From d5f918594daf7ebebca7589701c4c15bbf5f12e6 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 28 Dec 2025 16:53:18 +0000
Subject: [PATCH 1/2] Initial plan
From 4e50f9e0396d67fee2ea0cac7622d93cdfed15d4 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 28 Dec 2025 16:57:38 +0000
Subject: [PATCH 2/2] Fix TLS ClientHello detection to support TLS 1.2/1.3
Co-authored-by: dvershinin <250071+dvershinin@users.noreply.github.com>
---
 net/net-tcp-rpc-ext-server.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/net-tcp-rpc-ext-server.c b/net/net-tcp-rpc-ext-server.c
index 5e9b4eb..7e4a34c 100644
--- a/net/net-tcp-rpc-ext-server.c
+++ b/net/net-tcp-rpc-ext-server.c
@@ -1043,6 +1043,8 @@ int tcp_rpcs_compact_parse_execute (connection_job_t C) {
 if (D->in_packet_num == -3) {
 vkprintf (1, "trying to determine type of connection from %s:%d\n", show_remote_ip (C), c->remote_port);
+ vkprintf (2, "packet_len=0x%08x, ext_secret_cnt=%d, allow_only_tls=%d, C_IS_TLS=%d\n",
+ packet_len, ext_secret_cnt, allow_only_tls, !!(c->flags & C_IS_TLS));
 #if __ALLOW_UNOBFS__
 if ((packet_len & 0xff) == 0xef) {
 D->flags |= RPC_F_COMPACT;
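Review bot: The new level-2 `vkprintf` carries no connection identifier, so once log lines from different connections interleave it cannot be tied back to the level-1 line above it; the `Detected TLS ClientHello` message added in the second hunk has the same gap. Ending both format strings with a peer field, e.g. `"packet_len=0x%08x, ext_secret_cnt=%d, allow_only_tls=%d, C_IS_TLS=%d, peer=%s:%d\n"` with `show_remote_ip (C), c->remote_port` appended to the arguments, makes each line usable on its own when triaging probes against the port. `packet_len` is declared outside the hunk; if it is a signed `int`, passing `(unsigned) packet_len` to `%08x` keeps the format and argument types matched.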
@@ -1110,7 +1112,9 @@ int tcp_rpcs_compact_parse_execute (connection_job_t C) {
 assert (rwm_fetch_lookup (&c->in, &packet_len, 4) == 4);
 c->left_tls_packet_length -= 64; // skip header length
- } else if ((packet_len & 0xFFFFFF) == 0x010316 && (packet_len >> 24) >= 2 && ext_secret_cnt > 0 && allow_only_tls) {
+ } else if ((packet_len & 0xFF) == 0x16 && ((packet_len >> 8) & 0xFF) == 0x03 && (packet_len >> 24) >= 2 && ext_secret_cnt > 0 && allow_only_tls) {
+ // TLS ClientHello detection: 0x16 (handshake), 0x03 (SSL/TLS version major), any minor version (0x01=TLS1.0, 0x03=TLS1.2/1.3)
+ vkprintf (2, "Detected TLS ClientHello: packet_len=0x%08x, version=0x03%02x\n", packet_len, (packet_len >> 16) & 0xFF);
 unsigned char header[5];
 assert (rwm_fetch_lookup (&c->in, header, 5) == 5);
 min_len = 5 + 256 * header[3] + header[4];
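Review bot: The rewritten `} else if` condition checks only the content type (0x16) and the major version byte (0x03), so the minor byte in bits 16-23 is unconstrained and any value there now enters the TLS branch, although the added comment names only 0x01 and 0x03 as intended. TLS 1.2 and 1.3 clients send 0x0301 or 0x0303 in the record-layer version field, so the check can stay narrow by adding `&& ((packet_len >> 16) & 0xFF) >= 0x01 && ((packet_len >> 16) & 0xFF) <= 0x03` to the condition. The comment and log text also say "ClientHello", but these four bytes only establish a handshake record header and the handshake message type is not examined on the visible lines, so `Detected TLS handshake record` would describe the state more accurately. The branch body continues past the end of the hunk, so whether later code rejects unexpected versions or bounds `min_len` cannot be confirmed from here.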