Fix TLS fingerprint detection in MTProto proxy ClientHello #1949
Open
reyohoho wants to merge 1 commit into
Replace extension type 0xfe02 with 0xfe0d (ECH draft identifier) and increase random data length from 20 to 32 bytes in TlsHello. These two values were causing TSPU (Russian DPI) to identify MTProto Fake-TLS proxy traffic via JA3/JA4 fingerprinting as TELEGRAM_TLS and block it since April 1, 2026. Inspired by telegramdesktop/tdesktop#30513 and commit 407bf19. Tested and confirmed working with MTProto Fake-TLS proxies on networks with active DPI filtering. Made-with: Cursor
dginorg
approved these changes
Apr 3, 2026
Originally posted by @dginorg in #617

2 tasks

Hello @Arseny271, please upgrade to the latest version. Thank you 🙏

Why is this critical fix still in beta? It was confirmed working in the first hours.

Pavel and team, stop writing about AI. Help us! Actual both for Android & iOS!

Fixed in 009e973

Awesome, thanks, mtproxy started working again. Waiting for it on iOS ❤️ hope to get it soon
Summary
Fixes MTProto Fake-TLS proxy detection by Russian DPI systems (TSPU/VAS Expert/RDP-Ru).
Two changes in TMessagesProj/jni/tgnet/ConnectionSocket.cpp (the TlsHello structure):

Op::string("\xfe\x02", 2) → Op::string("\xfe\x0d", 2)
Extension type 0xfe02 is not a valid TLS extension and was listed in the TSPU fingerprint database as TELEGRAM_TLS. Replaced with 0xfe0d (ECH draft-era identifier) to match a real ClientHello structure.

Op::random(20) → Op::random(32)
Random key data length increased from 20 to 32 bytes to match the standard X25519 key share size in TLS 1.3.
Motivation
Since April 1, 2026, TSPU (Russian state DPI, VAS Expert / RDP-Ru vendors) added TELEGRAM_TLS signature based on the old JA3/JA4 fingerprint of the MTProto Fake-TLS ClientHello. This caused mass blocking of MTProto proxy connections for users in Russia.

This is the Android equivalent of the fix accepted into Telegram Desktop:
→ telegramdesktop/tdesktop@407bf19 (inspired by telegramdesktop/tdesktop#30513)
John Preston confirmed in that PR:
Testing
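
Why a single extension type is enough to fix a JA3 fingerprint, shown as an added example that is not part of the pull request or the project's code: it parses a ClientHello and builds the JA3 string, whose third field is the ordered list of extension types. The two sample hellos are constructed, their extension bodies are placeholders rather than the real TlsHello layout, and the function names are hypothetical.

```python
import hashlib
import struct

GREASE = {0x0A0A + 0x1010 * i for i in range(16)}  # RFC 8701 values, skipped by JA3

def build_hello(exts, ciphers=(0x1301, 0x1302, 0x1303)):
    """Constructed ClientHello handshake message (sample input, not a capture)."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in exts)
    cs = struct.pack("!%dH" % len(ciphers), *ciphers)
    body = (b"\x03\x03" + bytes(32) + b"\x20" + bytes(32)    # version, random, session_id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"  # cipher suites, compression
            + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def parse_hello(msg):
    """Return (version, ciphers, [(ext_type, ext_body), ...]); ValueError if malformed."""
    try:
        version = struct.unpack_from("!H", msg, 4)[0]
        pos = 39 + msg[38]                     # past version, random, session_id
        n = struct.unpack_from("!H", msg, pos)[0]
        ciphers = struct.unpack_from("!%dH" % (n // 2), msg, pos + 2)
        pos += 2 + n
        pos += 1 + msg[pos]                    # past compression methods
        end = pos + 2 + struct.unpack_from("!H", msg, pos)[0]
        pos, exts = pos + 2, []
        while pos < end:
            t, length = struct.unpack_from("!HH", msg, pos)
            exts.append((t, msg[pos + 4:pos + 4 + length]))
            pos += 4 + length
    except (struct.error, IndexError):
        raise ValueError("truncated ClientHello") from None
    if msg[0] != 1 or pos != end or end != len(msg):
        raise ValueError("malformed ClientHello")
    return version, ciphers, exts

def ja3_string(msg):
    """JA3 input: version,ciphers,extensions,groups,point formats (GREASE dropped)."""
    version, ciphers, exts = parse_hello(msg)
    g = dict(exts).get(10, b"")                # supported_groups: 2-byte list length first
    groups = [int.from_bytes(g[i:i + 2], "big") for i in range(2, len(g) - 1, 2)]
    points = dict(exts).get(11, b"")[1:]       # ec_point_formats: 1-byte list length first
    fields = [ciphers, [t for t, _ in exts], groups, points]
    return ",".join([str(version)] + ["-".join(str(v) for v in f if v not in GREASE) for f in fields])

def ja3(msg):
    return hashlib.md5(ja3_string(msg).encode(), usedforsecurity=False).hexdigest()

# Constructed hellos that differ only in the last extension type; bodies are placeholders.
COMMON = [(0, b"\x00\x0e\x00\x00\x0bexample.org"), (10, b"\x00\x04\x00\x1d\x00\x17"),
          (11, b"\x01\x00"), (43, b"\x02\x03\x04")]
OLD, NEW = (build_hello(COMMON + [(t, bytes(8))]) for t in (0xFE02, 0xFE0D))
```

Because JA3 hashes only the type list and not the extension bodies, the byte-length change described above does not show up in this string; it affects length-sensitive matching instead.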