From 703b10e4ab3c1be8b5da8db82cfba2b39eca7675 Mon Sep 17 00:00:00 2001
From: SunBK201
Date: Sat, 1 Nov 2025 00:30:27 +0800
Subject: [PATCH] feat: detect tls handshake
---
 src/internal/rewrite/rewriter.go | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/src/internal/rewrite/rewriter.go b/src/internal/rewrite/rewriter.go
index 486c08e..3041358 100644
--- a/src/internal/rewrite/rewriter.go
+++ b/src/internal/rewrite/rewriter.go
@@ -105,6 +105,11 @@ func (r *Rewriter) ProxyHTTPOrRaw(dst net.Conn, src net.Conn, destAddr string) (
 io.Copy(dst, reader)
 }()
 
+ if strings.HasSuffix(destAddr, "443") && isTLSClientHello(reader) {
+ r.cache.Add(destAddr, destAddr)
+ log.LogDebugWithAddr(srcAddr, destAddr, "TLS ClientHello detected")
+ return
+ }
 isHTTP, err := r.isHTTP(reader)
 if err != nil {
 err = fmt.Errorf("isHTTP: %w", err)
@@ -350,3 +355,25 @@ func isWebSocket(header []byte) bool {
 
 return true
 }
+
+func isTLSClientHello(reader *bufio.Reader) bool {
+ header, err := reader.Peek(3)
+ if err != nil {
+ return false
+ }
+ // TLS record type 0x16 = Handshake
+ if header[0] != 0x16 {
+ return false
+ }
+ // TLS version
+ versionMajor := header[1]
+ versionMinor := header[2]
+ if versionMajor != 0x03 {
+ return false
+ }
+ if versionMinor < 0x01 || versionMinor > 0x04 {
+ return false
+ }
+
+ return true
+}
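Review bot: `strings.HasSuffix(destAddr, "443")` in the new branch of ProxyHTTPOrRaw matches any address whose text ends in 443, so ports such as 8443 or 10443 take this path as well. If only port 443 is meant, split the address and compare the port: `if _, port, perr := net.SplitHostPort(destAddr); perr == nil && port == "443" && isTLSClientHello(reader) {`. The branch also calls `r.cache.Add(destAddr, destAddr)` on the strength of three bytes chosen by the client. If that cache is what lets later connections to the same address skip inspection (not visible in this hunk), one connection with a TLS-looking prefix decides how every later connection to that destination is treated, so a comment stating what the entry means and when it expires is worth adding. ProxyHTTPOrRaw starts and ends outside the hunk.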
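Review bot: isTLSClientHello checks only the record header (content type 0x16 and a version of 0x0301 to 0x0304), so any handshake record passes, not just a ClientHello, and the function has no doc comment saying what it guarantees. To match the name, once the first three bytes match also peek the handshake header with `hs, err := reader.Peek(6)` and `if err != nil || hs[5] != 0x01 { return false }`, where byte 5 is the handshake message type. A doc comment such as `// isTLSClientHello reports whether the buffered bytes begin with a TLS handshake record carrying a ClientHello; it peeks and consumes nothing.` would record the contract. Peek blocks until the requested bytes arrive or the read fails, so a peer that sends fewer bytes and then waits stalls here unless the connection has a read deadline, which is not visible in this hunk.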