedTlsData,
    use_full_cert_payload: bool,
    rng: &SecureRandom,
    alpn: Option<Vec<u8>>,
    new_session_tickets: u8,
 ) -> Vec<u8> {
    // --- ServerHello ---
    let mut extensions = Vec::new();
    // KeyShare (x25519)
    let key = gen_fake_x25519_key(rng);
    extensions.extend_from_slice(&0x0033u16.to_be_bytes()); // key_share
    extensions.extend_from_slice(&(2 + 2 + 32u16).to_be_bytes()); // len
    extensions.extend_from_slice(&0x001du16.to_be_bytes()); // X25519
    extensions.extend_from_slice(&(32u16).to_be_bytes());
    extensions.extend_from_slice(&key);
    // supported_versions (TLS1.3)
    extensions.extend_from_slice(&0x002bu16.to_be_bytes());
    extensions.extend_from_slice(&(2u16).to_be_bytes());
    extensions.extend_from_slice(&0x0304u16.to_be_bytes());
    if let Some(alpn_proto) = &alpn {
        extensions.extend_from_slice(&0x0010u16.to_be_bytes());
        let list_len: u16 = 1 + alpn_proto.len() as u16;
        let ext_len: u16 = 2 + list_len;
        extensions.extend_from_slice(&ext_len.to_be_bytes());
        extensions.extend_from_slice(&list_len.to_be_bytes());
        extensions.push(alpn_proto.len() as u8);
        extensions.extend_from_slice(alpn_proto);
    }
    let extensions_len = extensions.len() as u16;
    let body_len = 2 + // version
        32 + // random
        1 + session_id.len() + // session id
        2 + // cipher
        1 + // compression
        2 + extensions.len(); // extensions
    let mut message = Vec::with_capacity(4 + body_len);
    message.push(0x02); // ServerHello
    let len_bytes = (body_len as u32).to_be_bytes();
    message.extend_from_slice(&len_bytes[1..4]);
    message.extend_from_slice(&cached.server_hello_template.version); // 0x0303
    message.extend_from_slice(&[0u8; 32]); // random placeholder
    message.push(session_id.len() as u8);
    message.extend_from_slice(session_id);
    let cipher = if cached.server_hello_template.cipher_suite == [0, 0] {
        [0x13, 0x01]
    } else {
        cached.server_hello_template.cipher_suite
    };
    message.extend_from_slice(&cipher);
    message.push(cached.server_hello_template.compression);
    message.extend_from_slice(&extensions_len.to_be_bytes());
    message.extend_from_slice(&extensions);
    let mut server_hello = Vec::with_capacity(5 + message.len());
    server_hello.push(TLS_RECORD_HANDSHAKE);
    server_hello.extend_from_slice(&TLS_VERSION);
    server_hello.extend_from_slice(&(message.len() as u16).to_be_bytes());
    server_hello.extend_from_slice(&message);
    // --- ChangeCipherSpec ---
    let change_cipher_spec = [
        TLS_RECORD_CHANGE_CIPHER,
        TLS_VERSION[0],
        TLS_VERSION[1],
        0x00,
        0x01,
        0x01,
    ];
    // --- ApplicationData (fake encrypted records) ---
    // Use the same number and sizes of ApplicationData records as the cached server.
    let mut sizes = cached.app_data_records_sizes.clone();
    if sizes.is_empty() {
        sizes.push(cached.total_app_data_len.max(1024));
    }
    let mut sizes = jitter_and_clamp_sizes(&sizes, rng);
    let compact_payload = cached
        .cert_info
        .as_ref()
        .and_then(build_compact_cert_info_payload);
    let selected_payload: Option<&[u8]> = if use_full_cert_payload {
        cached
            .cert_payload
            .as_ref()
            .map(|payload| payload.certificate_message.as_slice())
            .filter(|payload| !payload.is_empty())
            .or_else(|| compact_payload.as_deref())
    } else {
        compact_payload.as_deref()
    };
    if let Some(payload) = selected_payload {
        sizes = ensure_payload_capacity(sizes, payload.len());
    }
    let mut app_data = Vec::new();
    let mut payload_offset = 0usize;
    for size in sizes {
        let mut rec = Vec::with_capacity(5 + size);
        rec.push(TLS_RECORD_APPLICATION);
        rec.extend_from_slice(&TLS_VERSION);
        rec.extend_from_slice(&(size as u16).to_be_bytes());
        if let Some(payload) = selected_payload {
            if size > 17 {
                let body_len = size - 17;
                let remaining = payload.len().saturating_sub(payload_offset);
                let copy_len = remaining.min(body_len);
                if copy_len > 0 {
                    rec.extend_from_slice(&payload[payload_offset..payload_offset + copy_len]);
                    payload_offset += copy_len;
                }
                if body_len > copy_len {
                    rec.extend_from_slice(&rng.bytes(body_len - copy_len));
                }
                rec.push(0x16); // inner content type marker (handshake)
                rec.extend_from_slice(&rng.bytes(16)); // AEAD-like tag
            } else {
                rec.extend_from_slice(&rng.bytes(size));
            }
        } else {
            if size > 17 {
                let body_len = size - 17;
                rec.extend_from_slice(&rng.bytes(body_len));
                rec.push(0x16); // inner content type marker (handshake)
                rec.extend_from_slice(&rng.bytes(16)); // AEAD-like tag
            } else {
                rec.extend_from_slice(&rng.bytes(size));
            }
        }
        app_data.extend_from_slice(&rec);
    }
    // --- Combine ---
    // Optional NewSessionTicket mimic records (opaque ApplicationData for fingerprint).
    let mut tickets = Vec::new();
    if new_session_tickets > 0 {
        for _ in 0..new_session_tickets {
            let ticket_len: usize = rng.range(48) + 48;
            let mut rec = Vec::with_capacity(5 + ticket_len);
            rec.push(TLS_RECORD_APPLICATION);
            rec.extend_from_slice(&TLS_VERSION);
            rec.extend_from_slice(&(ticket_len as u16).to_be_bytes());
            rec.extend_from_slice(&rng.bytes(ticket_len));
            tickets.extend_from_slice(&rec);
        }
    }
    let mut response = Vec::with_capacity(server_hello.len() + change_cipher_spec.len() + app_data.len() + tickets.len());
    response.extend_from_slice(&server_hello);
    response.extend_from_slice(&change_cipher_spec);
    response.extend_from_slice(&app_data);
    response.extend_from_slice(&tickets);
    // --- HMAC ---
    let mut hmac_input = Vec::with_capacity(TLS_DIGEST_LEN + response.len());
    hmac_input.extend_from_slice(client_digest);
    hmac_input.extend_from_slice(&response);
    let digest = sha256_hmac(secret, &hmac_input);
    response[TLS_DIGEST_POS..TLS_DIGEST_POS + TLS_DIGEST_LEN].copy_from_slice(&digest);
    response
 }
 #[cfg(test)]
 mod tests {
    use std::time::SystemTime;
    use crate::tls_front::types::{CachedTlsData, ParsedServerHello, TlsCertPayload};
    use super::build_emulated_server_hello;
    use crate::crypto::SecureRandom;
    use crate::protocol::constants::{
        TLS_RECORD_APPLICATION, TLS_RECORD_CHANGE_CIPHER, TLS_RECORD_HANDSHAKE,
    };
    fn first_app_data_payload(response: &[u8]) -> &[u8] {
        let hello_len = u16::from_be_bytes([response[3], response[4]]) as usize;
        let ccs_start = 5 + hello_len;
        let ccs_len = u16::from_be_bytes([response[ccs_start + 3], response[ccs_start + 4]]) as usize;
        let app_start = ccs_start + 5 + ccs_len;
        let app_len = u16::from_be_bytes([response[app_start + 3], response[app_start + 4]]) as usize;
        &response[app_start + 5..app_start + 5 + app_len]
    }
    fn make_cached(cert_payload: Option<TlsCertPayload>) -> CachedTlsData {
        CachedTlsData {
            server_hello_template: ParsedServerHello {
                version: [0x03, 0x03],
                random: [0u8; 32],
                session_id: Vec::new(),
                cipher_suite: [0x13, 0x01],
                compression: 0,
                extensions: Vec::new(),
            },
            cert_info: None,
            cert_payload,
            app_data_records_sizes: vec![64],
            total_app_data_len: 64,
            fetched_at: SystemTime::now(),
            domain: "example.com".to_string(),
        }
    }
    #[test]
    fn test_build_emulated_server_hello_uses_cached_cert_payload() {
        let cert_msg = vec![0x0b, 0x00, 0x00, 0x05, 0x00, 0xaa, 0xbb, 0xcc, 0xdd];
        let cached = make_cached(Some(TlsCertPayload {
            cert_chain_der: vec![vec![0x30, 0x01, 0x00]],
            certificate_message: cert_msg.clone(),
        }));
        let rng = SecureRandom::new();
        let response = build_emulated_server_hello(
            b"secret",
            &[0x11; 32],
            &[0x22; 16],
            &cached,
            true,
            &rng,
            None,
            0,
        );
        assert_eq!(response[0], TLS_RECORD_HANDSHAKE);
        let hello_len = u16::from_be_bytes([response[3], response[4]]) as usize;
        let ccs_start = 5 + hello_len;
        assert_eq!(response[ccs_start], TLS_RECORD_CHANGE_CIPHER);
        let app_start = ccs_start + 6;
        assert_eq!(response[app_start], TLS_RECORD_APPLICATION);
        let payload = first_app_data_payload(&response);
        assert!(payload.starts_with(&cert_msg));
    }
    #[test]
    fn test_build_emulated_server_hello_random_fallback_when_no_cert_payload() {
        let cached = make_cached(None);
        let rng = SecureRandom::new();
        let response = build_emulated_server_hello(
            b"secret",
            &[0x22; 32],
            &[0x33; 16],
            &cached,
            true,
            &rng,
            None,
            0,
        );
        let payload = first_app_data_payload(&response);
        assert!(payload.len() >= 64);
        assert_eq!(payload[payload.len() - 17], 0x16);
    }
    #[test]
    fn test_build_emulated_server_hello_uses_compact_payload_after_first() {
        let cert_msg = vec![0x0b, 0x00, 0x00, 0x05, 0x00, 0xaa, 0xbb, 0xcc, 0xdd];
        let mut cached = make_cached(Some(TlsCertPayload {
            cert_chain_der: vec![vec![0x30, 0x01, 0x00]],
            certificate_message: cert_msg,
        }));
        cached.cert_info = Some(crate::tls_front::types::ParsedCertificateInfo {
            not_after_unix: Some(1_900_000_000),
            not_before_unix: Some(1_700_000_000),
            issuer_cn: Some("Issuer".to_string()),
            subject_cn: Some("example.com".to_string()),
            san_names: vec!["example.com".to_string(), "www.example.com".to_string()],
        });
        let rng = SecureRandom::new();
        let response = build_emulated_server_hello(
            b"secret",
            &[0x44; 32],
            &[0x55; 16],
            &cached,
            false,
            &rng,
            None,
            0,
        );
        let payload = first_app_data_payload(&response);
        assert!(payload.starts_with(b"CN=example.com"));
    }
 }
--- a/src/tls_front/fetcher.rs
+++ b/src/tls_front/fetcher.rs
@@ -0,0 +1,591 @@
 use std::sync::Arc;
 use std::time::Duration;
 use anyhow::{Result, anyhow};
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::net::TcpStream;
 use tokio::time::timeout;
 use tokio_rustls::client::TlsStream;
 use tokio_rustls::TlsConnector;
 use tracing::{debug, warn};
 use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
 use rustls::client::ClientConfig;
 use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
 use rustls::{DigitallySignedStruct, Error as RustlsError};
 use x509_parser::prelude::FromDer;
 use x509_parser::certificate::X509Certificate;
 use crate::crypto::SecureRandom;
 use crate::protocol::constants::{TLS_RECORD_APPLICATION, TLS_RECORD_HANDSHAKE};
 use crate::tls_front::types::{
    ParsedCertificateInfo,
    ParsedServerHello,
    TlsCertPayload,
    TlsExtension,
    TlsFetchResult,
 };
 /// No-op verifier: accept any certificate (we only need lengths and metadata).
