From d71952d81fc996c60d2b540425a77c9db3af76df Mon Sep 17 00:00:00 2001
From: dyhkwong <50692134+dyhkwong@users.noreply.github.com>
Date: Mon, 21 Jul 2025 19:22:43 +0800
Subject: [PATCH] Fix disable_sni not working with custom RootCAs

---
 common/tls/std_client.go | 2 ++
 common/tls/utls_client.go | 9 +++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/common/tls/std_client.go b/common/tls/std_client.go
index 0705d949..2a77ed0c 100644
--- a/common/tls/std_client.go
+++ b/common/tls/std_client.go
@@ -86,6 +86,8 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 tlsConfig.InsecureSkipVerify = true
 tlsConfig.VerifyConnection = func(state tls.ConnectionState) error {
 verifyOptions := x509.VerifyOptions{
+ Roots: tlsConfig.RootCAs,
+ CurrentTime: tlsConfig.Time(),
 DNSName: serverName,
 Intermediates: x509.NewCertPool(),
 }
diff --git a/common/tls/utls_client.go b/common/tls/utls_client.go
index 6ed81eb4..f897e65c 100644
--- a/common/tls/utls_client.go
+++ b/common/tls/utls_client.go
@@ -145,11 +145,16 @@ func NewUTLSClient(ctx context.Context, serverAddress string, options option.Out
 var tlsConfig utls.Config
 tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 tlsConfig.RootCAs = adapter.RootPoolFromContext(ctx)
- tlsConfig.ServerName = serverName
+ if !options.DisableSNI {
+ tlsConfig.ServerName = serverName
+ }
 if options.Insecure {
 tlsConfig.InsecureSkipVerify = options.Insecure
 } else if options.DisableSNI {
- return nil, E.New("disable_sni is unsupported in uTLS")
+ if options.Reality != nil && options.Reality.Enabled {
+ return nil, E.New("disable_sni is unsupported in reality")
+ }
+ tlsConfig.InsecureServerNameToVerify = serverName
 }
 if len(options.ALPN) > 0 {
 tlsConfig.NextProtos = options.ALPN
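Review bot: `CurrentTime: tlsConfig.Time()` on the second added line calls the function value unconditionally, which panics inside the handshake if Time was left nil; crypto/tls itself treats a nil Time as time.Now() and x509.VerifyOptions treats a zero CurrentTime the same way, so the nil-safe form is to leave the field out of the literal and set it afterwards with `if tlsConfig.Time != nil { verifyOptions.CurrentTime = tlsConfig.Time() }`. Whether Time is always assigned before this point is not visible here, since NewSTDClient starts before the hunk and the VerifyConnection callback continues after it, so this may already hold in practice. Because InsecureSkipVerify is true on the first context line, this callback is the only certificate verification that runs, which makes the Roots line worth a why-comment such as `// Mirror the defaults crypto/tls would apply: with Roots unset a custom root pool was ignored and the system roots decided the chain.`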
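Review bot: `tlsConfig.InsecureServerNameToVerify = serverName` in the disable_sni branch hands uTLS an empty name to verify whenever serverName is empty, and ServerName is now also left empty on that path; depending on the uTLS version that either fails late with the generic "either ServerName or InsecureSkipVerify" handshake error or drops the hostname check while InsecureSkipVerify stays false. If the earlier part of NewUTLSClient, which starts before this hunk, already rejects an empty serverName unless insecure is set, this is covered; otherwise a configuration-time guard such as `if serverName == "" { return nil, E.New("disable_sni requires server_name") }` before the assignment gives a clearer failure. A short comment on the assignment would also help, since the field name reads as a downgrade when it is not: `// SNI is omitted from the ClientHello, but the certificate is still verified against serverName.`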