Resolve conflicts

2026-05-14 00:51:12 +03:00 · 2025-08-15 12:56:52 +03:00
parent e22416f0d9 2dcb86941f
commit 93eb435e26
365 changed files with 22978 additions and 4724 deletions
--- a/route/rule/rule_abstract.go
+++ b/route/rule/rule_abstract.go
@@ -51,18 +51,6 @@ func (r *abstractDefaultRule) Close() error {
 	return nil
 }

-func (r *abstractDefaultRule) UpdateGeosite() error {
-	for _, item := range r.allItems {
-		if geositeItem, isSite := item.(*GeositeItem); isSite {
-			err := geositeItem.Update()
-			if err != nil {
-				return err
-			}
-		}
-	}
-	return nil
-}
-
 func (r *abstractDefaultRule) Match(metadata *adapter.InboundContext) bool {
 	if len(r.allItems) == 0 {
 		return true
@@ -173,19 +161,6 @@ func (r *abstractLogicalRule) Type() string {
 	return C.RuleTypeLogical
 }

-func (r *abstractLogicalRule) UpdateGeosite() error {
-	for _, rule := range common.FilterIsInstance(r.rules, func(it adapter.HeadlessRule) (adapter.Rule, bool) {
-		rule, loaded := it.(adapter.Rule)
-		return rule, loaded
-	}) {
-		err := rule.UpdateGeosite()
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
 func (r *abstractLogicalRule) Start() error {
 	for _, rule := range common.FilterIsInstance(r.rules, func(it adapter.HeadlessRule) (interface {
 		Start() error
--- a/route/rule/rule_action.go
+++ b/route/rule/rule_action.go
@@ -14,7 +14,6 @@ import (
 	"github.com/sagernet/sing-box/common/sniff"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -22,6 +21,8 @@ import (
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+
+	"github.com/miekg/dns"
 )