 #[derive(Debug)]
 struct NoVerify;
 impl ServerCertVerifier for NoVerify {
    fn verify_server_cert(
        &self,
        _end_entity: &CertificateDer<'_>,
        _intermediates: &[CertificateDer<'_>],
        _server_name: &ServerName<'_>,
        _ocsp: &[u8],
        _now: UnixTime,
    ) -> Result<ServerCertVerified, RustlsError> {
        Ok(ServerCertVerified::assertion())
    }
    fn verify_tls12_signature(
        &self,
        _message: &[u8],
        _cert: &CertificateDer<'_>,
        _dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, RustlsError> {
        Ok(HandshakeSignatureValid::assertion())
    }
    fn verify_tls13_signature(
        &self,
        _message: &[u8],
        _cert: &CertificateDer<'_>,
        _dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, RustlsError> {
        Ok(HandshakeSignatureValid::assertion())
    }
    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
        use rustls::SignatureScheme::*;
        vec![
            RSA_PKCS1_SHA256,
            RSA_PSS_SHA256,
            ECDSA_NISTP256_SHA256,
            ECDSA_NISTP384_SHA384,
        ]
    }
 }
 fn build_client_config() -> Arc<ClientConfig> {
    let root = rustls::RootCertStore::empty();
    let provider = rustls::crypto::ring::default_provider();
    let mut config = ClientConfig::builder_with_provider(Arc::new(provider))
        .with_protocol_versions(&[&rustls::version::TLS13, &rustls::version::TLS12])
        .expect("protocol versions")
        .with_root_certificates(root)
        .with_no_client_auth();
    config
        .dangerous()
        .set_certificate_verifier(Arc::new(NoVerify));
    Arc::new(config)
 }
 fn build_client_hello(sni: &str, rng: &SecureRandom) -> Vec<u8> {
    // === ClientHello body ===
    let mut body = Vec::new();
    // Legacy version (TLS 1.0) as in real ClientHello headers
    body.extend_from_slice(&[0x03, 0x03]);
    // Random
    body.extend_from_slice(&rng.bytes(32));
    // Session ID: empty
    body.push(0);
    // Cipher suites (common minimal set, TLS1.3 + a few 1.2 fallbacks)
    let cipher_suites: [u8; 10] = [
        0x13, 0x01, // TLS_AES_128_GCM_SHA256
        0x13, 0x02, // TLS_AES_256_GCM_SHA384
        0x13, 0x03, // TLS_CHACHA20_POLY1305_SHA256
        0x00, 0x2f, // TLS_RSA_WITH_AES_128_CBC_SHA (legacy)
        0x00, 0xff, // RENEGOTIATION_INFO_SCSV
    ];
    body.extend_from_slice(&(cipher_suites.len() as u16).to_be_bytes());
    body.extend_from_slice(&cipher_suites);
    // Compression methods: null only
    body.push(1);
    body.push(0);
    // === Extensions ===
    let mut exts = Vec::new();
    // server_name (SNI)
    let sni_bytes = sni.as_bytes();
    let mut sni_ext = Vec::with_capacity(5 + sni_bytes.len());
    sni_ext.extend_from_slice(&(sni_bytes.len() as u16 + 3).to_be_bytes());
    sni_ext.push(0); // host_name
    sni_ext.extend_from_slice(&(sni_bytes.len() as u16).to_be_bytes());
    sni_ext.extend_from_slice(sni_bytes);
    exts.extend_from_slice(&0x0000u16.to_be_bytes());
    exts.extend_from_slice(&(sni_ext.len() as u16).to_be_bytes());
    exts.extend_from_slice(&sni_ext);
    // supported_groups
    let groups: [u16; 2] = [0x001d, 0x0017]; // x25519, secp256r1
    exts.extend_from_slice(&0x000au16.to_be_bytes());
    exts.extend_from_slice(&((2 + groups.len() * 2) as u16).to_be_bytes());
    exts.extend_from_slice(&(groups.len() as u16 * 2).to_be_bytes());
    for g in groups { exts.extend_from_slice(&g.to_be_bytes()); }
    // signature_algorithms
    let sig_algs: [u16; 4] = [0x0804, 0x0805, 0x0403, 0x0503]; // rsa_pss_rsae_sha256/384, ecdsa_secp256r1_sha256, rsa_pkcs1_sha256
    exts.extend_from_slice(&0x000du16.to_be_bytes());
    exts.extend_from_slice(&((2 + sig_algs.len() * 2) as u16).to_be_bytes());
    exts.extend_from_slice(&(sig_algs.len() as u16 * 2).to_be_bytes());
    for a in sig_algs { exts.extend_from_slice(&a.to_be_bytes()); }
    // supported_versions (TLS1.3 + TLS1.2)
    let versions: [u16; 2] = [0x0304, 0x0303];
    exts.extend_from_slice(&0x002bu16.to_be_bytes());
    exts.extend_from_slice(&((1 + versions.len() * 2) as u16).to_be_bytes());
    exts.push((versions.len() * 2) as u8);
    for v in versions { exts.extend_from_slice(&v.to_be_bytes()); }
    // key_share (x25519)
    let key = gen_key_share(rng);
    let mut keyshare = Vec::with_capacity(4 + key.len());
    keyshare.extend_from_slice(&0x001du16.to_be_bytes()); // group
    keyshare.extend_from_slice(&(key.len() as u16).to_be_bytes());
    keyshare.extend_from_slice(&key);
    exts.extend_from_slice(&0x0033u16.to_be_bytes());
    exts.extend_from_slice(&((2 + keyshare.len()) as u16).to_be_bytes());
    exts.extend_from_slice(&(keyshare.len() as u16).to_be_bytes());
    exts.extend_from_slice(&keyshare);
    // ALPN (http/1.1)
    let alpn_proto = b"http/1.1";
    exts.extend_from_slice(&0x0010u16.to_be_bytes());
    exts.extend_from_slice(&((2 + 1 + alpn_proto.len()) as u16).to_be_bytes());
    exts.extend_from_slice(&((1 + alpn_proto.len()) as u16).to_be_bytes());
    exts.push(alpn_proto.len() as u8);
    exts.extend_from_slice(alpn_proto);
    // padding to reduce recognizability and keep length ~500 bytes
    const TARGET_EXT_LEN: usize = 180;
    if exts.len() < TARGET_EXT_LEN {
        let remaining = TARGET_EXT_LEN - exts.len();
        if remaining > 4 {
            let pad_len = remaining - 4; // minus type+len
            exts.extend_from_slice(&0x0015u16.to_be_bytes()); // padding extension
            exts.extend_from_slice(&(pad_len as u16).to_be_bytes());
            exts.resize(exts.len() + pad_len, 0);
        }
    }
    // Extensions length prefix
    body.extend_from_slice(&(exts.len() as u16).to_be_bytes());
    body.extend_from_slice(&exts);
    // === Handshake wrapper ===
    let mut handshake = Vec::new();
    handshake.push(0x01); // ClientHello
    let len_bytes = (body.len() as u32).to_be_bytes();
    handshake.extend_from_slice(&len_bytes[1..4]);
    handshake.extend_from_slice(&body);
    // === Record ===
    let mut record = Vec::new();
    record.push(TLS_RECORD_HANDSHAKE);
    record.extend_from_slice(&[0x03, 0x01]); // legacy record version
    record.extend_from_slice(&(handshake.len() as u16).to_be_bytes());
    record.extend_from_slice(&handshake);
    record
 }
 fn gen_key_share(rng: &SecureRandom) -> [u8; 32] {
    let mut key = [0u8; 32];
    key.copy_from_slice(&rng.bytes(32));
    key
 }
 async fn read_tls_record(stream: &mut TcpStream) -> Result<(u8, Vec<u8>)> {
    let mut header = [0u8; 5];
    stream.read_exact(&mut header).await?;
    let len = u16::from_be_bytes([header[3], header[4]]) as usize;
    let mut body = vec![0u8; len];
    stream.read_exact(&mut body).await?;
    Ok((header[0], body))
 }
 fn parse_server_hello(body: &[u8]) -> Option<ParsedServerHello> {
    if body.len() < 4 || body[0] != 0x02 {
        return None;
    }
    let msg_len = u32::from_be_bytes([0, body[1], body[2], body[3]]) as usize;
    if msg_len + 4 > body.len() {
        return None;
    }
    let mut pos = 4;
    let version = [*body.get(pos)?, *body.get(pos + 1)?];
    pos += 2;
    let mut random = [0u8; 32];
    random.copy_from_slice(body.get(pos..pos + 32)?);
    pos += 32;
    let session_len = *body.get(pos)? as usize;
    pos += 1;
    let session_id = body.get(pos..pos + session_len)?.to_vec();
    pos += session_len;
    let cipher_suite = [*body.get(pos)?, *body.get(pos + 1)?];
    pos += 2;
    let compression = *body.get(pos)?;
    pos += 1;
    let ext_len = u16::from_be_bytes([*body.get(pos)?, *body.get(pos + 1)?]) as usize;
    pos += 2;
    let ext_end = pos.checked_add(ext_len)?;
    if ext_end > body.len() {
        return None;
    }
    let mut extensions = Vec::new();
    while pos + 4 <= ext_end {
        let etype = u16::from_be_bytes([body[pos], body[pos + 1]]);
        let elen = u16::from_be_bytes([body[pos + 2], body[pos + 3]]) as usize;
        pos += 4;
        let data = body.get(pos..pos + elen)?.to_vec();
        pos += elen;
        extensions.push(TlsExtension { ext_type: etype, data });
    }
    Some(ParsedServerHello {
        version,
        random,
        session_id,
        cipher_suite,
        compression,
        extensions,
    })
 }
 fn parse_cert_info(certs: &[CertificateDer<'static>]) -> Option<ParsedCertificateInfo> {
    let first = certs.first()?;
    let (_rem, cert) = X509Certificate::from_der(first.as_ref()).ok()?;
    let not_before = Some(cert.validity().not_before.to_datetime().unix_timestamp());
    let not_after = Some(cert.validity().not_after.to_datetime().unix_timestamp());
    let issuer_cn = cert
        .issuer()
        .iter_common_name()
        .next()
        .and_then(|cn| cn.as_str().ok())
        .map(|s| s.to_string());
    let subject_cn = cert
        .subject()
        .iter_common_name()
        .next()
        .and_then(|cn| cn.as_str().ok())
        .map(|s| s.to_string());
    let san_names = cert
        .subject_alternative_name()
        .ok()
        .flatten()
        .map(|san| {
            san.value
                .general_names
                .iter()
                .filter_map(|gn| match gn {
                    x509_parser::extensions::GeneralName::DNSName(n) => Some(n.to_string()),
                    _ => None,
                })
                .collect::<Vec<_>>()
        })
        .unwrap_or_default();
    Some(ParsedCertificateInfo {
        not_after_unix: not_after,
        not_before_unix: not_before,
        issuer_cn,
        subject_cn,
        san_names,
    })
 }
 fn u24_bytes(value: usize) -> Option<[u8; 3]> {
    if value > 0x00ff_ffff {
        return None;
    }
    Some([
        ((value >> 16) & 0xff) as u8,
        ((value >> 8) & 0xff) as u8,
        (value & 0xff) as u8,
    ])
 }
 fn encode_tls13_certificate_message(cert_chain_der: &[Vec<u8>]) -> Option<Vec<u8>> {
    if cert_chain_der.is_empty() {
        return None;
    }
    let mut certificate_list = Vec::new();
    for cert in cert_chain_der {
        if cert.is_empty() {
            return None;
        }
        certificate_list.extend_from_slice(&u24_bytes(cert.len())?);
        certificate_list.extend_from_slice(cert);
        certificate_list.extend_from_slice(&0u16.to_be_bytes()); // cert_entry extensions
    }
    // Certificate = context_len(1) + certificate_list_len(3) + entries
    let body_len = 1usize
        .checked_add(3)?
        .checked_add(certificate_list.len())?;
    let mut message = Vec::with_capacity(4 + body_len);
    message.push(0x0b); // HandshakeType::certificate
    message.extend_from_slice(&u24_bytes(body_len)?);
    message.push(0x00); // certificate_request_context length
    message.extend_from_slice(&u24_bytes(certificate_list.len())?);
    message.extend_from_slice(&certificate_list);
    Some(message)
 }
 async fn fetch_via_raw_tls(
    host: &str,
    port: u16,
    sni: &str,
    connect_timeout: Duration,
 ) -> Result<TlsFetchResult> {
    let addr = format!("{host}:{port}");
    let mut stream = timeout(connect_timeout, TcpStream::connect(addr)).await??;
    let rng = SecureRandom::new();
    let client_hello = build_client_hello(sni, &rng);
    timeout(connect_timeout, async {
        stream.write_all(&client_hello).await?;
        stream.flush().await?;
        Ok::<(), std::io::Error>(())
    })
    .await??;
    let mut records = Vec::new();
    // Read up to 4 records: ServerHello, CCS, and up to two ApplicationData.
    for _ in 0..4 {
        match timeout(connect_timeout, read_tls_record(&mut stream)).await {
            Ok(Ok(rec)) => records.push(rec),
            Ok(Err(e)) => return Err(e.into()),
            Err(_) => break,
        }
        if records.len() >= 3 && records.iter().any(|(t, _)| *t == TLS_RECORD_APPLICATION) {
            break;
        }
    }
    let mut app_sizes = Vec::new();
    let mut server_hello = None;
    for (t, body) in &records {
        if *t == TLS_RECORD_HANDSHAKE && server_hello.is_none() {
            server_hello = parse_server_hello(body);
        } else if *t == TLS_RECORD_APPLICATION {
            app_sizes.push(body.len());
        }
    }
    let parsed = server_hello.ok_or_else(|| anyhow!("ServerHello not received"))?;
    let total_app_data_len = app_sizes.iter().sum::<usize>().max(1024);
    Ok(TlsFetchResult {
        server_hello_parsed: parsed,
        app_data_records_sizes: if app_sizes.is_empty() {
            vec![total_app_data_len]
        } else {
            app_sizes
        },
        total_app_data_len,
        cert_info: None,
        cert_payload: None,
    })
 }
 async fn fetch_via_rustls(
    host: &str,
    port: u16,
    sni: &str,
    connect_timeout: Duration,
    upstream: Option<std::sync::Arc<crate::transport::UpstreamManager>>,
 ) -> Result<TlsFetchResult> {
    // rustls handshake path for certificate and basic negotiated metadata.
    let stream = if let Some(manager) = upstream {
        // Resolve host to SocketAddr
        if let Ok(mut addrs) = tokio::net::lookup_host((host, port)).await {
            if let Some(addr) = addrs.find(|a| a.is_ipv4()) {
                match manager.connect(addr, None, None).await {
                    Ok(s) => s,
                    Err(e) => {
                        warn!(sni = %sni, error = %e, "Upstream connect failed, using direct connect");
                        timeout(connect_timeout, TcpStream::connect((host, port))).await??
                    }
                }
            } else {
                timeout(connect_timeout, TcpStream::connect((host, port))).await??
            }
        } else {
            timeout(connect_timeout, TcpStream::connect((host, port))).await??
        }
    } else {
        timeout(connect_timeout, TcpStream::connect((host, port))).await??
    };
    let config = build_client_config();
    let connector = TlsConnector::from(config);
    let server_name = ServerName::try_from(sni.to_owned())
        .or_else(|_| ServerName::try_from(host.to_owned()))
        .map_err(|_| RustlsError::General("invalid SNI".into()))?;
    let tls_stream: TlsStream<TcpStream> = connector.connect(server_name, stream).await?;
    // Extract negotiated parameters and certificates
    let (_io, session) = tls_stream.get_ref();
    let cipher_suite = session
        .negotiated_cipher_suite()
        .map(|s| u16::from(s.suite()).to_be_bytes())
        .unwrap_or([0x13, 0x01]);
    let certs: Vec<CertificateDer<'static>> = session
        .peer_certificates()
        .map(|slice| slice.to_vec())
        .unwrap_or_default();
    let cert_chain_der: Vec<Vec<u8>> = certs.iter().map(|c| c.as_ref().to_vec()).collect();
    let cert_payload = encode_tls13_certificate_message(&cert_chain_der).map(|certificate_message| {
        TlsCertPayload {
            cert_chain_der: cert_chain_der.clone(),
            certificate_message,
        }
    });
    let total_cert_len = cert_payload
        .as_ref()
        .map(|payload| payload.certificate_message.len())
        .unwrap_or_else(|| cert_chain_der.iter().map(Vec::len).sum::<usize>())
        .max(1024);
    let cert_info = parse_cert_info(&certs);
    // Heuristic: split across two records if large to mimic real servers a bit.
    let app_data_records_sizes = if total_cert_len > 3000 {
        vec![total_cert_len / 2, total_cert_len - total_cert_len / 2]
    } else {
        vec![total_cert_len]
    };
    let parsed = ParsedServerHello {
        version: [0x03, 0x03],
        random: [0u8; 32],
        session_id: Vec::new(),
        cipher_suite,
        compression: 0,
        extensions: Vec::new(),
    };
    debug!(
        sni = %sni,
        len = total_cert_len,
        cipher = format!("0x{:04x}", u16::from_be_bytes(cipher_suite)),
        has_cert_payload = cert_payload.is_some(),
        "Fetched TLS metadata via rustls"
    );
    Ok(TlsFetchResult {
        server_hello_parsed: parsed,
        app_data_records_sizes: app_data_records_sizes.clone(),
        total_app_data_len: app_data_records_sizes.iter().sum(),
        cert_info,
        cert_payload,
    })
 }
 /// Fetch real TLS metadata for the given SNI.
 ///
 /// Strategy:
 /// 1) Probe raw TLS for realistic ServerHello and ApplicationData record sizes.
 /// 2) Fetch certificate chain via rustls to build cert payload.
