@ -350,6 +351,8 @@ It's possible to use TLS Client Hello with any fingerprint and any SNI.
* `dupsid`. Copy `session ID` from original TLS Client Hello. Takes precedence over `rnd`. Applied on every request.
* `sni=<sni>`. Set specified SNI value. Changes TLS fake length, fixes lengths in TLS structure. Applied once at startup before `rndsni`.
* `padencap`. Padding extension is extended by original TLS Client Hello size (including multi packet variation with kyber). Padding extension is added to the end if not present, otherwise it must be the last extension. All lengths are increased. Fake size is not changed. Can be useful if DPI does not analyze sequence numbers properly. Applied on every request.
* `altsni`. Replaces SNI in fake TLS Client Hello with a randomly selected domain from a predefined pool of domains. The domain pool is specified using the `--dpi-desync-fake-tls-altsni` parameter and can be provided as a comma-separated list of domains or loaded from a file (with @ prefix). The file should contain one domain per line, with # at the beginning of a line indicating a comment. Each domain size must not exceed 127 bytes. The total length of the TLS fake and the lengths in the TLS Client Hello structure are adjusted according to the size of the selected domain. Applied on every request. Can be combined with the `dupip` modifier - in this case, the SNI selection is made from a combined pool of altsni domains and the destination IP address. Requires a valid TLS Client Hello fake with SNI extension to work correctly.
* `dupip`. Replaces SNI in fake TLS Client Hello with the destination server's IP address converted to text form (e.g., "192.0.2.1" or "2001:db8::1"). This modifier allows creating fake packets with SNI matching the actual IP address, which can mislead DPI. The total length of the TLS fake and the lengths in the TLS Client Hello structure are adjusted according to the IP address length. Applied on every request. Can be combined with the `altsni` modifier - in this case, the IP address is added to the pool of possible SNI values along with the altsni domain list, and the selection is made randomly from the combined pool. Requires a valid TLS Client Hello fake with SNI extension to work correctly.
By default if custom fake is not defined `rnd,rndsni,dupsid` mods are applied. If defined - `none`.
This behaviour is compatible with previous versions with addition of `dupsid`.
@ -360,7 +363,26 @@ This way it's possible to use different mods for every TLS fake.
If a mod is set to non-TLS fake it causes error. Use `--dpi-desync-fake-tls-mod=none'.
Example : `--dpi-desync-fake-tls=iana_org.bin --dpi-desync-fake-tls-mod=rndsni --dpi-desync-fake-tls=0xaabbccdd --dpi-desync-fake-tls-mod=none'