 func NewRuleAction(ctx context.Context, logger logger.ContextLogger, action option.RuleAction) (adapter.RuleAction, error) {
@@ -39,6 +40,9 @@ func NewRuleAction(ctx context.Context, logger logger.ContextLogger, action opti
 				FallbackDelay:             time.Duration(action.RouteOptions.FallbackDelay),
 				UDPDisableDomainUnmapping: action.RouteOptions.UDPDisableDomainUnmapping,
 				UDPConnect:                action.RouteOptions.UDPConnect,
+				TLSFragment:               action.RouteOptions.TLSFragment,
+				TLSFragmentFallbackDelay:  time.Duration(action.RouteOptions.TLSFragmentFallbackDelay),
+				TLSRecordFragment:         action.RouteOptions.TLSRecordFragment,
 			},
 		}, nil
 	case C.RuleActionTypeRouteOptions:
@@ -50,9 +54,12 @@ func NewRuleAction(ctx context.Context, logger logger.ContextLogger, action opti
 			UDPDisableDomainUnmapping: action.RouteOptionsOptions.UDPDisableDomainUnmapping,
 			UDPConnect:                action.RouteOptionsOptions.UDPConnect,
 			UDPTimeout:                time.Duration(action.RouteOptionsOptions.UDPTimeout),
+			TLSFragment:               action.RouteOptionsOptions.TLSFragment,
+			TLSFragmentFallbackDelay:  time.Duration(action.RouteOptionsOptions.TLSFragmentFallbackDelay),
+			TLSRecordFragment:         action.RouteOptionsOptions.TLSRecordFragment,
 		}, nil
 	case C.RuleActionTypeDirect:
-		directDialer, err := dialer.New(ctx, option.DialerOptions(action.DirectOptions))
+		directDialer, err := dialer.New(ctx, option.DialerOptions(action.DirectOptions), false)
 		if err != nil {
 			return nil, err
 		}
@@ -87,8 +94,11 @@ func NewRuleAction(ctx context.Context, logger logger.ContextLogger, action opti
 		return sniffAction, sniffAction.build()
 	case C.RuleActionTypeResolve:
 		return &RuleActionResolve{
-			Strategy: dns.DomainStrategy(action.ResolveOptions.Strategy),
-			Server:   action.ResolveOptions.Server,
+			Server:       action.ResolveOptions.Server,
+			Strategy:     C.DomainStrategy(action.ResolveOptions.Strategy),
+			DisableCache: action.ResolveOptions.DisableCache,
+			RewriteTTL:   action.ResolveOptions.RewriteTTL,
+			ClientSubnet: action.ResolveOptions.ClientSubnet.Build(netip.Prefix{}),
 		}, nil
 	default:
 		panic(F.ToString("unknown rule action: ", action.Action))
@@ -103,6 +113,7 @@ func NewDNSRuleAction(logger logger.ContextLogger, action option.DNSRuleAction)
 		return &RuleActionDNSRoute{
 			Server: action.RouteOptions.Server,
 			RuleActionDNSRouteOptions: RuleActionDNSRouteOptions{
+				Strategy:     C.DomainStrategy(action.RouteOptions.Strategy),
 				DisableCache: action.RouteOptions.DisableCache,
 				RewriteTTL:   action.RouteOptions.RewriteTTL,
 				ClientSubnet: netip.Prefix(common.PtrValueOrDefault(action.RouteOptions.ClientSubnet)),
@@ -110,6 +121,7 @@ func NewDNSRuleAction(logger logger.ContextLogger, action option.DNSRuleAction)
 		}
 	case C.RuleActionTypeRouteOptions:
 		return &RuleActionDNSRouteOptions{
+			Strategy:     C.DomainStrategy(action.RouteOptionsOptions.Strategy),
 			DisableCache: action.RouteOptionsOptions.DisableCache,
 			RewriteTTL:   action.RouteOptionsOptions.RewriteTTL,
 			ClientSubnet: netip.Prefix(common.PtrValueOrDefault(action.RouteOptionsOptions.ClientSubnet)),
@@ -120,6 +132,13 @@ func NewDNSRuleAction(logger logger.ContextLogger, action option.DNSRuleAction)
 			NoDrop: action.RejectOptions.NoDrop,
 			logger: logger,
 		}
+	case C.RuleActionTypePredefined:
+		return &RuleActionPredefined{
+			Rcode:  action.PredefinedOptions.Rcode.Build(),
+			Answer: common.Map(action.PredefinedOptions.Answer, option.DNSRecordOptions.Build),
+			Ns:     common.Map(action.PredefinedOptions.Ns, option.DNSRecordOptions.Build),
+			Extra:  common.Map(action.PredefinedOptions.Extra, option.DNSRecordOptions.Build),
+		}
 	default:
 		panic(F.ToString("unknown rule action: ", action.Action))
 	}
@@ -137,12 +156,7 @@ func (r *RuleActionRoute) Type() string {
 func (r *RuleActionRoute) String() string {
 	var descriptions []string
 	descriptions = append(descriptions, r.Outbound)
-	if r.UDPDisableDomainUnmapping {
-		descriptions = append(descriptions, "udp-disable-domain-unmapping")
-	}
-	if r.UDPConnect {
-		descriptions = append(descriptions, "udp-connect")
-	}
+	descriptions = append(descriptions, r.Descriptions()...)
 	return F.ToString("route(", strings.Join(descriptions, ","), ")")
 }

@@ -157,6 +171,9 @@ type RuleActionRouteOptions struct {
 	UDPDisableDomainUnmapping bool
 	UDPConnect                bool
 	UDPTimeout                time.Duration
+	TLSFragment               bool
+	TLSFragmentFallbackDelay  time.Duration
+	TLSRecordFragment         bool
 }

 func (r *RuleActionRouteOptions) Type() string {
@@ -164,6 +181,10 @@ func (r *RuleActionRouteOptions) Type() string {
 }