 /// 3) Merge both when possible; otherwise auto-fallback to whichever succeeded.
 pub async fn fetch_real_tls(
    host: &str,
    port: u16,
    sni: &str,
    connect_timeout: Duration,
    upstream: Option<std::sync::Arc<crate::transport::UpstreamManager>>,
 ) -> Result<TlsFetchResult> {
    let raw_result = match fetch_via_raw_tls(host, port, sni, connect_timeout).await {
        Ok(res) => Some(res),
        Err(e) => {
            warn!(sni = %sni, error = %e, "Raw TLS fetch failed");
            None
        }
    };
    match fetch_via_rustls(host, port, sni, connect_timeout, upstream).await {
        Ok(rustls_result) => {
            if let Some(mut raw) = raw_result {
                raw.cert_info = rustls_result.cert_info;
                raw.cert_payload = rustls_result.cert_payload;
                debug!(sni = %sni, "Fetched TLS metadata via raw probe + rustls cert chain");
                Ok(raw)
            } else {
                Ok(rustls_result)
            }
        }
        Err(e) => {
            if let Some(raw) = raw_result {
                warn!(sni = %sni, error = %e, "Rustls cert fetch failed, using raw TLS metadata only");
                Ok(raw)
            } else {
                Err(e)
            }
        }
    }
 }
 #[cfg(test)]
 mod tests {
    use super::encode_tls13_certificate_message;
    fn read_u24(bytes: &[u8]) -> usize {
        ((bytes[0] as usize) << 16) | ((bytes[1] as usize) << 8) | (bytes[2] as usize)
    }
    #[test]
    fn test_encode_tls13_certificate_message_single_cert() {
        let cert = vec![0x30, 0x03, 0x02, 0x01, 0x01];
        let message = encode_tls13_certificate_message(&[cert.clone()]).expect("message");
        assert_eq!(message[0], 0x0b);
        assert_eq!(read_u24(&message[1..4]), message.len() - 4);
        assert_eq!(message[4], 0x00);
        let cert_list_len = read_u24(&message[5..8]);
        assert_eq!(cert_list_len, cert.len() + 5);
        let cert_len = read_u24(&message[8..11]);
        assert_eq!(cert_len, cert.len());
        assert_eq!(&message[11..11 + cert.len()], cert.as_slice());
        assert_eq!(&message[11 + cert.len()..13 + cert.len()], &[0x00, 0x00]);
    }
    #[test]
    fn test_encode_tls13_certificate_message_empty_chain() {
        assert!(encode_tls13_certificate_message(&[]).is_none());
    }
 }
--- a/src/tls_front/mod.rs
+++ b/src/tls_front/mod.rs
@@ -0,0 +1,7 @@
 pub mod types;
 pub mod cache;
 pub mod fetcher;
 pub mod emulator;
 pub use cache::TlsFrontCache;
 pub use types::{CachedTlsData, TlsFetchResult};
--- a/src/tls_front/types.rs
+++ b/src/tls_front/types.rs
@@ -0,0 +1,68 @@
 use std::time::SystemTime;
 use serde::{Serialize, Deserialize};
 /// Parsed representation of an unencrypted TLS ServerHello.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct ParsedServerHello {
    pub version: [u8; 2],
    pub random: [u8; 32],
    pub session_id: Vec<u8>,
    pub cipher_suite: [u8; 2],
    pub compression: u8,
    pub extensions: Vec<TlsExtension>,
 }
 /// Generic TLS extension container.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct TlsExtension {
    pub ext_type: u16,
    pub data: Vec<u8>,
 }
 /// Basic certificate metadata (optional, informative).
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct ParsedCertificateInfo {
    pub not_after_unix: Option<i64>,
    pub not_before_unix: Option<i64>,
    pub issuer_cn: Option<String>,
    pub subject_cn: Option<String>,
    pub san_names: Vec<String>,
 }
 /// TLS certificate payload captured from profiled upstream.
 ///
 /// `certificate_message` stores an encoded TLS 1.3 Certificate handshake
 /// message body that can be replayed as opaque ApplicationData bytes in FakeTLS.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct TlsCertPayload {
    pub cert_chain_der: Vec<Vec<u8>>,
    pub certificate_message: Vec<u8>,
 }
 /// Cached data per SNI used by the emulator.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct CachedTlsData {
    pub server_hello_template: ParsedServerHello,
    pub cert_info: Option<ParsedCertificateInfo>,
    #[serde(default)]
    pub cert_payload: Option<TlsCertPayload>,
    pub app_data_records_sizes: Vec<usize>,
    pub total_app_data_len: usize,
    #[serde(default = "now_system_time", skip_serializing, skip_deserializing)]
    pub fetched_at: SystemTime,
    pub domain: String,
 }
 fn now_system_time() -> SystemTime {
    SystemTime::now()
 }
 /// Result of attempting to fetch real TLS artifacts.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct TlsFetchResult {
    pub server_hello_parsed: ParsedServerHello,
    pub app_data_records_sizes: Vec<usize>,
    pub total_app_data_len: usize,
    pub cert_info: Option<ParsedCertificateInfo>,
    pub cert_payload: Option<TlsCertPayload>,
 }
--- a/src/transport/middle_proxy/codec.rs
+++ b/src/transport/middle_proxy/codec.rs
@@ -1,6 +1,6 @@
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
-use crate::crypto::{AesCbc, crc32};
+use crate::crypto::{AesCbc, crc32, crc32c};
 use crate::error::{ProxyError, Result};
 use crate::protocol::constants::*;
@@ -8,17 +8,46 @@ use crate::protocol::constants::*;
 pub(crate) enum WriterCommand {
    Data(Vec<u8>),
    DataAndFlush(Vec<u8>),
    Keepalive,
    Close,
 }
-pub(crate) fn build_rpc_frame(seq_no: i32, payload: &[u8]) -> Vec<u8> {
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub(crate) enum RpcChecksumMode {
    Crc32,
    Crc32c,
 }
 impl RpcChecksumMode {
    pub(crate) fn from_handshake_flags(flags: u32) -> Self {
        if (flags & rpc_crypto_flags::USE_CRC32C) != 0 {
            Self::Crc32c
        } else {
            Self::Crc32
        }
    }
    pub(crate) fn advertised_flags(self) -> u32 {
        match self {
            Self::Crc32 => 0,
            Self::Crc32c => rpc_crypto_flags::USE_CRC32C,
        }
    }
 }
 pub(crate) fn rpc_crc(mode: RpcChecksumMode, data: &[u8]) -> u32 {
    match mode {
        RpcChecksumMode::Crc32 => crc32(data),
        RpcChecksumMode::Crc32c => crc32c(data),
    }
 }
 pub(crate) fn build_rpc_frame(seq_no: i32, payload: &[u8], crc_mode: RpcChecksumMode) -> Vec<u8> {
    let total_len = (4 + 4 + payload.len() + 4) as u32;
    let mut frame = Vec::with_capacity(total_len as usize);
    frame.extend_from_slice(&total_len.to_le_bytes());
    frame.extend_from_slice(&seq_no.to_le_bytes());
    frame.extend_from_slice(payload);
-    let c = crc32(&frame);
+    let c = rpc_crc(crc_mode, &frame);
    frame.extend_from_slice(&c.to_le_bytes());
    frame
 }
@@ -45,7 +74,7 @@ pub(crate) async fn read_rpc_frame_plaintext(
    let crc_offset = total_len - 4;
    let expected_crc = u32::from_le_bytes(full[crc_offset..crc_offset + 4].try_into().unwrap());
-    let actual_crc = crc32(&full[..crc_offset]);
+    let actual_crc = rpc_crc(RpcChecksumMode::Crc32, &full[..crc_offset]);
    if expected_crc != actual_crc {
        return Err(ProxyError::InvalidHandshake(format!(
            "CRC mismatch: 0x{expected_crc:08x} vs 0x{actual_crc:08x}"
@@ -95,24 +124,52 @@ pub(crate) fn build_handshake_payload(
    our_port: u16,
    peer_ip: [u8; 4],
    peer_port: u16,
    flags: u32,
 ) -> [u8; 32] {
    let mut p = [0u8; 32];
    p[0..4].copy_from_slice(&RPC_HANDSHAKE_U32.to_le_bytes());
    p[4..8].copy_from_slice(&flags.to_le_bytes());
-    // Keep C memory layout compatibility for PID IPv4 bytes.
+    // process_id sender_pid
    p[8..12].copy_from_slice(&our_ip);
    p[12..14].copy_from_slice(&our_port.to_le_bytes());
-    let pid = (std::process::id() & 0xffff) as u16;
+    p[14..16].copy_from_slice(&process_pid16().to_le_bytes());
-    p[14..16].copy_from_slice(&pid.to_le_bytes());
+    p[16..20].copy_from_slice(&process_utime().to_le_bytes());
    // process_id peer_pid
    p[20..24].copy_from_slice(&peer_ip);
    p[24..26].copy_from_slice(&peer_port.to_le_bytes());
    p[26..28].copy_from_slice(&0u16.to_le_bytes());
    p[28..32].copy_from_slice(&0u32.to_le_bytes());
    p
 }
 pub(crate) fn parse_handshake_flags(payload: &[u8]) -> Result<u32> {
    if payload.len() != 32 {
        return Err(ProxyError::InvalidHandshake(format!(
            "Bad handshake payload len: {}",
            payload.len()
        )));
    }
    let hs_type = u32::from_le_bytes(payload[0..4].try_into().unwrap());
    if hs_type != RPC_HANDSHAKE_U32 {
        return Err(ProxyError::InvalidHandshake(format!(
            "Expected HANDSHAKE 0x{RPC_HANDSHAKE_U32:08x}, got 0x{hs_type:08x}"
        )));
    }
    Ok(u32::from_le_bytes(payload[4..8].try_into().unwrap()))
 }
 fn process_pid16() -> u16 {
    (std::process::id() & 0xffff) as u16
 }
 fn process_utime() -> u32 {
    let utime = std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .unwrap_or_default()
        .as_secs() as u32;
-    p[16..20].copy_from_slice(&utime.to_le_bytes());
+    utime
    p[20..24].copy_from_slice(&peer_ip);
    p[24..26].copy_from_slice(&peer_port.to_le_bytes());
    p
 }
 pub(crate) fn cbc_encrypt_padded(
@@ -160,12 +217,13 @@ pub(crate) struct RpcWriter {
    pub(crate) key: [u8; 32],
    pub(crate) iv: [u8; 16],
    pub(crate) seq_no: i32,
    pub(crate) crc_mode: RpcChecksumMode,
 }
 impl RpcWriter {
    pub(crate) async fn send(&mut self, payload: &[u8]) -> Result<()> {
-        let frame = build_rpc_frame(self.seq_no, payload);
+        let frame = build_rpc_frame(self.seq_no, payload, self.crc_mode);
-        self.seq_no += 1;
+        self.seq_no = self.seq_no.wrapping_add(1);
        let pad = (16 - (frame.len() % 16)) % 16;
        let mut buf = frame;
@@ -189,12 +247,4 @@ impl RpcWriter {
        self.send(payload).await?;
        self.writer.flush().await.map_err(ProxyError::Io)
    }
    pub(crate) async fn send_keepalive(&mut self, payload: [u8; 4]) -> Result<()> {
        // Keepalive is a frame with fl == 4 and 4 bytes payload.
        let mut frame = Vec::with_capacity(8);
        frame.extend_from_slice(&4u32.to_le_bytes());
        frame.extend_from_slice(&payload);
        self.send(&frame).await
    }
 }
--- a/src/transport/middle_proxy/handshake.rs
+++ b/src/transport/middle_proxy/handshake.rs
@@ -18,13 +18,14 @@ use crate::crypto::{SecureRandom, build_middleproxy_prekey, derive_middleproxy_k
 use crate::error::{ProxyError, Result};
 use crate::network::IpFamily;
 use crate::protocol::constants::{
-    ME_CONNECT_TIMEOUT_SECS, ME_HANDSHAKE_TIMEOUT_SECS, RPC_CRYPTO_AES_U32, RPC_HANDSHAKE_ERROR_U32,
+    ME_CONNECT_TIMEOUT_SECS, ME_HANDSHAKE_TIMEOUT_SECS, RPC_CRYPTO_AES_U32,
-    RPC_HANDSHAKE_U32, RPC_PING_U32, RPC_PONG_U32, RPC_NONCE_U32,
+    RPC_HANDSHAKE_ERROR_U32, rpc_crypto_flags,
 };
 use super::codec::{
-    build_handshake_payload, build_nonce_payload, build_rpc_frame, cbc_decrypt_inplace,
+    RpcChecksumMode, build_handshake_payload, build_nonce_payload, build_rpc_frame,
-    cbc_encrypt_padded, parse_nonce_payload, read_rpc_frame_plaintext,
+    cbc_decrypt_inplace, cbc_encrypt_padded, parse_handshake_flags, parse_nonce_payload,
    read_rpc_frame_plaintext, rpc_crc,
 };
 use super::wire::{extract_ip_material, IpMaterial};
 use super::MePool;
@@ -37,6 +38,7 @@ pub(crate) struct HandshakeOutput {
    pub read_iv: [u8; 16],
    pub write_key: [u8; 32],
    pub write_iv: [u8; 16],
    pub crc_mode: RpcChecksumMode,
    pub handshake_ms: f64,
 }
@@ -146,7 +148,7 @@ impl MePool {
        let ks = self.key_selector().await;
        let nonce_payload = build_nonce_payload(ks, crypto_ts, &my_nonce);
-        let nonce_frame = build_rpc_frame(-2, &nonce_payload);
+        let nonce_frame = build_rpc_frame(-2, &nonce_payload, RpcChecksumMode::Crc32);
        let dump = hex_dump(&nonce_frame[..nonce_frame.len().min(44)]);
        debug!(
            key_selector = format_args!("0x{ks:08x}"),
@@ -284,8 +286,15 @@ impl MePool {
            srv_v6_opt.as_ref(),
        );
-        let hs_payload = build_handshake_payload(hs_our_ip, local_addr.port(), hs_peer_ip, peer_addr.port());
+        let requested_crc_mode = RpcChecksumMode::Crc32c;
-        let hs_frame = build_rpc_frame(-1, &hs_payload);
+        let hs_payload = build_handshake_payload(
            hs_our_ip,
            local_addr.port(),
            hs_peer_ip,
            peer_addr.port(),
            requested_crc_mode.advertised_flags(),
        );
        let hs_frame = build_rpc_frame(-1, &hs_payload, RpcChecksumMode::Crc32);
        if diag_level >= 1 {
            info!(
                write_key = %hex_dump(&wk),
@@ -314,7 +323,7 @@ impl MePool {
            );
        }
-        let (encrypted_hs, mut write_iv) = cbc_encrypt_padded(&wk, &wi, &hs_frame)?;
+        let (encrypted_hs, write_iv) = cbc_encrypt_padded(&wk, &wi, &hs_frame)?;
        if diag_level >= 1 {
            info!(
                hs_cipher = %hex_dump(&encrypted_hs),
@@ -328,6 +337,7 @@ impl MePool {
        let mut enc_buf = BytesMut::with_capacity(256);
        let mut dec_buf = BytesMut::with_capacity(256);
        let mut read_iv = ri;
        let mut negotiated_crc_mode = RpcChecksumMode::Crc32;
        let mut handshake_ok = false;
        while Instant::now() < deadline && !handshake_ok {
@@ -375,17 +385,23 @@ impl MePool {
                let frame = dec_buf.split_to(fl);
                let pe = fl - 4;
                let ec = u32::from_le_bytes(frame[pe..pe + 4].try_into().unwrap());
-                let ac = crate::crypto::crc32(&frame[..pe]);
+                let ac = rpc_crc(RpcChecksumMode::Crc32, &frame[..pe]);
                if ec != ac {
                    return Err(ProxyError::InvalidHandshake(format!(
                        "HS CRC mismatch: 0x{ec:08x} vs 0x{ac:08x}"
                    )));
                }
-                let hs_type = u32::from_le_bytes(frame[8..12].try_into().unwrap());
+                let hs_payload = &frame[8..pe];
                if hs_payload.len() < 4 {
                    return Err(ProxyError::InvalidHandshake(
                        "Handshake payload too short".to_string(),
                    ));
                }
                let hs_type = u32::from_le_bytes(hs_payload[0..4].try_into().unwrap());
                if hs_type == RPC_HANDSHAKE_ERROR_U32 {
-                    let err_code = if frame.len() >= 16 {
+                    let err_code = if hs_payload.len() >= 8 {
-                        i32::from_le_bytes(frame[12..16].try_into().unwrap())
+                        i32::from_le_bytes(hs_payload[4..8].try_into().unwrap())
                    } else {
                        -1
                    };
@@ -393,11 +409,21 @@ impl MePool {
                        "ME rejected handshake (error={err_code})"
                    )));
                }
-                if hs_type != RPC_HANDSHAKE_U32 {
+                let hs_flags = parse_handshake_flags(hs_payload)?;
                if hs_flags & 0xff != 0 {
                    return Err(ProxyError::InvalidHandshake(format!(
-                        "Expected HANDSHAKE 0x{RPC_HANDSHAKE_U32:08x}, got 0x{hs_type:08x}"
+                        "Unsupported handshake flags: 0x{hs_flags:08x}"
                    )));
                }
                negotiated_crc_mode = if (hs_flags & requested_crc_mode.advertised_flags()) != 0 {
                    RpcChecksumMode::from_handshake_flags(hs_flags)
                } else if (hs_flags & rpc_crypto_flags::USE_CRC32C) != 0 {
                    return Err(ProxyError::InvalidHandshake(format!(
                        "Peer negotiated unsupported CRC flags: 0x{hs_flags:08x}"
                    )));
                } else {
                    RpcChecksumMode::Crc32
                };
                handshake_ok = true;
                break;
@@ -418,6 +444,7 @@ impl MePool {
            read_iv,
            write_key: wk,
            write_iv,
            crc_mode: negotiated_crc_mode,
            handshake_ms,
        })
    }
--- a/src/transport/middle_proxy/pool.rs
+++ b/src/transport/middle_proxy/pool.rs
@@ -17,13 +17,11 @@ use crate::network::IpFamily;
 use crate::protocol::constants::*;
 use super::ConnRegistry;
-use super::registry::{BoundConn, ConnMeta};
+use super::registry::BoundConn;
 use super::codec::{RpcWriter, WriterCommand};
 use super::reader::reader_loop;
 use super::MeResponse;
 const ME_ACTIVE_PING_SECS: u64 = 25;
 const ME_ACTIVE_PING_JITTER_SECS: i64 = 5;
 const ME_KEEPALIVE_PAYLOAD_LEN: usize = 4;
 #[derive(Clone)]
 pub struct MeWriter {
@@ -361,7 +359,6 @@ impl MePool {
        // Additional connections up to pool_size total (round-robin across DCs), staggered to de-phase lifecycles.
