Set unknown_sni_action to mask — fix SNI rejection on v3.3.31+ (#40)

SamNet-dev · SamNet-dev · commit 0299262ababa · 2026-03-26T11:07:55.000-05:00
Since telemt v3.3.31 the default unknown_sni_action changed from mask
to drop, causing the engine to reject connections whose TLS ClientHello
SNI doesn't exactly match tls_domain. This breaks clients that send a
different or cached SNI. Explicitly set unknown_sni_action = "mask" in
the generated config.toml to restore the previous permissive behavior.
diff --git a/mtproxymax.sh b/mtproxymax.sh
@@ -1082,6 +1082,7 @@ client_ack = 90
 
 [censorship]
 tls_domain = "${domain}"
+unknown_sni_action = "mask"
 mask = ${mask_enabled}
 mask_port = ${mask_port}
 $([ "$mask_enabled" = "true" ] && [ -n "$mask_host" ] && echo "mask_host = \"${mask_host}\"")