 func (r *RuleActionRouteOptions) String() string {
+	return F.ToString("route-options(", strings.Join(r.Descriptions(), ","), ")")
+}
+
+func (r *RuleActionRouteOptions) Descriptions() []string {
 	var descriptions []string
 	if r.OverrideAddress.IsValid() {
 		descriptions = append(descriptions, F.ToString("override-address=", r.OverrideAddress.AddrString()))
@@ -192,7 +213,19 @@ func (r *RuleActionRouteOptions) String() string {
 	if r.UDPConnect {
 		descriptions = append(descriptions, "udp-connect")
 	}
-	return F.ToString("route-options(", strings.Join(descriptions, ","), ")")
+	if r.UDPTimeout > 0 {
+		descriptions = append(descriptions, "udp-timeout")
+	}
+	if r.TLSFragment {
+		descriptions = append(descriptions, "tls-fragment")
+	}
+	if r.TLSFragmentFallbackDelay > 0 {
+		descriptions = append(descriptions, F.ToString("tls-fragment-fallback-delay=", r.TLSFragmentFallbackDelay.String()))
+	}
+	if r.TLSRecordFragment {
+		descriptions = append(descriptions, "tls-record-fragment")
+	}
+	return descriptions
 }

 type RuleActionDNSRoute struct {
@@ -220,6 +253,7 @@ func (r *RuleActionDNSRoute) String() string {
 }

 type RuleActionDNSRouteOptions struct {
+	Strategy     C.DomainStrategy
 	DisableCache bool
 	RewriteTTL   *uint32
 	ClientSubnet netip.Prefix
@@ -368,6 +402,8 @@ func (r *RuleActionSniff) build() error {
 			r.StreamSniffers = append(r.StreamSniffers, sniff.SSH)
 		case C.ProtocolRDP:
 			r.StreamSniffers = append(r.StreamSniffers, sniff.RDP)
+		case C.ProtocolNTP:
+			r.PacketSniffers = append(r.PacketSniffers, sniff.NTP)
 		default:
 			return E.New("unknown sniffer: ", name)
 		}
@@ -388,8 +424,11 @@ func (r *RuleActionSniff) String() string {
 }

 type RuleActionResolve struct {
-	Strategy dns.DomainStrategy
-	Server   string
+	Server       string
+	Strategy     C.DomainStrategy
+	DisableCache bool
+	RewriteTTL   *uint32
+	ClientSubnet netip.Prefix
 }

 func (r *RuleActionResolve) Type() string {
@@ -397,13 +436,74 @@ func (r *RuleActionResolve) Type() string {
 }