        if self.me_warmup_stagger_enabled {
            let mut delay_ms = 0u64;
            for (dc, addrs) in dc_addrs.iter() {
                for (ip, port) in addrs {
                    if self.connection_count() >= pool_size {
@@ -369,7 +366,7 @@ impl MePool {
                    }
                    let addr = SocketAddr::new(*ip, *port);
                    let jitter = rand::rng().random_range(0..=self.me_warmup_step_jitter.as_millis() as u64);
-                    delay_ms = delay_ms.saturating_add(self.me_warmup_step_delay.as_millis() as u64 + jitter);
+                    let delay_ms = self.me_warmup_step_delay.as_millis() as u64 + jitter;
                    tokio::time::sleep(Duration::from_millis(delay_ms)).await;
                    if let Err(e) = self.connect_one(addr, rng.as_ref()).await {
                        debug!(%addr, dc = %dc, error = %e, "Extra ME connect failed (staggered)");
@@ -418,14 +415,12 @@ impl MePool {
        let degraded = Arc::new(AtomicBool::new(false));
        let draining = Arc::new(AtomicBool::new(false));
        let (tx, mut rx) = mpsc::channel::<WriterCommand>(4096);
        let tx_for_keepalive = tx.clone();
        let keepalive_random = self.me_keepalive_payload_random;
        let stats = self.stats.clone();
        let mut rpc_writer = RpcWriter {
            writer: hs.wr,
            key: hs.write_key,
            iv: hs.write_iv,
            seq_no: 0,
            crc_mode: hs.crc_mode,
        };
        let cancel_wr = cancel.clone();
        tokio::spawn(async move {
@@ -439,21 +434,6 @@ impl MePool {
                            Some(WriterCommand::DataAndFlush(payload)) => {
                                if rpc_writer.send_and_flush(&payload).await.is_err() { break; }
                            }
                            Some(WriterCommand::Keepalive) => {
                                let mut payload = [0u8; ME_KEEPALIVE_PAYLOAD_LEN];
                                if keepalive_random {
                                    rand::rng().fill(&mut payload);
                                }
                                match rpc_writer.send_keepalive(payload).await {
                                    Ok(()) => {
                                        stats.increment_me_keepalive_sent();
                                    }
                                    Err(_) => {
                                        stats.increment_me_keepalive_failed();
                                        break;
                                    }
                                }
                            }
                            Some(WriterCommand::Close) | None => break,
                        }
                    }
@@ -471,12 +451,15 @@ impl MePool {
        };
        self.writers.write().await.push(writer.clone());
        self.conn_count.fetch_add(1, Ordering::Relaxed);
-        self.writer_available.notify_waiters();
+        self.writer_available.notify_one();
        let reg = self.registry.clone();
        let writers_arc = self.writers_arc();
        let ping_tracker = self.ping_tracker.clone();
        let ping_tracker_reader = ping_tracker.clone();
        let rtt_stats = self.rtt_stats.clone();
        let stats_reader = self.stats.clone();
        let stats_ping = self.stats.clone();
        let pool = Arc::downgrade(self);
        let cancel_ping = cancel.clone();
        let tx_ping = tx.clone();
@@ -489,19 +472,20 @@ impl MePool {
        let keepalive_jitter = self.me_keepalive_jitter;
        let cancel_reader_token = cancel.clone();
        let cancel_ping_token = cancel_ping.clone();
        let cancel_keepalive_token = cancel.clone();
        tokio::spawn(async move {
            let res = reader_loop(
                hs.rd,
                hs.read_key,
                hs.read_iv,
                hs.crc_mode,
                reg.clone(),
                BytesMut::new(),
                BytesMut::new(),
                tx.clone(),
-                ping_tracker.clone(),
+                ping_tracker_reader,
                rtt_stats.clone(),
                stats_reader,
                writer_id,
                degraded.clone(),
                cancel_reader_token.clone(),
@@ -526,15 +510,40 @@ impl MePool {
        let pool_ping = Arc::downgrade(self);
        tokio::spawn(async move {
            let mut ping_id: i64 = rand::random::<i64>();
-            loop {
+            // Per-writer jittered start to avoid phase sync.
            let startup_jitter = if keepalive_enabled {
                let jitter_cap_ms = keepalive_interval.as_millis() / 2;
                let effective_jitter_ms = keepalive_jitter.as_millis().min(jitter_cap_ms).max(1);
                Duration::from_millis(rand::rng().random_range(0..=effective_jitter_ms as u64))
            } else {
                let jitter = rand::rng()
                    .random_range(-ME_ACTIVE_PING_JITTER_SECS..=ME_ACTIVE_PING_JITTER_SECS);
                let wait = (ME_ACTIVE_PING_SECS as i64 + jitter).max(5) as u64;
                Duration::from_secs(wait)
            };
            tokio::select! {
                _ = cancel_ping_token.cancelled() => return,
                _ = tokio::time::sleep(startup_jitter) => {}
            }
            loop {
                let wait = if keepalive_enabled {
                    let jitter_cap_ms = keepalive_interval.as_millis() / 2;
                    let effective_jitter_ms = keepalive_jitter.as_millis().min(jitter_cap_ms).max(1);
                    keepalive_interval
                        + Duration::from_millis(
                            rand::rng().random_range(0..=effective_jitter_ms as u64)
                        )
                } else {
                    let jitter = rand::rng()
                        .random_range(-ME_ACTIVE_PING_JITTER_SECS..=ME_ACTIVE_PING_JITTER_SECS);
                    let secs = (ME_ACTIVE_PING_SECS as i64 + jitter).max(5) as u64;
                    Duration::from_secs(secs)
                };
                tokio::select! {
                    _ = cancel_ping_token.cancelled() => {
                        break;
                    }
-                    _ = tokio::time::sleep(Duration::from_secs(wait)) => {}
+                    _ = tokio::time::sleep(wait) => {}
                }
                let sent_id = ping_id;
                let mut p = Vec::with_capacity(12);
@@ -542,12 +551,19 @@ impl MePool {
                p.extend_from_slice(&sent_id.to_le_bytes());
                {
                    let mut tracker = ping_tracker_ping.lock().await;
                    let before = tracker.len();
                    tracker.retain(|_, (ts, _)| ts.elapsed() < Duration::from_secs(120));
                    let expired = before.saturating_sub(tracker.len());
                    if expired > 0 {
                        stats_ping.increment_me_keepalive_timeout_by(expired as u64);
                    }
                    tracker.insert(sent_id, (std::time::Instant::now(), writer_id));
                }
                ping_id = ping_id.wrapping_add(1);
                stats_ping.increment_me_keepalive_sent();
                if tx_ping.send(WriterCommand::DataAndFlush(p)).await.is_err() {
-                    debug!("Active ME ping failed, removing dead writer");
+                    stats_ping.increment_me_keepalive_failed();
                    debug!("ME ping failed, removing dead writer");
                    cancel_ping.cancel();
                    if let Some(pool) = pool_ping.upgrade() {
                        if cleanup_for_ping
@@ -562,25 +578,6 @@ impl MePool {
            }
        });
        if keepalive_enabled {
            let tx_keepalive = tx_for_keepalive;
            let cancel_keepalive = cancel_keepalive_token;
            tokio::spawn(async move {
                // Per-writer jittered start to avoid phase sync.
                let initial_jitter_ms = rand::rng().random_range(0..=keepalive_jitter.as_millis().max(1) as u64);
                tokio::time::sleep(Duration::from_millis(initial_jitter_ms)).await;
                loop {
                    tokio::select! {
                        _ = cancel_keepalive.cancelled() => break,
                        _ = tokio::time::sleep(keepalive_interval + Duration::from_millis(rand::rng().random_range(0..=keepalive_jitter.as_millis() as u64))) => {}
                    }
                    if tx_keepalive.send(WriterCommand::Keepalive).await.is_err() {
                        break;
                    }
                }
            });
        }
        Ok(())
    }
@@ -617,15 +614,19 @@ impl MePool {
    }
    async fn remove_writer_only(&self, writer_id: u64) -> Vec<BoundConn> {
        let mut close_tx: Option<mpsc::Sender<WriterCommand>> = None;
        {
            let mut ws = self.writers.write().await;
            if let Some(pos) = ws.iter().position(|w| w.id == writer_id) {
                let w = ws.remove(pos);
                w.cancel.cancel();
-                let _ = w.tx.send(WriterCommand::Close).await;
+                close_tx = Some(w.tx.clone());
                self.conn_count.fetch_sub(1, Ordering::Relaxed);
            }
        }
        if let Some(tx) = close_tx {
            let _ = tx.send(WriterCommand::Close).await;
        }
        self.rtt_stats.lock().await.remove(&writer_id);
        self.registry.writer_lost(writer_id).await
    }
--- a/src/transport/middle_proxy/reader.rs
+++ b/src/transport/middle_proxy/reader.rs
@@ -10,31 +10,33 @@ use tokio::sync::{Mutex, mpsc};
 use tokio_util::sync::CancellationToken;
 use tracing::{debug, trace, warn};
-use crate::crypto::{AesCbc, crc32};
+use crate::crypto::AesCbc;
 use crate::error::{ProxyError, Result};
 use crate::protocol::constants::*;
 use crate::stats::Stats;
-use super::codec::WriterCommand;
+use super::codec::{RpcChecksumMode, WriterCommand, rpc_crc};
 use super::registry::RouteResult;
 use super::{ConnRegistry, MeResponse};
 pub(crate) async fn reader_loop(
    mut rd: tokio::io::ReadHalf<TcpStream>,
    dk: [u8; 32],
    mut div: [u8; 16],
    crc_mode: RpcChecksumMode,
    reg: Arc<ConnRegistry>,
    enc_leftover: BytesMut,
    mut dec: BytesMut,
    tx: mpsc::Sender<WriterCommand>,
    ping_tracker: Arc<Mutex<HashMap<i64, (Instant, u64)>>>,
    rtt_stats: Arc<Mutex<HashMap<u64, (f64, f64)>>>,
    stats: Arc<Stats>,
    _writer_id: u64,
    degraded: Arc<AtomicBool>,
    cancel: CancellationToken,
 ) -> Result<()> {
    let mut raw = enc_leftover;
    let mut expected_seq: i32 = 0;
    let mut crc_errors = 0u32;
    let mut seq_mismatch = 0u32;
    loop {
        let mut tmp = [0u8; 16_384];
@@ -80,26 +82,28 @@ pub(crate) async fn reader_loop(
            let frame = dec.split_to(fl);
            let pe = fl - 4;
            let ec = u32::from_le_bytes(frame[pe..pe + 4].try_into().unwrap());
-            if crc32(&frame[..pe]) != ec {
+            let actual_crc = rpc_crc(crc_mode, &frame[..pe]);
-                warn!("CRC mismatch in data frame");
+            if actual_crc != ec {
-                crc_errors += 1;
+                stats.increment_me_crc_mismatch();
-                if crc_errors > 3 {
+                warn!(
-                    return Err(ProxyError::Proxy("Too many CRC mismatches".into()));
+                    frame_len = fl,
-                }
+                    expected_crc = format_args!("0x{ec:08x}"),
-                continue;
+                    actual_crc = format_args!("0x{actual_crc:08x}"),
                    "CRC mismatch — CBC crypto desync, aborting ME connection"
                );
                return Err(ProxyError::Proxy("CRC mismatch (crypto desync)".into()));
            }
            let seq_no = i32::from_le_bytes(frame[4..8].try_into().unwrap());
            if seq_no != expected_seq {
                stats.increment_me_seq_mismatch();
                warn!(seq_no, expected = expected_seq, "ME RPC seq mismatch");
-                seq_mismatch += 1;
+                return Err(ProxyError::SeqNoMismatch {
-                if seq_mismatch > 10 {
+                    expected: expected_seq,
-                    return Err(ProxyError::Proxy("Too many seq mismatches".into()));
+                    got: seq_no,
-                }
+                });
                expected_seq = seq_no.wrapping_add(1);
            } else {
                expected_seq = expected_seq.wrapping_add(1);
            }
            expected_seq = expected_seq.wrapping_add(1);
            let payload = &frame[8..pe];
            if payload.len() < 4 {
@@ -116,7 +120,13 @@ pub(crate) async fn reader_loop(
                trace!(cid, flags, len = data.len(), "RPC_PROXY_ANS");
                let routed = reg.route(cid, MeResponse::Data { flags, data }).await;
-                if !routed {
+                if !matches!(routed, RouteResult::Routed) {
                    match routed {
                        RouteResult::NoConn => stats.increment_me_route_drop_no_conn(),
                        RouteResult::ChannelClosed => stats.increment_me_route_drop_channel_closed(),
                        RouteResult::QueueFull => stats.increment_me_route_drop_queue_full(),
                        RouteResult::Routed => {}
                    }
                    reg.unregister(cid).await;
                    send_close_conn(&tx, cid).await;
                }
@@ -126,7 +136,13 @@ pub(crate) async fn reader_loop(
                trace!(cid, cfm, "RPC_SIMPLE_ACK");
                let routed = reg.route(cid, MeResponse::Ack(cfm)).await;
-                if !routed {
+                if !matches!(routed, RouteResult::Routed) {
                    match routed {
                        RouteResult::NoConn => stats.increment_me_route_drop_no_conn(),
                        RouteResult::ChannelClosed => stats.increment_me_route_drop_channel_closed(),
                        RouteResult::QueueFull => stats.increment_me_route_drop_queue_full(),
                        RouteResult::Routed => {}
                    }
                    reg.unregister(cid).await;
                    send_close_conn(&tx, cid).await;
                }
@@ -152,6 +168,7 @@ pub(crate) async fn reader_loop(
                }
            } else if pt == RPC_PONG_U32 && body.len() >= 8 {
                let ping_id = i64::from_le_bytes(body[0..8].try_into().unwrap());
                stats.increment_me_keepalive_pong();
                if let Some((sent, wid)) = {
                    let mut guard = ping_tracker.lock().await;
                    guard.remove(&ping_id)
--- a/src/transport/middle_proxy/registry.rs
+++ b/src/transport/middle_proxy/registry.rs
@@ -1,13 +1,25 @@
 use std::collections::{HashMap, HashSet};
 use std::net::SocketAddr;
 use std::sync::atomic::{AtomicU64, Ordering};
-use std::sync::Arc;
+use std::time::Duration;
-use tokio::sync::{mpsc, Mutex, RwLock};
+use tokio::sync::{mpsc, RwLock};
 use tokio::sync::mpsc::error::TrySendError;
 use super::codec::WriterCommand;
 use super::MeResponse;
 const ROUTE_CHANNEL_CAPACITY: usize = 4096;
 const ROUTE_BACKPRESSURE_TIMEOUT: Duration = Duration::from_millis(25);
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum RouteResult {
    Routed,
    NoConn,
    ChannelClosed,
    QueueFull,
 }
 #[derive(Clone)]
 pub struct ConnMeta {
    pub target_dc: i16,
@@ -64,7 +76,7 @@ impl ConnRegistry {
    pub async fn register(&self) -> (u64, mpsc::Receiver<MeResponse>) {
        let id = self.next_id.fetch_add(1, Ordering::Relaxed);
-        let (tx, rx) = mpsc::channel(1024);
+        let (tx, rx) = mpsc::channel(ROUTE_CHANNEL_CAPACITY);
        self.inner.write().await.map.insert(id, tx);
        (id, rx)
    }
@@ -83,12 +95,27 @@ impl ConnRegistry {
        None
    }
-    pub async fn route(&self, id: u64, resp: MeResponse) -> bool {
+    pub async fn route(&self, id: u64, resp: MeResponse) -> RouteResult {
-        let inner = self.inner.read().await;
+        let tx = {
-        if let Some(tx) = inner.map.get(&id) {
+            let inner = self.inner.read().await;
-            tx.try_send(resp).is_ok()
+            inner.map.get(&id).cloned()
-        } else {
+        };
-            false
+
        let Some(tx) = tx else {
            return RouteResult::NoConn;
        };
        match tx.try_send(resp) {
            Ok(()) => RouteResult::Routed,
            Err(TrySendError::Closed(_)) => RouteResult::ChannelClosed,
            Err(TrySendError::Full(resp)) => {
                // Absorb short bursts without dropping/closing the session immediately.
