
MTProto does not send TLS SNI since 12.2

Open cyyself opened this issue 1 month ago • 6 comments

  • [x] I am reporting an issue in existing functionality that does not work as intended
  • [x] I've searched for existing GitHub issues

Description

After upgrading from 12.1.1 to 12.2, MTProto no longer sends TLS SNI, which breaks my own proxy setup. I discovered this because my HAProxy SNI-fronted MTG server stopped working with Telegram as of version 12.2. Using Wireshark to inspect the packets, I found that there is no SNI in the TLS handshake now.

Expected Behavior

Should include SNI during handshake.

Actual Behavior

No SNI during TLS Client Hello.

Steps to Reproduce

  1. Follow the readme in mtg to set up an MTProto server. When executing mtg generate-secret example.com, example.com should be the SNI in the TLS Client Hello.
  2. Run the Telegram App on macOS, set the MTProto proxy to MTG.
  3. Use Wireshark to inspect the TLS Client Hello and find that there is no SNI.

Environment

Device: iPhone 17 Pro

iOS version: 26.1

App version: 12.2

cyyself avatar Nov 20 '25 17:11 cyyself
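
The check from step 3, done in code rather than in Wireshark, as an added example that is not part of the original issue or of the Telegram, mtg or HAProxy code: a parser that returns the SNI host name from a raw ClientHello record, or None when the extension is missing. It assumes the ClientHello fits in a single TLS record; `client_hello_sni` and `build_client_hello` are hypothetical names, and the sample bytes are constructed.

```python
class _Reader:
    """Bounds-checked cursor over big-endian, length-prefixed TLS fields."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def uint(self, size):
        return int.from_bytes(self.take(size), "big")
    def vec(self, size):
        return self.take(self.uint(size))  # field preceded by a size-byte length

def client_hello_sni(record):
    """Return the SNI host name in a raw ClientHello record, or None if absent."""
    r = _Reader(record)
    if r.uint(1) != 0x16:
        raise ValueError("not a TLS handshake record")
    r.take(2)                              # legacy record version
    hs = _Reader(r.vec(2))
    if hs.uint(1) != 0x01:
        raise ValueError("not a ClientHello")
    body = _Reader(hs.vec(3))
    body.take(2 + 32)                      # client_version + random
    body.vec(1); body.vec(2); body.vec(1)  # session_id, cipher_suites, compression
    if body.pos == len(body.data):
        return None                        # no extensions block at all
    exts = _Reader(body.vec(2))
    while exts.pos < len(exts.data):
        ext_type, ext_data = exts.uint(2), exts.vec(2)
        if ext_type == 0x0000:             # server_name
            names = _Reader(_Reader(ext_data).vec(2))
            while names.pos < len(names.data):
                name_type, name = names.uint(1), names.vec(2)
                if name_type == 0:         # host_name
                    return name.decode("ascii")
    return None

def build_client_hello(sni=None):
    """Constructed sample input: a minimal ClientHello with or without SNI."""
    u16 = lambda b: len(b).to_bytes(2, "big") + b
    exts = b"\x00\x0b" + u16(b"\x01\x00")  # ec_point_formats, always present
    if sni is not None:
        entry = b"\x00" + u16(sni.encode("ascii"))
        exts = b"\x00\x00" + u16(u16(entry)) + exts
    body = b"\x03\x03" + bytes(32) + b"\x00" + u16(b"\x13\x01") + b"\x01\x00" + u16(exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + u16(hs)
```

Fed the first TCP payload of a captured connection, a None result corresponds to the empty SNI that an SNI-routing frontend sees for the affected client version.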

Perhaps related to https://github.com/TelegramMessenger/Telegram-iOS/commit/5145b9e605511ad719b6d7fd28abd49b0bcbdd05, as it modifies submodules/MtProtoKit/Sources/MTTcpConnection.m.

cyyself avatar Nov 20 '25 18:11 cyyself

Same

bzdk avatar Nov 21 '25 06:11 bzdk

Same, empty SNI in haproxy logs

@cyyself Current workaround is to use the default backend in haproxy. However, the traffic without SNI is visible to censorship and can be blocked or throttled.

Master-Yoba avatar Dec 08 '25 09:12 Master-Yoba

same

zhkl0228 avatar Dec 13 '25 06:12 zhkl0228