Fix disable_sni not working with custom RootCAs

2025-07-22 05:54:07 +08:00 · 2025-07-21 19:22:43 +08:00 · 2025-07-21 19:22:43 +08:00 · d71952d81f
commit d71952d81f
parent 837f6c44c2
2 changed files with 9 additions and 2 deletions
--- a/common/tls/std_client.go
+++ b/common/tls/std_client.go
@ -86,6 +86,8 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 		tlsConfig.InsecureSkipVerify = true
 		tlsConfig.VerifyConnection = func(state tls.ConnectionState) error {
 			verifyOptions := x509.VerifyOptions{
+				Roots:         tlsConfig.RootCAs,
+				CurrentTime:   tlsConfig.Time(),
 				DNSName:       serverName,
 				Intermediates: x509.NewCertPool(),
 			}
--- a/common/tls/utls_client.go
+++ b/common/tls/utls_client.go
@ -145,11 +145,16 @@ func NewUTLSClient(ctx context.Context, serverAddress string, options option.Out
 	var tlsConfig utls.Config
 	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	tlsConfig.RootCAs = adapter.RootPoolFromContext(ctx)
-	tlsConfig.ServerName = serverName
+	if !options.DisableSNI {
+		tlsConfig.ServerName = serverName
+	}
 	if options.Insecure {
 		tlsConfig.InsecureSkipVerify = options.Insecure
 	} else if options.DisableSNI {
-		return nil, E.New("disable_sni is unsupported in uTLS")
+		if options.Reality != nil && options.Reality.Enabled {
+			return nil, E.New("disable_sni is unsupported in reality")
+		}
+		tlsConfig.InsecureServerNameToVerify = serverName
 	}
 	if len(options.ALPN) > 0 {
 		tlsConfig.NextProtos = options.ALPN