                match tokio::time::timeout(ROUTE_BACKPRESSURE_TIMEOUT, tx.send(resp)).await {
                    Ok(Ok(())) => RouteResult::Routed,
                    Ok(Err(_)) => RouteResult::ChannelClosed,
                    Err(_) => RouteResult::QueueFull,
                }
            }
        }
    }
--- a/src/transport/middle_proxy/send.rs
+++ b/src/transport/middle_proxy/send.rs
@@ -62,6 +62,8 @@ impl MePool {
            let mut writers_snapshot = {
                let ws = self.writers.read().await;
                if ws.is_empty() {
                    // Create waiter before recovery attempts so notify_one permits are not missed.
                    let waiter = self.writer_available.notified();
                    drop(ws);
                    for family in self.family_order() {
                        let map = match family {
@@ -72,13 +74,19 @@ impl MePool {
                            for (ip, port) in addrs {
                                let addr = SocketAddr::new(*ip, *port);
                                if self.connect_one(addr, self.rng.as_ref()).await.is_ok() {
-                                    self.writer_available.notify_waiters();
+                                    self.writer_available.notify_one();
                                    break;
                                }
                            }
                        }
                    }
-                    if tokio::time::timeout(Duration::from_secs(3), self.writer_available.notified()).await.is_err() {
+                    if !self.writers.read().await.is_empty() {
                        continue;
                    }
                    if tokio::time::timeout(Duration::from_secs(3), waiter).await.is_err() {
                        if !self.writers.read().await.is_empty() {
                            continue;
                        }
                        return Err(ProxyError::Proxy("All ME connections dead (waited 3s)".into()));
                    }
                    continue;
--- a/src/transport/proxy_protocol.rs
+++ b/src/transport/proxy_protocol.rs
@@ -283,6 +283,58 @@ impl Default for ProxyProtocolV1Builder {
    }
 }
 /// Builder for PROXY protocol v2 header
 pub struct ProxyProtocolV2Builder {
    src: Option<SocketAddr>,
    dst: Option<SocketAddr>,
 }
 impl ProxyProtocolV2Builder {
    pub fn new() -> Self {
        Self { src: None, dst: None }
    }
    pub fn with_addrs(mut self, src: SocketAddr, dst: SocketAddr) -> Self {
        self.src = Some(src);
        self.dst = Some(dst);
        self
    }
    pub fn build(&self) -> Vec<u8> {
        let mut header = Vec::new();
        header.extend_from_slice(PROXY_V2_SIGNATURE);
        // version 2, PROXY command
        header.push(0x21);
        match (self.src, self.dst) {
            (Some(SocketAddr::V4(src)), Some(SocketAddr::V4(dst))) => {
                header.push(0x11); // INET + STREAM
                header.extend_from_slice(&(12u16).to_be_bytes());
                header.extend_from_slice(&src.ip().octets());
                header.extend_from_slice(&dst.ip().octets());
                header.extend_from_slice(&src.port().to_be_bytes());
                header.extend_from_slice(&dst.port().to_be_bytes());
            }
            (Some(SocketAddr::V6(src)), Some(SocketAddr::V6(dst))) => {
                header.push(0x21); // INET6 + STREAM
                header.extend_from_slice(&(36u16).to_be_bytes());
                header.extend_from_slice(&src.ip().octets());
                header.extend_from_slice(&dst.ip().octets());
                header.extend_from_slice(&src.port().to_be_bytes());
                header.extend_from_slice(&dst.port().to_be_bytes());
            }
            _ => {
                // LOCAL/UNSPEC: no address information
                header[12] = 0x20; // version 2, LOCAL command
                header.push(0x00);
                header.extend_from_slice(&0u16.to_be_bytes());
            }
        }
        header
    }
 }
 #[cfg(test)]
 mod tests {
    use super::*;
@@ -378,4 +430,4 @@ mod tests {
        let header = ProxyProtocolV1Builder::new().build();
        assert_eq!(header, b"PROXY UNKNOWN\r\n");
    }
-}
+}
--- a/src/transport/socket.rs
+++ b/src/transport/socket.rs
@@ -1,5 +1,7 @@
 //! TCP Socket Configuration
 use std::collections::HashSet;
 use std::fs;
 use std::io::Result;
 use std::net::{SocketAddr, IpAddr};
 use std::time::Duration;
@@ -122,6 +124,38 @@ pub fn get_local_addr(stream: &TcpStream) -> Option<SocketAddr> {
    stream.local_addr().ok()
 }
 /// Resolve primary IP address of a network interface by name.
 /// Returns the first address matching the requested family (IPv4/IPv6).
 #[cfg(unix)]
 pub fn resolve_interface_ip(name: &str, want_ipv6: bool) -> Option<IpAddr> {
    use nix::ifaddrs::getifaddrs;
    if let Ok(addrs) = getifaddrs() {
        for iface in addrs {
            if iface.interface_name == name {
                if let Some(address) = iface.address {
                    if let Some(v4) = address.as_sockaddr_in() {
                        if !want_ipv6 {
                            return Some(IpAddr::V4(v4.ip()));
                        }
                    } else if let Some(v6) = address.as_sockaddr_in6() {
                        if want_ipv6 {
                            return Some(IpAddr::V6(v6.ip().clone()));
                        }
                    }
                }
            }
        }
    }
    None
 }
 /// Stub for non-Unix platforms: interface name resolution unsupported.
 #[cfg(not(unix))]
 pub fn resolve_interface_ip(_name: &str, _want_ipv6: bool) -> Option<IpAddr> {
    None
 }
 /// Get peer address of a socket
 pub fn get_peer_addr(stream: &TcpStream) -> Option<SocketAddr> {
    stream.peer_addr().ok()
@@ -202,6 +236,133 @@ pub fn create_listener(addr: SocketAddr, options: &ListenOptions) -> Result<Sock
    Ok(socket)
 }
 /// Best-effort process list for listeners occupying the same local TCP port.
 #[derive(Debug, Clone)]
 pub struct ListenerProcessInfo {
    pub pid: u32,
    pub process: String,
 }
 /// Find processes currently listening on the local TCP port of `addr`.
 /// Returns an empty list when unsupported or when no owners can be resolved.
 pub fn find_listener_processes(addr: SocketAddr) -> Vec<ListenerProcessInfo> {
    #[cfg(target_os = "linux")]
    {
        find_listener_processes_linux(addr)
    }
    #[cfg(not(target_os = "linux"))]
    {
        let _ = addr;
        Vec::new()
    }
 }
 #[cfg(target_os = "linux")]
 fn find_listener_processes_linux(addr: SocketAddr) -> Vec<ListenerProcessInfo> {
    let inodes = listening_inodes_for_port(addr);
    if inodes.is_empty() {
        return Vec::new();
    }
    let mut out = Vec::new();
    let proc_entries = match fs::read_dir("/proc") {
        Ok(entries) => entries,
        Err(_) => return out,
    };
    for entry in proc_entries.flatten() {
        let pid = match entry.file_name().to_string_lossy().parse::<u32>() {
            Ok(pid) => pid,
            Err(_) => continue,
        };
        let fd_dir = entry.path().join("fd");
        let fd_entries = match fs::read_dir(fd_dir) {
            Ok(entries) => entries,
            Err(_) => continue,
        };
        let mut matched = false;
        for fd in fd_entries.flatten() {
            let link_target = match fs::read_link(fd.path()) {
                Ok(link) => link,
                Err(_) => continue,
            };
            let link_str = link_target.to_string_lossy();
            let Some(rest) = link_str.strip_prefix("socket:[") else {
                continue;
            };
            let Some(inode_str) = rest.strip_suffix(']') else {
                continue;
            };
            let Ok(inode) = inode_str.parse::<u64>() else {
                continue;
            };
            if inodes.contains(&inode) {
                matched = true;
                break;
            }
        }
        if matched {
            let process = fs::read_to_string(entry.path().join("comm"))
                .ok()
                .map(|s| s.trim().to_string())
                .filter(|s| !s.is_empty())
                .unwrap_or_else(|| "unknown".to_string());
            out.push(ListenerProcessInfo { pid, process });
        }
    }
    out.sort_by_key(|p| p.pid);
    out.dedup_by_key(|p| p.pid);
    out
 }
 #[cfg(target_os = "linux")]
 fn listening_inodes_for_port(addr: SocketAddr) -> HashSet<u64> {
    let path = match addr {
        SocketAddr::V4(_) => "/proc/net/tcp",
        SocketAddr::V6(_) => "/proc/net/tcp6",
    };
    let mut inodes = HashSet::new();
    let Ok(data) = fs::read_to_string(path) else {
        return inodes;
    };
    for line in data.lines().skip(1) {
        let cols: Vec<&str> = line.split_whitespace().collect();
        if cols.len() < 10 {
            continue;
        }
        // LISTEN state in /proc/net/tcp*
        if cols[3] != "0A" {
            continue;
        }
        let Some(port_hex) = cols[1].split(':').nth(1) else {
            continue;
        };
        let Ok(port) = u16::from_str_radix(port_hex, 16) else {
            continue;
        };
        if port != addr.port() {
            continue;
        }
        if let Ok(inode) = cols[9].parse::<u64>() {
            inodes.insert(inode);
        }
    }
    inodes
 }
 #[cfg(test)]
 mod tests {
    use super::*;
--- a/src/transport/upstream.rs
+++ b/src/transport/upstream.rs
@@ -5,6 +5,7 @@
 use std::collections::HashMap;
 use std::net::{SocketAddr, IpAddr};
 use std::sync::Arc;
 use std::sync::atomic::{AtomicUsize, Ordering};
 use std::time::Duration;
 use tokio::net::TcpStream;
 use tokio::sync::RwLock;
@@ -15,7 +16,7 @@ use tracing::{debug, warn, info, trace};
 use crate::config::{UpstreamConfig, UpstreamType};
 use crate::error::{Result, ProxyError};
 use crate::protocol::constants::{TG_DATACENTERS_V4, TG_DATACENTERS_V6, TG_DATACENTER_PORT};
-use crate::transport::socket::create_outgoing_socket_bound;
+use crate::transport::socket::{create_outgoing_socket_bound, resolve_interface_ip};
 use crate::transport::socks::{connect_socks4, connect_socks5};
 /// Number of Telegram datacenters
@@ -23,6 +24,8 @@ const NUM_DCS: usize = 5;
 /// Timeout for individual DC ping attempt
 const DC_PING_TIMEOUT_SECS: u64 = 5;
 /// Timeout for direct TG DC TCP connect readiness.