 func (r *RuleActionResolve) String() string {
-	if r.Strategy == dns.DomainStrategyAsIS && r.Server == "" {
-		return F.ToString("resolve")
-	} else if r.Strategy != dns.DomainStrategyAsIS && r.Server == "" {
-		return F.ToString("resolve(", option.DomainStrategy(r.Strategy).String(), ")")
-	} else if r.Strategy == dns.DomainStrategyAsIS && r.Server != "" {
-		return F.ToString("resolve(", r.Server, ")")
+	var options []string
+	if r.Server != "" {
+		options = append(options, r.Server)
+	}
+	if r.Strategy != C.DomainStrategyAsIS {
+		options = append(options, F.ToString(option.DomainStrategy(r.Strategy)))
+	}
+	if r.DisableCache {
+		options = append(options, "disable_cache")
+	}
+	if r.RewriteTTL != nil {
+		options = append(options, F.ToString("rewrite_ttl=", *r.RewriteTTL))
+	}
+	if r.ClientSubnet.IsValid() {
+		options = append(options, F.ToString("client_subnet=", r.ClientSubnet))
+	}
+	if len(options) == 0 {
+		return "resolve"
 	} else {
-		return F.ToString("resolve(", option.DomainStrategy(r.Strategy).String(), ",", r.Server, ")")
+		return F.ToString("resolve(", strings.Join(options, ","), ")")
 	}
 }
+
+type RuleActionPredefined struct {
+	Rcode  int
+	Answer []dns.RR
+	Ns     []dns.RR
+	Extra  []dns.RR
+}
+
+func (r *RuleActionPredefined) Type() string {
+	return C.RuleActionTypePredefined
+}
+
+func (r *RuleActionPredefined) String() string {
+	var options []string
+	options = append(options, dns.RcodeToString[r.Rcode])
+	options = append(options, common.Map(r.Answer, dns.RR.String)...)
+	options = append(options, common.Map(r.Ns, dns.RR.String)...)
+	options = append(options, common.Map(r.Extra, dns.RR.String)...)
+	return F.ToString("predefined(", strings.Join(options, ","), ")")
+}
+
+func (r *RuleActionPredefined) Response(request *dns.Msg) *dns.Msg {
+	return &dns.Msg{
+		MsgHdr: dns.MsgHdr{
+			Id:                 request.Id,
+			Response:           true,
+			Authoritative:      true,
+			RecursionDesired:   true,
+			RecursionAvailable: true,
+			Rcode:              r.Rcode,
+		},
+		Question: request.Question,
+		Answer:   rewriteRecords(r.Answer, request.Question[0]),
+		Ns:       rewriteRecords(r.Ns, request.Question[0]),
+		Extra:    rewriteRecords(r.Extra, request.Question[0]),
+	}
+}
+
+func rewriteRecords(records []dns.RR, question dns.Question) []dns.RR {
+	return common.Map(records, func(it dns.RR) dns.RR {
+		if strings.HasPrefix(it.Header().Name, "*") {
+			if strings.HasSuffix(question.Name, it.Header().Name[1:]) {
+				it = dns.Copy(it)
+				it.Header().Name = question.Name
+			}
+		}
+		return it
+	})
+}
--- a/route/rule/rule_default.go
+++ b/route/rule/rule_default.go
@@ -123,19 +123,13 @@ func NewDefaultRule(ctx context.Context, logger log.ContextLogger, options optio
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.Geosite) > 0 {
-		item := NewGeositeItem(router, logger, options.Geosite)
-		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
-		rule.allItems = append(rule.allItems, item)
+		return nil, E.New("geosite database is deprecated in sing-box 1.8.0 and removed in sing-box 1.12.0")
 	}
 	if len(options.SourceGeoIP) > 0 {
-		item := NewGeoIPItem(router, logger, true, options.SourceGeoIP)
-		rule.sourceAddressItems = append(rule.sourceAddressItems, item)
-		rule.allItems = append(rule.allItems, item)
+		return nil, E.New("geoip database is deprecated in sing-box 1.8.0 and removed in sing-box 1.12.0")
 	}
 	if len(options.GeoIP) > 0 {
-		item := NewGeoIPItem(router, logger, false, options.GeoIP)
-		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
-		rule.allItems = append(rule.allItems, item)
+		return nil, E.New("geoip database is deprecated in sing-box 1.8.0 and removed in sing-box 1.12.0")
 	}
 	if len(options.SourceIPCIDR) > 0 {
 		item, err := NewIPCIDRItem(true, options.SourceIPCIDR)
--- a/route/rule/rule_dns.go
+++ b/route/rule/rule_dns.go
@@ -114,19 +114,13 @@ func NewDefaultDNSRule(ctx context.Context, logger log.ContextLogger, options op
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.Geosite) > 0 {
-		item := NewGeositeItem(router, logger, options.Geosite)
-		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
-		rule.allItems = append(rule.allItems, item)
+		return nil, E.New("geosite database is deprecated in sing-box 1.8.0 and removed in sing-box 1.12.0")
 	}
 	if len(options.SourceGeoIP) > 0 {
-		item := NewGeoIPItem(router, logger, true, options.SourceGeoIP)
-		rule.sourceAddressItems = append(rule.sourceAddressItems, item)
-		rule.allItems = append(rule.allItems, item)
+		return nil, E.New("geoip database is deprecated in sing-box 1.8.0 and removed in sing-box 1.12.0")
 	}
 	if len(options.GeoIP) > 0 {
-		item := NewGeoIPItem(router, logger, false, options.GeoIP)
-		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
-		rule.allItems = append(rule.allItems, item)
+		return nil, E.New("geoip database is deprecated in sing-box 1.8.0 and removed in sing-box 1.12.0")
 	}
 	if len(options.SourceIPCIDR) > 0 {
 		item, err := NewIPCIDRItem(true, options.SourceIPCIDR)
@@ -154,6 +148,11 @@ func NewDefaultDNSRule(ctx context.Context, logger log.ContextLogger, options op
 		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
