Fix Vision SSL errors by not reading encrypted rawInput buffer

The issue occurs when switching to direct copy mode - Vision was incorrectly reading from rawInput buffer which contains ENCRYPTED outer TLS/Reality records and merging them with decrypted application data. This caused SSL protocol errors, especially with testpre where pre-established connections may have TLS session tickets or other post-handshake messages in rawInput. The fix: Only read from input buffer (decrypted application data), skip rawInput (encrypted TLS records). Fixes #4878 Co-authored-by: RPRX <63339210+RPRX@users.noreply.github.com>
2026-05-08 14:13:22 +00:00 · 2026-01-11 01:05:15 +00:00
parent ca12c4d909
commit 7d70aefa5f
1 changed files with 4 additions and 4 deletions
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@@ -256,13 +256,13 @@ func (w *VisionReader) ReadMultiBuffer() (buf.MultiBuffer, error) {
 	}

 	if *switchToDirectCopy {
-		// XTLS Vision processes TLS-like conn's input and rawInput
+		// XTLS Vision processes TLS-like conn's input
+		// Only read from input (decrypted application data), not rawInput (encrypted TLS records)
 		if inputBuffer, err := buf.ReadFrom(w.input); err == nil && !inputBuffer.IsEmpty() {
 			buffer, _ = buf.MergeMulti(buffer, inputBuffer)
 		}
-		if rawInputBuffer, err := buf.ReadFrom(w.rawInput); err == nil && !rawInputBuffer.IsEmpty() {
-			buffer, _ = buf.MergeMulti(buffer, rawInputBuffer)
-		}
+		// Do not read from rawInput - it contains encrypted outer TLS records that would corrupt the stream
+		// Just clear the buffers to release memory
 		*w.input = bytes.Reader{} // release memory
 		w.input = nil
 		*w.rawInput = bytes.Buffer{} // release memory