 const DIRECT_CONNECT_TIMEOUT_SECS: u64 = 10;
 // ============= RTT Tracking =============
@@ -84,6 +87,8 @@ struct UpstreamState {
    dc_latency: [LatencyEma; NUM_DCS],
    /// Per-DC IP version preference (learned from connectivity tests)
    dc_ip_pref: [IpPreference; NUM_DCS],
    /// Round-robin counter for bind_addresses selection
    bind_rr: Arc<AtomicUsize>,
 }
 impl UpstreamState {
@@ -95,6 +100,7 @@ impl UpstreamState {
            last_check: std::time::Instant::now(),
            dc_latency: [LatencyEma::new(0.3); NUM_DCS],
            dc_ip_pref: [IpPreference::Unknown; NUM_DCS],
            bind_rr: Arc::new(AtomicUsize::new(0)),
        }
    }
@@ -166,6 +172,46 @@ impl UpstreamManager {
        }
    }
    fn resolve_bind_address(
        interface: &Option<String>,
        bind_addresses: &Option<Vec<String>>,
        target: SocketAddr,
        rr: Option<&AtomicUsize>,
    ) -> Option<IpAddr> {
        let want_ipv6 = target.is_ipv6();
        if let Some(addrs) = bind_addresses {
            let candidates: Vec<IpAddr> = addrs
                .iter()
                .filter_map(|s| s.parse::<IpAddr>().ok())
                .filter(|ip| ip.is_ipv6() == want_ipv6)
                .collect();
            if !candidates.is_empty() {
                if let Some(counter) = rr {
                    let idx = counter.fetch_add(1, Ordering::Relaxed) % candidates.len();
                    return Some(candidates[idx]);
                }
                return candidates.first().copied();
            }
        }
        if let Some(iface) = interface {
            if let Ok(ip) = iface.parse::<IpAddr>() {
                if ip.is_ipv6() == want_ipv6 {
                    return Some(ip);
                }
            } else {
                #[cfg(unix)]
                if let Some(ip) = resolve_interface_ip(iface, want_ipv6) {
                    return Some(ip);
                }
            }
        }
        None
    }
    /// Select upstream using latency-weighted random selection.
    async fn select_upstream(&self, dc_idx: Option<i16>, scope: Option<&str>) -> Option<usize> {
        let upstreams = self.upstreams.read().await;
@@ -262,7 +308,12 @@ impl UpstreamManager {
        let start = Instant::now();
-        match self.connect_via_upstream(&upstream, target).await {
+        let bind_rr = {
            let guard = self.upstreams.read().await;
            guard.get(idx).map(|u| u.bind_rr.clone())
        };
        match self.connect_via_upstream(&upstream, target, bind_rr).await {
            Ok(stream) => {
                let rtt_ms = start.elapsed().as_secs_f64() * 1000.0;
                let mut guard = self.upstreams.write().await;
@@ -294,13 +345,27 @@ impl UpstreamManager {
        }
    }
-    async fn connect_via_upstream(&self, config: &UpstreamConfig, target: SocketAddr) -> Result<TcpStream> {
+    async fn connect_via_upstream(
        &self,
        config: &UpstreamConfig,
        target: SocketAddr,
        bind_rr: Option<Arc<AtomicUsize>>,
    ) -> Result<TcpStream> {
        match &config.upstream_type {
-            UpstreamType::Direct { interface } => {
+            UpstreamType::Direct { interface, bind_addresses } => {
-                let bind_ip = interface.as_ref()
+                let bind_ip = Self::resolve_bind_address(
-                    .and_then(|s| s.parse::<IpAddr>().ok());
+                    interface,
                    bind_addresses,
                    target,
                    bind_rr.as_deref(),
                );
                let socket = create_outgoing_socket_bound(target, bind_ip)?;
                if let Some(ip) = bind_ip {
                    debug!(bind = %ip, target = %target, "Bound outgoing socket");
                } else if interface.is_some() || bind_addresses.is_some() {
                    debug!(target = %target, "No matching bind address for target family");
                }
                socket.set_nonblocking(true)?;
                match socket.connect(&target.into()) {
@@ -312,7 +377,16 @@ impl UpstreamManager {
                let std_stream: std::net::TcpStream = socket.into();
                let stream = TcpStream::from_std(std_stream)?;
-                stream.writable().await?;
+                let connect_timeout = Duration::from_secs(DIRECT_CONNECT_TIMEOUT_SECS);
                match tokio::time::timeout(connect_timeout, stream.writable()).await {
                    Ok(Ok(())) => {}
                    Ok(Err(e)) => return Err(ProxyError::Io(e)),
                    Err(_) => {
                        return Err(ProxyError::ConnectionTimeout {
                            addr: target.to_string(),
                        });
                    }
                }
                if let Some(e) = stream.take_error()? {
                    return Err(ProxyError::Io(e));
                }
@@ -320,59 +394,128 @@ impl UpstreamManager {
                Ok(stream)
            },
            UpstreamType::Socks4 { address, interface, user_id } => {
-                let proxy_addr: SocketAddr = address.parse()
+                let connect_timeout = Duration::from_secs(DIRECT_CONNECT_TIMEOUT_SECS);
-                    .map_err(|_| ProxyError::Config("Invalid SOCKS4 address".to_string()))?;
+                // Try to parse as SocketAddr first (IP:port), otherwise treat as hostname:port
                let mut stream = if let Ok(proxy_addr) = address.parse::<SocketAddr>() {
                    // IP:port format - use socket with optional interface binding
                    let bind_ip = Self::resolve_bind_address(
                        interface,
                        &None,
                        proxy_addr,
                        bind_rr.as_deref(),
                    );
-                let bind_ip = interface.as_ref()
+                    let socket = create_outgoing_socket_bound(proxy_addr, bind_ip)?;
                    .and_then(|s| s.parse::<IpAddr>().ok());
-                let socket = create_outgoing_socket_bound(proxy_addr, bind_ip)?;
+                    socket.set_nonblocking(true)?;
                    match socket.connect(&proxy_addr.into()) {
                        Ok(()) => {},
                        Err(err) if err.raw_os_error() == Some(libc::EINPROGRESS) || err.kind() == std::io::ErrorKind::WouldBlock => {},
                        Err(err) => return Err(ProxyError::Io(err)),
                    }
-                socket.set_nonblocking(true)?;
+                    let std_stream: std::net::TcpStream = socket.into();
-                match socket.connect(&proxy_addr.into()) {
+                    let stream = TcpStream::from_std(std_stream)?;
                    Ok(()) => {},
                    Err(err) if err.raw_os_error() == Some(libc::EINPROGRESS) || err.kind() == std::io::ErrorKind::WouldBlock => {},
                    Err(err) => return Err(ProxyError::Io(err)),
                }
-                let std_stream: std::net::TcpStream = socket.into();
+                    match tokio::time::timeout(connect_timeout, stream.writable()).await {
-                let mut stream = TcpStream::from_std(std_stream)?;
+                        Ok(Ok(())) => {}
                        Ok(Err(e)) => return Err(ProxyError::Io(e)),
                        Err(_) => {
                            return Err(ProxyError::ConnectionTimeout {
                                addr: proxy_addr.to_string(),
                            });
                        }
                    }
                    if let Some(e) = stream.take_error()? {
                        return Err(ProxyError::Io(e));
                    }
                    stream
                } else {
                    // Hostname:port format - use tokio DNS resolution
                    // Note: interface binding is not supported for hostnames
                    if interface.is_some() {
                        warn!("SOCKS4 interface binding is not supported for hostname addresses, ignoring");
                    }
                    match tokio::time::timeout(connect_timeout, TcpStream::connect(address)).await {
                        Ok(Ok(stream)) => stream,
                        Ok(Err(e)) => return Err(ProxyError::Io(e)),
                        Err(_) => {
                            return Err(ProxyError::ConnectionTimeout {
                                addr: address.clone(),
                            });
                        }
                    }
                };
                stream.writable().await?;
                if let Some(e) = stream.take_error()? {
                    return Err(ProxyError::Io(e));
                }
                // replace socks user_id with config.selected_scope, if set
                let scope: Option<&str> = Some(config.selected_scope.as_str())
                    .filter(|s| !s.is_empty());
                let _user_id: Option<&str> = scope.or(user_id.as_deref());
-                connect_socks4(&mut stream, target, _user_id).await?;
+                match tokio::time::timeout(connect_timeout, connect_socks4(&mut stream, target, _user_id)).await {
                    Ok(Ok(())) => {}
                    Ok(Err(e)) => return Err(e),
                    Err(_) => {
                        return Err(ProxyError::ConnectionTimeout {
                            addr: target.to_string(),
                        });
                    }
                }
                Ok(stream)
            },
            UpstreamType::Socks5 { address, interface, username, password } => {
-                let proxy_addr: SocketAddr = address.parse()
+                let connect_timeout = Duration::from_secs(DIRECT_CONNECT_TIMEOUT_SECS);
-                    .map_err(|_| ProxyError::Config("Invalid SOCKS5 address".to_string()))?;
+                // Try to parse as SocketAddr first (IP:port), otherwise treat as hostname:port
                let mut stream = if let Ok(proxy_addr) = address.parse::<SocketAddr>() {
                    // IP:port format - use socket with optional interface binding
                    let bind_ip = Self::resolve_bind_address(
                        interface,
                        &None,
                        proxy_addr,
                        bind_rr.as_deref(),
                    );
-                let bind_ip = interface.as_ref()
+                    let socket = create_outgoing_socket_bound(proxy_addr, bind_ip)?;
                    .and_then(|s| s.parse::<IpAddr>().ok());
-                let socket = create_outgoing_socket_bound(proxy_addr, bind_ip)?;
+                    socket.set_nonblocking(true)?;
                    match socket.connect(&proxy_addr.into()) {
                        Ok(()) => {},
                        Err(err) if err.raw_os_error() == Some(libc::EINPROGRESS) || err.kind() == std::io::ErrorKind::WouldBlock => {},
                        Err(err) => return Err(ProxyError::Io(err)),
                    }
-                socket.set_nonblocking(true)?;
+                    let std_stream: std::net::TcpStream = socket.into();
-                match socket.connect(&proxy_addr.into()) {
+                    let stream = TcpStream::from_std(std_stream)?;
                    Ok(()) => {},
                    Err(err) if err.raw_os_error() == Some(libc::EINPROGRESS) || err.kind() == std::io::ErrorKind::WouldBlock => {},
                    Err(err) => return Err(ProxyError::Io(err)),
                }
-                let std_stream: std::net::TcpStream = socket.into();
+                    match tokio::time::timeout(connect_timeout, stream.writable()).await {
-                let mut stream = TcpStream::from_std(std_stream)?;
+                        Ok(Ok(())) => {}
-
+                        Ok(Err(e)) => return Err(ProxyError::Io(e)),
-                stream.writable().await?;
+                        Err(_) => {
-                if let Some(e) = stream.take_error()? {
+                            return Err(ProxyError::ConnectionTimeout {
-                    return Err(ProxyError::Io(e));
+                                addr: proxy_addr.to_string(),
-                }
+                            });
                        }
                    }
                    if let Some(e) = stream.take_error()? {
                        return Err(ProxyError::Io(e));
                    }
                    stream
                } else {
                    // Hostname:port format - use tokio DNS resolution
                    // Note: interface binding is not supported for hostnames
                    if interface.is_some() {
                        warn!("SOCKS5 interface binding is not supported for hostname addresses, ignoring");
                    }
                    match tokio::time::timeout(connect_timeout, TcpStream::connect(address)).await {
                        Ok(Ok(stream)) => stream,
                        Ok(Err(e)) => return Err(ProxyError::Io(e)),
                        Err(_) => {
                            return Err(ProxyError::ConnectionTimeout {
                                addr: address.clone(),
                            });
                        }
                    }
                };
                debug!(config = ?config, "Socks5 connection");
                // replace socks user:pass with config.selected_scope, if set
@@ -381,7 +524,20 @@ impl UpstreamManager {
                let _username: Option<&str> = scope.or(username.as_deref());
                let _password: Option<&str> = scope.or(password.as_deref());
-                connect_socks5(&mut stream, target, _username, _password).await?;
+                match tokio::time::timeout(
                    connect_timeout,
                    connect_socks5(&mut stream, target, _username, _password),
                )
                .await
                {
                    Ok(Ok(())) => {}
                    Ok(Err(e)) => return Err(e),
                    Err(_) => {
                        return Err(ProxyError::ConnectionTimeout {
                            addr: target.to_string(),
                        });
                    }
                }
                Ok(stream)
            },
        }
@@ -398,18 +554,18 @@ impl UpstreamManager {
        ipv4_enabled: bool,
        ipv6_enabled: bool,
    ) -> Vec<StartupPingResult> {
-        let upstreams: Vec<(usize, UpstreamConfig)> = {
+        let upstreams: Vec<(usize, UpstreamConfig, Arc<AtomicUsize>)> = {
            let guard = self.upstreams.read().await;
            guard.iter().enumerate()
-                .map(|(i, u)| (i, u.config.clone()))
+                .map(|(i, u)| (i, u.config.clone(), u.bind_rr.clone()))
                .collect()
        };
        let mut all_results = Vec::new();
-        for (upstream_idx, upstream_config) in &upstreams {