 		rule.allItems = append(rule.allItems, item)
 	}
+	if options.IPAcceptAny {
+		item := NewIPAcceptAnyItem()
+		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
 	if len(options.SourcePort) > 0 {
 		item := NewPortItem(true, options.SourcePort)
 		rule.sourcePortItems = append(rule.sourcePortItems, item)
@@ -224,7 +223,7 @@ func NewDefaultDNSRule(ctx context.Context, logger log.ContextLogger, options op
 		rule.allItems = append(rule.allItems, item)
 	}
 	if len(options.Outbound) > 0 {
-		item := NewOutboundRule(options.Outbound)
+		item := NewOutboundRule(ctx, options.Outbound)
 		rule.items = append(rule.items, item)
 		rule.allItems = append(rule.allItems, item)
 	}
--- a/route/rule/rule_item_geoip.go
+++ b/route/rule/rule_item_geoip.go
@@ -1,98 +0,0 @@
-package rule
-
-import (
-	"net/netip"
-	"strings"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/log"
-	N "github.com/sagernet/sing/common/network"
-)
-
-var _ RuleItem = (*GeoIPItem)(nil)
-
-type GeoIPItem struct {
-	router   adapter.Router
-	logger   log.ContextLogger
-	isSource bool
-	codes    []string
-	codeMap  map[string]bool
-}
-
-func NewGeoIPItem(router adapter.Router, logger log.ContextLogger, isSource bool, codes []string) *GeoIPItem {
-	codeMap := make(map[string]bool)
-	for _, code := range codes {
-		codeMap[code] = true
-	}
-	return &GeoIPItem{
-		router:   router,
-		logger:   logger,
-		codes:    codes,
-		isSource: isSource,
-		codeMap:  codeMap,
-	}
-}
-
-func (r *GeoIPItem) Match(metadata *adapter.InboundContext) bool {
-	var geoipCode string
-	if r.isSource && metadata.SourceGeoIPCode != "" {
-		geoipCode = metadata.SourceGeoIPCode
-	} else if !r.isSource && metadata.GeoIPCode != "" {
-		geoipCode = metadata.GeoIPCode
-	}
-	if geoipCode != "" {
-		return r.codeMap[geoipCode]
-	}
-	var destination netip.Addr
-	if r.isSource {
-		destination = metadata.Source.Addr
-	} else {
-		destination = metadata.Destination.Addr
-	}
-	if destination.IsValid() {
-		return r.match(metadata, destination)
-	}
-	for _, destinationAddress := range metadata.DestinationAddresses {
-		if r.match(metadata, destinationAddress) {
-			return true
-		}
-	}
-	return false
-}
-
-func (r *GeoIPItem) match(metadata *adapter.InboundContext, destination netip.Addr) bool {
-	var geoipCode string
-	geoReader := r.router.GeoIPReader()
-	if !N.IsPublicAddr(destination) {
-		geoipCode = "private"
-	} else if geoReader != nil {
-		geoipCode = geoReader.Lookup(destination)
-	}
-	if geoipCode == "" {
-		return false
-	}
-	if r.isSource {
-		metadata.SourceGeoIPCode = geoipCode
-	} else {
-		metadata.GeoIPCode = geoipCode
-	}
-	return r.codeMap[geoipCode]
-}
-
-func (r *GeoIPItem) String() string {
-	var description string
-	if r.isSource {
-		description = "source_geoip="
-	} else {
-		description = "geoip="
-	}
-	cLen := len(r.codes)
-	if cLen == 1 {
-		description += r.codes[0]
-	} else if cLen > 3 {
-		description += "[" + strings.Join(r.codes[:3], " ") + "...]"
-	} else {
-		description += "[" + strings.Join(r.codes, " ") + "]"
-	}
-	return description
-}
--- a/route/rule/rule_item_geosite.go
+++ b/route/rule/rule_item_geosite.go
@@ -1,61 +0,0 @@
-package rule
-
-import (
-	"strings"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/log"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-var _ RuleItem = (*GeositeItem)(nil)
-
-type GeositeItem struct {
-	router   adapter.Router
-	logger   log.ContextLogger
-	codes    []string
-	matchers []adapter.Rule
-}
-
-func NewGeositeItem(router adapter.Router, logger log.ContextLogger, codes []string) *GeositeItem {
-	return &GeositeItem{
-		router: router,
-		logger: logger,
-		codes:  codes,
-	}
-}
-
-func (r *GeositeItem) Update() error {
-	matchers := make([]adapter.Rule, 0, len(r.codes))
-	for _, code := range r.codes {
-		matcher, err := r.router.LoadGeosite(code)
-		if err != nil {
-			return E.Cause(err, "read geosite")
-		}
-		matchers = append(matchers, matcher)
-	}
-	r.matchers = matchers
-	return nil
-}
-
-func (r *GeositeItem) Match(metadata *adapter.InboundContext) bool {
-	for _, matcher := range r.matchers {
-		if matcher.Match(metadata) {
-			return true
-		}
-	}
-	return false
-}
-
-func (r *GeositeItem) String() string {
-	description := "geosite="
-	cLen := len(r.codes)
-	if cLen == 1 {
-		description += r.codes[0]
-	} else if cLen > 3 {
-		description += "[" + strings.Join(r.codes[:3], " ") + "...]"
-	} else {
-		description += "[" + strings.Join(r.codes, " ") + "]"
-	}
-	return description
-}
--- a/route/rule/rule_item_ip_accept_any.go
+++ b/route/rule/rule_item_ip_accept_any.go
@@ -0,0 +1,21 @@
+package rule
+
+import (
+	"github.com/sagernet/sing-box/adapter"
+)
+
+var _ RuleItem = (*IPAcceptAnyItem)(nil)
+
+type IPAcceptAnyItem struct{}
+
+func NewIPAcceptAnyItem() *IPAcceptAnyItem {
+	return &IPAcceptAnyItem{}
+}
+
+func (r *IPAcceptAnyItem) Match(metadata *adapter.InboundContext) bool {
+	return len(metadata.DestinationAddresses) > 0
+}
+
+func (r *IPAcceptAnyItem) String() string {
+	return "ip_accept_any=true"
+}
--- a/route/rule/rule_item_outbound.go
+++ b/route/rule/rule_item_outbound.go
@@ -1,9 +1,11 @@
 package rule