+        for (upstream_idx, upstream_config, bind_rr) in &upstreams {
            let upstream_name = match &upstream_config.upstream_type {
-                UpstreamType::Direct { interface } => {
+                UpstreamType::Direct { interface, .. } => {
                    format!("direct{}", interface.as_ref().map(|i| format!(" ({})", i)).unwrap_or_default())
                }
                UpstreamType::Socks4 { address, .. } => format!("socks4://{}", address),
@@ -424,7 +580,7 @@ impl UpstreamManager {
                    let result = tokio::time::timeout(
                        Duration::from_secs(DC_PING_TIMEOUT_SECS),
-                        self.ping_single_dc(&upstream_config, addr_v6)
+                        self.ping_single_dc(&upstream_config, Some(bind_rr.clone()), addr_v6)
                    ).await;
                    let ping_result = match result {
@@ -475,7 +631,7 @@ impl UpstreamManager {
                    let result = tokio::time::timeout(
                        Duration::from_secs(DC_PING_TIMEOUT_SECS),
-                        self.ping_single_dc(&upstream_config, addr_v4)
+                        self.ping_single_dc(&upstream_config, Some(bind_rr.clone()), addr_v4)
                    ).await;
                    let ping_result = match result {
@@ -538,7 +694,7 @@ impl UpstreamManager {
                            }
                            let result = tokio::time::timeout(
                                Duration::from_secs(DC_PING_TIMEOUT_SECS),
-                                self.ping_single_dc(&upstream_config, addr)
+                                self.ping_single_dc(&upstream_config, Some(bind_rr.clone()), addr)
                            ).await;
                            let ping_result = match result {
@@ -607,9 +763,14 @@ impl UpstreamManager {
        all_results
    }
-    async fn ping_single_dc(&self, config: &UpstreamConfig, target: SocketAddr) -> Result<f64> {
+    async fn ping_single_dc(
        &self,
        config: &UpstreamConfig,
        bind_rr: Option<Arc<AtomicUsize>>,
        target: SocketAddr,
    ) -> Result<f64> {
        let start = Instant::now();
-        let _stream = self.connect_via_upstream(config, target).await?;
+        let _stream = self.connect_via_upstream(config, target, bind_rr).await?;
        Ok(start.elapsed().as_secs_f64() * 1000.0)
    }
@@ -649,15 +810,16 @@ impl UpstreamManager {
            let count = self.upstreams.read().await.len();
            for i in 0..count {
-                let config = {
+                let (config, bind_rr) = {
                    let guard = self.upstreams.read().await;
-                    guard[i].config.clone()
+                    let u = &guard[i];
                    (u.config.clone(), u.bind_rr.clone())
                };
                let start = Instant::now();
                let result = tokio::time::timeout(
                    Duration::from_secs(10),
-                    self.connect_via_upstream(&config, dc_addr)
+                    self.connect_via_upstream(&config, dc_addr, Some(bind_rr.clone()))
                ).await;
                match result {
@@ -686,7 +848,7 @@ impl UpstreamManager {
                            let start2 = Instant::now();
                            let result2 = tokio::time::timeout(
                                Duration::from_secs(10),
-                                self.connect_via_upstream(&config, fallback_addr)
+                                self.connect_via_upstream(&config, fallback_addr, Some(bind_rr.clone()))
                            ).await;
                            let mut guard = self.upstreams.write().await;
--- a/telemt.service
+++ b/telemt.service
@@ -7,6 +7,7 @@ Type=simple
 WorkingDirectory=/bin
 ExecStart=/bin/telemt /etc/telemt.toml
 Restart=on-failure
 LimitNOFILE=65536
 [Install]
 WantedBy=multi-user.target
--- a/tools/tlsearch.py
+++ b/tools/tlsearch.py
@@ -0,0 +1,396 @@
 #!/usr/bin/env python3
 """
 TLS Profile Inspector
 Usage:
  python3 tools/tlsearch.py
  python3 tools/tlsearch.py tlsfront
  python3 tools/tlsearch.py tlsfront/petrovich.ru.json
  python3 tools/tlsearch.py tlsfront --only-current
 """
 from __future__ import annotations
 import argparse
 import datetime as dt
 import json
 from dataclasses import dataclass
 from pathlib import Path
 from typing import Any, Iterable
 TLS_VERSIONS = {
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
 }
 EXT_NAMES = {
    0: "server_name",
    5: "status_request",
    10: "supported_groups",
    11: "ec_point_formats",
    13: "signature_algorithms",
    16: "alpn",
    18: "signed_certificate_timestamp",
    21: "padding",
    23: "extended_master_secret",
    35: "session_ticket",
    43: "supported_versions",
    45: "psk_key_exchange_modes",
    51: "key_share",
 }
 CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x1304: "TLS_AES_128_CCM_SHA256",
    0x1305: "TLS_AES_128_CCM_8_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
 }
 NAMED_GROUPS = {
    0x001D: "x25519",
    0x0017: "secp256r1",
    0x0018: "secp384r1",
    0x0019: "secp521r1",
    0x0100: "ffdhe2048",
    0x0101: "ffdhe3072",
    0x0102: "ffdhe4096",
 }
@dataclass
 class ProfileRecognition:
    schema: str
    mode: str
    has_cert_info: bool
    has_full_cert_payload: bool
    cert_message_len: int
    cert_chain_count: int
    cert_chain_total_len: int
    issues: list[str]
 def to_hex(data: Iterable[int]) -> str:
    return "".join(f"{b:02x}" for b in data)
 def read_u16be(data: list[int], off: int = 0) -> int:
    return (data[off] << 8) | data[off + 1]
 def normalize_u8_list(value: Any) -> list[int]:
    if not isinstance(value, list):
        return []
    out: list[int] = []
    for item in value:
        if isinstance(item, int) and 0 <= item <= 0xFF:
            out.append(item)
        else:
            return []
    return out
 def as_dict(value: Any) -> dict[str, Any]:
    return value if isinstance(value, dict) else {}
 def as_int(value: Any, default: int = 0) -> int:
    return value if isinstance(value, int) else default
 def decode_version_pair(v: list[int]) -> str:
    if len(v) != 2:
        return f"invalid({v})"
    ver = read_u16be(v)
    return f"0x{ver:04x} ({TLS_VERSIONS.get(ver, 'unknown')})"
 def decode_cipher_suite(v: list[int]) -> str:
    if len(v) != 2:
        return f"invalid({v})"
    cs = read_u16be(v)
    name = CIPHER_NAMES.get(cs, "unknown")
    return f"0x{cs:04x} ({name})"
 def decode_supported_versions(data: list[int]) -> str:
    if len(data) == 2:
        ver = read_u16be(data)
        return f"selected=0x{ver:04x} ({TLS_VERSIONS.get(ver, 'unknown')})"
    if not data:
        return "empty"
    if len(data) < 3:
        return f"raw={to_hex(data)}"
    vec_len = data[0]
    versions: list[str] = []
    for i in range(1, min(1 + vec_len, len(data)), 2):
        if i + 1 >= len(data):
            break
        ver = read_u16be(data, i)
        versions.append(f"0x{ver:04x}({TLS_VERSIONS.get(ver, 'unknown')})")
    return "offered=[" + ", ".join(versions) + "]"
 def decode_key_share(data: list[int]) -> str:
    if len(data) < 4:
        return f"raw={to_hex(data)}"
    group = read_u16be(data, 0)
    key_len = read_u16be(data, 2)
    key_hex = to_hex(data[4 : 4 + min(key_len, len(data) - 4)])
    gname = NAMED_GROUPS.get(group, "unknown_group")
    return f"group=0x{group:04x}({gname}), key_len={key_len}, key={key_hex}"
 def decode_alpn(data: list[int]) -> str:
    if len(data) < 3:
        return f"raw={to_hex(data)}"
    total = read_u16be(data, 0)
    pos = 2
    vals: list[str] = []
    limit = min(len(data), 2 + total)
    while pos < limit:
        ln = data[pos]
        pos += 1
        if pos + ln > limit:
            break
        raw = bytes(data[pos : pos + ln])
        pos += ln
        try:
            vals.append(raw.decode("ascii"))
        except UnicodeDecodeError:
            vals.append(raw.hex())
    return "protocols=[" + ", ".join(vals) + "]"
 def decode_extension(ext_type: int, data: list[int]) -> str:
    if ext_type == 43:
        return decode_supported_versions(data)
    if ext_type == 51:
        return decode_key_share(data)
    if ext_type == 16:
        return decode_alpn(data)
    return f"raw={to_hex(data)}"
 def ts_to_iso(ts: Any) -> str:
    if not isinstance(ts, int):
        return "-"
    return dt.datetime.fromtimestamp(ts, tz=dt.timezone.utc).isoformat()
 def recognize_profile(obj: dict[str, Any]) -> ProfileRecognition:
    issues: list[str] = []
    sh = as_dict(obj.get("server_hello_template"))
    if not sh:
        issues.append("missing server_hello_template")
    version = normalize_u8_list(sh.get("version"))
    if version and len(version) != 2:
        issues.append("server_hello_template.version must have 2 bytes")
    app_sizes = obj.get("app_data_records_sizes")
    if not isinstance(app_sizes, list) or not app_sizes:
        issues.append("missing app_data_records_sizes")
    elif any((not isinstance(v, int) or v <= 0) for v in app_sizes):
        issues.append("app_data_records_sizes contains invalid values")
    if not isinstance(obj.get("total_app_data_len"), int):
        issues.append("missing total_app_data_len")
    cert_info = as_dict(obj.get("cert_info"))
    has_cert_info = bool(
        cert_info.get("subject_cn")
        or cert_info.get("issuer_cn")
        or cert_info.get("san_names")
        or isinstance(cert_info.get("not_before_unix"), int)
        or isinstance(cert_info.get("not_after_unix"), int)
    )
    cert_payload = as_dict(obj.get("cert_payload"))
    cert_message_len = 0
    cert_chain_count = 0
    cert_chain_total_len = 0
    has_full_cert_payload = False
    if cert_payload:
        cert_msg = normalize_u8_list(cert_payload.get("certificate_message"))
        if not cert_msg:
            issues.append("cert_payload.certificate_message is missing or invalid")
        else:
            cert_message_len = len(cert_msg)
        chain_raw = cert_payload.get("cert_chain_der")
        if not isinstance(chain_raw, list):
            issues.append("cert_payload.cert_chain_der is missing or invalid")
        else:
            for entry in chain_raw:
                cert = normalize_u8_list(entry)
                if cert:
                    cert_chain_count += 1
                    cert_chain_total_len += len(cert)
                else:
                    issues.append("cert_payload.cert_chain_der has invalid certificate entry")
                    break
        has_full_cert_payload = cert_message_len > 0 and cert_chain_count > 0
    elif obj.get("cert_payload") is not None:
        issues.append("cert_payload is not an object")
    if has_full_cert_payload:
        schema = "current"
        mode = "full-cert-payload"
    elif has_cert_info:
        schema = "current-compact"
        mode = "compact-cert-info"
    else:
        schema = "legacy"
        mode = "random-fallback"
    if issues:
        schema = f"{schema}+issues"
    return ProfileRecognition(
        schema=schema,
        mode=mode,
        has_cert_info=has_cert_info,
        has_full_cert_payload=has_full_cert_payload,
        cert_message_len=cert_message_len,
        cert_chain_count=cert_chain_count,
        cert_chain_total_len=cert_chain_total_len,
        issues=issues,
    )
 def decode_profile(path: Path) -> tuple[str, ProfileRecognition]:
    obj: dict[str, Any] = json.loads(path.read_text(encoding="utf-8"))
    recognition = recognize_profile(obj)
    sh = as_dict(obj.get("server_hello_template"))
    version = normalize_u8_list(sh.get("version"))
    cipher = normalize_u8_list(sh.get("cipher_suite"))
    random_bytes = normalize_u8_list(sh.get("random"))
    session_id = normalize_u8_list(sh.get("session_id"))
    lines: list[str] = []
    lines.append(f"[{path.name}]")
    lines.append(f"  domain: {obj.get('domain', '-')}")
    lines.append(f"  profile.schema: {recognition.schema}")
    lines.append(f"  profile.mode: {recognition.mode}")
    lines.append(f"  profile.has_full_cert_payload: {recognition.has_full_cert_payload}")
    lines.append(f"  profile.has_cert_info: {recognition.has_cert_info}")
    if recognition.has_full_cert_payload:
        lines.append(f"  profile.cert_message_len: {recognition.cert_message_len}")
        lines.append(f"  profile.cert_chain_count: {recognition.cert_chain_count}")
        lines.append(f"  profile.cert_chain_total_len: {recognition.cert_chain_total_len}")
    if recognition.issues:
        lines.append("  profile.issues:")
        for issue in recognition.issues:
            lines.append(f"    - {issue}")
    lines.append(f"  tls.version: {decode_version_pair(version)}")
    lines.append(f"  tls.cipher: {decode_cipher_suite(cipher)}")
    lines.append(f"  tls.compression: {sh.get('compression', '-')}")
    lines.append(f"  tls.random: {to_hex(random_bytes)}")
    lines.append(f"  tls.session_id_len: {len(session_id)}")
    if session_id:
        lines.append(f"  tls.session_id: {to_hex(session_id)}")
    app_sizes = obj.get("app_data_records_sizes", [])
    if isinstance(app_sizes, list):
        lines.append("  app_data_records_sizes: " + ", ".join(str(v) for v in app_sizes))
    else:
        lines.append("  app_data_records_sizes: -")
    lines.append(f"  total_app_data_len: {obj.get('total_app_data_len', '-')}")
    cert = as_dict(obj.get("cert_info"))
    if cert:
        lines.append("  cert_info:")
        lines.append(f"    subject_cn: {cert.get('subject_cn') or '-'}")
        lines.append(f"    issuer_cn: {cert.get('issuer_cn') or '-'}")
        lines.append(f"    not_before: {ts_to_iso(cert.get('not_before_unix'))}")
        lines.append(f"    not_after:  {ts_to_iso(cert.get('not_after_unix'))}")
        sans = cert.get("san_names")
        if isinstance(sans, list) and sans:
            lines.append("    san_names: " + ", ".join(str(v) for v in sans))
        else:
            lines.append("    san_names: -")
    else:
        lines.append("  cert_info: -")
    exts = sh.get("extensions", [])
    if not isinstance(exts, list):
        exts = []
    lines.append(f"  extensions[{len(exts)}]:")
    for ext in exts:
        ext_obj = as_dict(ext)
        ext_type = as_int(ext_obj.get("ext_type"), -1)
        data = normalize_u8_list(ext_obj.get("data"))
        name = EXT_NAMES.get(ext_type, "unknown")
        decoded = decode_extension(ext_type, data)
        lines.append(f"    - type={ext_type} ({name}), len={len(data)}: {decoded}")
    lines.append("")
    return ("\n".join(lines), recognition)
 def collect_files(input_path: Path) -> list[Path]:
    if input_path.is_file():
        return [input_path]
    return sorted(p for p in input_path.glob("*.json") if p.is_file())
 def main() -> int:
    parser = argparse.ArgumentParser(
        description="Decode TLS profile JSON files and recognize current schema."
    )
    parser.add_argument(
        "path",
        nargs="?",
        default="tlsfront",
        help="Path to tlsfront directory or a single JSON file.",
    )
    parser.add_argument(
        "--only-current",
        action="store_true",
        help="Show only profiles recognized as current/full-cert-payload.",
    )
    args = parser.parse_args()
    base = Path(args.path)
    if not base.exists():
        print(f"Path not found: {base}")
        return 1
    files = collect_files(base)
    if not files:
        print(f"No JSON files found in: {base}")
        return 1
    printed = 0
    for path in files:
        try:
            rendered, recognition = decode_profile(path)
            if args.only_current and recognition.schema != "current":
                continue
            print(rendered, end="")
            printed += 1
        except Exception as e:  # noqa: BLE001
            print(f"[{path.name}] decode error: {e}\n")
    if args.only_current and printed == 0:
        print("No current profiles found.")
    return 0
 if __name__ == "__main__":
    raise SystemExit(main())
Author	SHA1	Message	Date
Alexey	23af3cad5d	Update Cargo.toml	2026-02-23 06:04:36 +03:00
Alexey	c1990d81c2	Merge pull request #210 from telemt/flow TLS Full Certificate	2026-02-23 05:57:58 +03:00
Alexey	065cf21c66	Update tlsearch.py	2026-02-23 05:55:17 +03:00
Alexey	4011812fda	TLS FC TTL Improvements	2026-02-23 05:48:55 +03:00
Alexey	b5d0564f2a	Time-To-Life for TLS Full Certificate	2026-02-23 05:47:44 +03:00
Alexey	cfe8fc72a5	TLS-F tuning Once - full certificate chain, next - only metadata	2026-02-23 05:42:07 +03:00
Alexey	3e4b98b002	TLS Emulator tuning	2026-02-23 05:23:28 +03:00
Alexey	427d65627c	Drafting new TLS Fetcher	2026-02-23 05:16:00 +03:00
Alexey	ae8124d6c6	Drafting TLS Certificates in TLS ServerHello	2026-02-23 05:12:35 +03:00
Alexey	06b9693cf0	Create tlsearch.py	2026-02-23 04:54:32 +03:00
Alexey	869d1429ac	Merge pull request #209 from telemt/flow ME Pool + ME Hotpath + ME Buffers tuning	2026-02-23 04:05:25 +03:00
Alexey	eaba926fe5	ME Buffer reuse + Bytes Len over Full + Seq-no over Wrap-add Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-02-23 03:52:37 +03:00
Alexey	536e6417a0	Update Cargo.toml	2026-02-23 03:48:40 +03:00
Alexey	ecad96374a	ME Pool tuning Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-02-23 03:41:51 +03:00
Alexey	4895217828	Bounded backpressure + Semaphore Globalgate + Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-02-23 03:32:06 +03:00
Alexey	d0a8d31c3c	Update README.md	2026-02-23 03:27:58 +03:00
Alexey	4d83cc1f04	Merge branch 'flow' of https://github.com/telemt/telemt into flow	2026-02-23 03:20:28 +03:00
Alexey	c4c91863f0	Middle-End tuning Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-02-23 03:20:13 +03:00
Alexey	aae3e2665e	Merge pull request #208 from telemt/flow Middle-End protocol hardening	2026-02-23 02:51:01 +03:00
Alexey	a5c7a41c49	Update types.rs	2026-02-23 02:48:03 +03:00
Alexey	7cc78a5746	Update types.rs	2026-02-23 02:45:16 +03:00
Alexey	cf96e686d1	Update Cargo.toml	2026-02-23 02:41:54 +03:00
Alexey	d4d867156a	Secure Payload length fixes	2026-02-23 02:38:25 +03:00
Alexey	8c1d66a03e	Update Cargo.toml	2026-02-23 02:32:13 +03:00
Alexey	6ff29e43d3	Middle-End protocol hardening - Secure framing / hot-path fix: enforced a single length + padding contract across the framing layer. Replaced legacy runtime `len % 4` recovery with strict validation to eliminate undefined behavior paths. - ME RPC aligned with C reference contract: handshake now includes `flags + sender_pid + peer_pid`. Added negotiated CRC mode (CRC32 / CRC32C) and applied the negotiated mode consistently in read/write paths. - Sequence fail-fast semantics: immediate connection termination on first sequence mismatch with dedicated counter increment. - Keepalive reworked to RPC ping/pong: removed raw CBC keepalive frames. Introduced stale ping tracker with proper timeout accounting. - Route/backpressure observability improvements: increased per-connection route queue to 4096. Added `RouteResult` with explicit failure reasons (NoConn, ChannelClosed, QueueFull) and per-reason counters. - Direct-DC secure mode-gate relaxation: removed TLS/secure conflict in Direct-DC handshake path.	2026-02-23 02:28:00 +03:00
Alexey	208020817a	Update AGENTS_SYSTEM_PROMT.md	2026-02-23 01:51:50 +03:00
Alexey	6864f49292	Merge pull request #207 from telemt/neurosl0pe Update AGENTS_SYSTEM_PROMT.md	2026-02-23 01:27:45 +03:00
Alexey	726fb77ccc	Update AGENTS_SYSTEM_PROMT.md	2026-02-23 01:27:27 +03:00
Alexey	69be44b2b6	Merge pull request #206 from telemt/flow Flush on Response + Hotpath tunings + Reuseport Checker	2026-02-23 01:03:15 +03:00
Alexey	07ca94ce57	Reuseport Checker	2026-02-23 00:55:47 +03:00
Alexey	d050c4794a	Hotpath tunings Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-02-23 00:50:10 +03:00
Alexey	197f9867e0	Flush-response experiments Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-02-22 23:53:10 +03:00
Alexey	78dfc2bc39	Merge pull request #205 from axemanofic/feature/build-and-push-docker Add docker-image in ghrc	2026-02-22 16:45:10 +03:00
Alexey	fcf37a1a69	Merge pull request #203 from Dimasssss/main Moving parameters from config.toml to the code	2026-02-22 16:36:12 +03:00
Roman Sotnikov	cc9e71a737	fix: fix push image to telemt	2026-02-22 16:29:04 +03:00
Roman Sotnikov	eb96fcbf76	fix: fix push image to telemt	2026-02-22 16:17:44 +03:00
Roman Sotnikov	ad167f9b1a	style(yaml): fix formating for build-push-docker	2026-02-22 15:55:30 +03:00
Roman Sotnikov	df7bd39f25	style(yaml): fix formating for build-push-docker	2026-02-22 15:53:31 +03:00
Roman Sotnikov	f4c047748d	feat: add gh docker-image	2026-02-22 15:42:57 +03:00
Dimasssss	c5f5b43494	Update README.md	2026-02-22 01:24:50 +03:00
Dimasssss	b2aaf404e1	Add files via upload	2026-02-22 01:19:26 +03:00
Alexey	d552ae84d0	Merge pull request #200 from telemt/flow ME Connection lost fixes	2026-02-21 16:31:49 +03:00
Alexey	3ab56f55e9	ME Connection error handling	2026-02-21 16:28:47 +03:00
Alexey	06d2cdef78	ME Connection lost fixes	2026-02-21 16:12:19 +03:00
Alexey	1be4422431	Merge pull request #199 from telemt/axkurcom-patch-1 Update Cargo.toml	2026-02-21 14:11:34 +03:00
Alexey	3d3428ad4d	Update Cargo.toml	2026-02-21 14:11:12 +03:00
Alexey	eaff96b8c1	Merge pull request #198 from telemt/flow Peer - Connection closed fixes	2026-02-21 14:09:05 +03:00
Alexey	7bf6f3e071	Merge pull request #195 from ivulit/fix/mask-host-tls-emulation Use mask_host for TLS emulation fetcher	2026-02-21 13:58:38 +03:00
Alexey	c3ebb42120	Peer - Connection closed fixes	2026-02-21 13:56:24 +03:00
Alexey	8d93695194	Merge pull request #196 from telemt/axkurcom-patch-1 Update Cargo.toml	2026-02-21 13:21:00 +03:00
Alexey	40711fda09	Update Cargo.toml	2026-02-21 13:20:44 +03:00
ivulit	6ce25c6600	Use mask_host for TLS emulation fetcher	2026-02-21 10:40:59 +03:00
Alexey	1a525f7d29	Merge pull request #191 from Dimasssss/patch-1 Update config.toml	2026-02-21 05:10:25 +03:00
Alexey	2dcbdbe302	Merge pull request #194 from telemt/flow ME Frame too large Fixes	2026-02-21 05:04:42 +03:00
Alexey	1bd495a224	Fixed tests	2026-02-21 04:04:49 +03:00
Alexey	b0e6c04c54	Merge pull request #193 from artemws/main Fix config reload for Docker	2026-02-21 03:37:48 +03:00
Alexey	d5a7882ad1	Merge pull request #190 from vladon/feature/socks-hostname-support feat: add hostname support for SOCKS4/SOCKS5 upstream proxies	2026-02-21 03:36:58 +03:00
Alexey	83fc9d6db3	Middle-End Fixes Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-02-21 03:36:13 +03:00
Alexey	c9a043d8d5	ME Frame too large Fixes Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-02-21 02:15:10 +03:00
artemws	a74bdf8aea	Update hot_reload.rs	2026-02-20 23:03:26 +02:00
Dimasssss	94e9bfbbb9	Update config.toml	2026-02-20 22:23:16 +03:00
Dimasssss	18c1444904	Update config.toml	2026-02-20 22:04:56 +03:00
Dimasssss	3b89c1ce7e	Update config.toml user_expirations	2026-02-20 22:02:34 +03:00
Vladislav Yaroslavlev	100cb92ad1	feat: add hostname support for SOCKS4/SOCKS5 upstream proxies Previously, SOCKS proxy addresses only accepted IP:port format. Now both IP:port and hostname:port formats are supported. Changes: - Try parsing as SocketAddr first (IP:port) for backward compatibility - Fall back to tokio::net::TcpStream::connect() for hostname resolution - Log warning if interface binding is specified with hostname (not supported) Example usage: [[upstreams]] type = "socks5" address = "proxy.example.com:1080" username = "user" password = "pass"	2026-02-20 21:42:15 +03:00
Alexey	7da062e448	Merge pull request #188 from telemt/main-stage From staging #185 + #186 -> main	2026-02-20 18:04:58 +03:00
Alexey	1fd78e012d	Metrics + Fixes in tests	2026-02-20 18:02:02 +03:00
Alexey	7304dacd60	Update main.rs	2026-02-20 17:42:20 +03:00
Alexey	3bff0629ca	Merge pull request #187 from artemws/patch-1 Update metrics whitelist in README	2026-02-20 17:26:50 +03:00
Alexey	a79f0bbaf5	Merge pull request #186 from telemt/flow TLS-F + PROXY Protocol Fixes	2026-02-20 17:25:06 +03:00
artemws	aa535bba0a	Update metrics whitelist in README Expanded metrics whitelist to include additional IP ranges.	2026-02-20 16:24:02 +02:00
Alexey	eb3245b78f	Merge branch 'main-stage' into flow	2026-02-20 17:19:23 +03:00
Alexey	da84151e9f	Merge pull request #184 from artemws/main CIDR вместо обычного IP адреса metrics_whitelist	2026-02-20 17:15:54 +03:00
Alexey	a303fee65f	ALPN Extract tests Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-02-20 17:12:16 +03:00
Alexey	bae811f8f1	Update Cargo.toml	2026-02-20 17:05:35 +03:00
artemws	8892860490	Change whitelist to use IpNetwork for IP filtering	2026-02-20 16:04:21 +02:00
artemws	0d2958fea7	Change metrics whitelist to use IpNetwork	2026-02-20 16:03:57 +02:00
artemws	dbd9b53940	Change metrics_whitelist type from Vec<IpAddr> to Vec<IpNetwork>	2026-02-20 16:03:38 +02:00
artemws	8f1f051a54	Add ipnetwork dependency to Cargo.toml	2026-02-20 16:03:03 +02:00
Alexey	471c680def	TLS Improvements Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-02-20 17:02:17 +03:00
Alexey	be8742a229	Merge pull request #183 from artemws/main Config Reload-on-fly	2026-02-20 16:57:38 +03:00
Alexey	781947a08a	TlsFrontCache + X509 Parser + GREASE Tolerance Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-02-20 16:56:33 +03:00
Alexey	b295712dbb	Update Cargo.toml	2026-02-20 16:47:13 +03:00
Alexey	e8454ea370	HAProxy PROXY Protocol Fixes Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-02-20 16:42:40 +03:00
artemws	ea88a40c8f	Add config path canonicalization Canonicalize the config path to match notify events.	2026-02-20 15:37:44 +02:00
Alexey	2ea4c83d9d	Normalize IP + Masking + TLS	2026-02-20 16:32:14 +03:00
artemws	953fab68c4	Refactor hot-reload mechanism to use notify crate Updated hot-reload functionality to use notify crate for file watching and improved documentation.	2026-02-20 15:29:37 +02:00
artemws	0f6621d359	Refactor hot-reload watcher implementation	2026-02-20 15:29:20 +02:00
artemws	82bb93e8da	Add notify dependency for macOS file events	2026-02-20 15:28:58 +02:00
artemws	25b18ab064	Enhance logging for hot reload configuration changes Added detailed logging for various configuration changes during hot reload, including log level, ad tag, middle proxy pool size, and user access changes.	2026-02-20 14:50:37 +02:00
artemws	3e0dc91db6	Add PartialEq to AccessConfig struct	2026-02-20 14:37:00 +02:00
artemws	26270bc651	Specify types for config_rx in main.rs	2026-02-20 14:27:31 +02:00
Alexey	be2ec4b9b4	Update CONTRIBUTING.md	2026-02-20 15:22:18 +03:00
artemws	766806f5df	Add hot_reload module to config	2026-02-20 14:19:04 +02:00
artemws	26cf6ff4fa	Add files via upload	2026-02-20 14:18:30 +02:00
artemws	b8add81018	Implement hot-reload for config and log level Added hot-reload functionality for configuration and log level.	2026-02-20 14:18:09 +02:00
Alexey	5be81952f3	Merge pull request #182 from Resquer/main Update telemt.service	2026-02-20 14:44:15 +03:00
Alexey	7ce2e33bae	Merge pull request #181 from telemt/flow TLS Front: emulation fixes	2026-02-20 14:43:45 +03:00
Resquer	9e2f0af5be	Update telemt.service	2026-02-20 14:38:55 +03:00
Alexey	4d72cb1680	TLS-F: Emu fixes	2026-02-20 14:32:09 +03:00
Alexey	79eebeb9ef	TLS-F: Fetcher fixes	2026-02-20 14:31:58 +03:00
Alexey	1045289539	TLS-F: Emu: stable CipherSuite	2026-02-20 14:15:45 +03:00
Alexey	3d0b32edf5	TLS-F: Emu researching	2026-02-20 14:02:06 +03:00
Alexey	41601a40fc	Update config.toml	2026-02-20 13:51:50 +03:00
Alexey	a2cc503e81	Update Cargo.toml	2026-02-20 13:48:32 +03:00
Alexey	5ee4556cea	Merge pull request #180 from telemt/flow TLS Front - Fake TLS V2	2026-02-20 13:45:01 +03:00
Alexey	487aa8fbce	TLS-F: Fetcher V2	2026-02-20 13:36:54 +03:00
Alexey	32a9405002	TLS-F: fixes Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-02-20 13:14:33 +03:00
Alexey	708bedc95e	TLS-F: build fixes Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>	2026-02-20 13:14:09 +03:00
Alexey	ce64bf1cee	TLS-F: pulling main.rs	2026-02-20 13:02:43 +03:00
Alexey	f4b79f2f79	TLS-F: ClientHello Extractor	2026-02-20 12:58:04 +03:00
Alexey	9a907a2470	TLS-F: added Emu + Cache	2026-02-20 12:55:26 +03:00
Alexey	e6839adc17	TLS Front - Fake TLS V2 Core	2026-02-20 12:51:35 +03:00
Alexey	5e98b35fb7	Drafting Fake-TLS V2	2026-02-20 12:48:51 +03:00
Alexey	af35ad3923	Merge pull request #174 from telemt/axkurcom-patch-1 Update CONTRIBUTING.md	2026-02-20 00:37:39 +03:00
Alexey	8f47fa6dd8	Update CONTRIBUTING.md	2026-02-20 00:37:20 +03:00
Alexey	453fb477db	Merge pull request #173 from Dimasssss/main Update README.md	2026-02-19 22:25:16 +03:00
Dimasssss	42ae148e78	Update README.md	2026-02-19 22:15:24 +03:00
Alexey	a7e840c19b	Merge pull request #172 from Dimasssss/main Update README.md	2026-02-19 21:44:17 +03:00
Dimasssss	1593fc4e53	Update README.md Updating the link in the Quick Start Guide	2026-02-19 21:39:56 +03:00
Alexey	fc8010a861	Update README.md	2026-02-19 21:16:07 +03:00
Alexey	7293b8eb32	Update config.toml	2026-02-19 21:15:42 +03:00
Alexey	6934faaf93	Update README.md	2026-02-19 20:41:07 +03:00
Alexey	66fdc3a34d	Update config.toml	2026-02-19 20:40:11 +03:00
Alexey	0c4d9301ec	Update config.toml	2026-02-19 20:36:09 +03:00