 import (
+	"context"
 	"strings"

 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/experimental/deprecated"
 	F "github.com/sagernet/sing/common/format"
 )

@@ -15,7 +17,8 @@ type OutboundItem struct {
 	matchAny    bool
 }

-func NewOutboundRule(outbounds []string) *OutboundItem {
+func NewOutboundRule(ctx context.Context, outbounds []string) *OutboundItem {
+	deprecated.Report(ctx, deprecated.OptionOutboundDNSRuleItem)
 	rule := &OutboundItem{outbounds: outbounds, outboundMap: make(map[string]bool)}
 	for _, outbound := range outbounds {
 		if outbound == "any" {
@@ -28,8 +31,8 @@ func NewOutboundRule(outbounds []string) *OutboundItem {
 }

 func (r *OutboundItem) Match(metadata *adapter.InboundContext) bool {
-	if r.matchAny && metadata.Outbound != "" {
-		return true
+	if r.matchAny {
+		return metadata.Outbound != ""
 	}
 	return r.outboundMap[metadata.Outbound]
 }
--- a/route/rule/rule_set_remote.go
+++ b/route/rule/rule_set_remote.go
@@ -3,6 +3,7 @@ package rule
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
 	"io"
 	"net"
 	"net/http"
@@ -23,6 +24,7 @@ import (
 	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/ntp"
 	"github.com/sagernet/sing/common/x/list"
 	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/pause"
@@ -238,6 +240,10 @@ func (s *RemoteRuleSet) fetch(ctx context.Context, startContext *adapter.HTTPSta
 				DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
 					return s.dialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
 				},
+				TLSClientConfig: &tls.Config{
+					Time:    ntp.TimeFuncFromContext(s.ctx),
+					RootCAs: adapter.RootPoolFromContext(s.ctx),
+				},
 			},
 		}
 	}