Improve connection timeout

common/dialer/default.go

@@ -59,6 +59,8 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 	}
 	if options.ConnectTimeout != 0 {
 		dialer.Timeout = time.Duration(options.ConnectTimeout)
+	} else {
+		dialer.Timeout = C.DefaultTCPTimeout
 	}
 	return &DefaultDialer{tfo.Dialer{Dialer: dialer, DisableTFO: !options.TCPFastOpen}, listener}
 }

common/dialer/dialer.go

@@ -6,7 +6,6 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
-	"github.com/sagernet/sing/common"
 	N "github.com/sagernet/sing/common/network"
 )
 
@@ -24,8 +23,5 @@ func NewOutbound(router adapter.Router, options option.OutboundDialerOptions) N.
 	if domainStrategy != dns.DomainStrategyAsIS || options.Detour == "" {
 		dialer = NewResolveDialer(router, dialer, domainStrategy, time.Duration(options.FallbackDelay))
 	}
-	if options.OverrideOptions.IsValid() {
-		dialer = NewOverride(dialer, common.PtrValueOrDefault(options.OverrideOptions))
-	}
 	return dialer
 }

common/dialer/override.go

@@ -1,69 +0,0 @@
-package dialer
-
-import (
-	"context"
-	"crypto/tls"
-	"net"
-
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/option"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/uot"
-)
-
-var _ N.Dialer = (*OverrideDialer)(nil)
-
-type OverrideDialer struct {
-	upstream   N.Dialer
-	tlsEnabled bool
-	tlsConfig  tls.Config
-	uotEnabled bool
-}
-
-func NewOverride(upstream N.Dialer, options option.OverrideStreamOptions) N.Dialer {
-	return &OverrideDialer{
-		upstream,
-		options.TLS,
-		tls.Config{
-			ServerName:         options.TLSServerName,
-			InsecureSkipVerify: options.TLSInsecure,
-		},
-		options.UDPOverTCP,
-	}
-}
-
-func (d *OverrideDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	switch network {
-	case C.NetworkTCP:
-		conn, err := d.upstream.DialContext(ctx, C.NetworkTCP, destination)
-		if err != nil {
-			return nil, err
-		}
-		return tls.Client(conn, &d.tlsConfig), nil
-	case C.NetworkUDP:
-		if d.uotEnabled {
-			tcpConn, err := d.upstream.DialContext(ctx, C.NetworkTCP, destination)
-			if err != nil {
-				return nil, err
-			}
-			return uot.NewClientConn(tcpConn), nil
-		}
-	}
-	return d.upstream.DialContext(ctx, network, destination)
-}
-
-func (d *OverrideDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	if d.uotEnabled {
-		tcpConn, err := d.upstream.DialContext(ctx, C.NetworkTCP, destination)
-		if err != nil {
-			return nil, err
-		}
-		return uot.NewClientConn(tcpConn), nil
-	}
-	return d.upstream.ListenPacket(ctx, destination)
-}
-
-func (d *OverrideDialer) Upstream() any {
-	return d.upstream
-}

common/dialer/tls.go

@@ -0,0 +1,86 @@
+package dialer
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"net"
+	"net/netip"
+	"os"
+
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type TLSDialer struct {
+	dialer N.Dialer
+	config *tls.Config
+}
+
+func NewTLS(dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
+	if !options.Enabled {
+		return dialer, nil
+	}
+
+	var serverName string
+	if options.ServerName != "" {
+		serverName = options.ServerName
+	} else if serverAddress != "" {
+		if _, err := netip.ParseAddr(serverName); err != nil {
+			serverName = serverAddress
+		}
+	}
+	if serverName == "" && options.Insecure {
+		return nil, E.New("missing server_name or insecure=true")
+	}
+
+	var tlsConfig tls.Config
+	if options.DisableSNI {
+		tlsConfig.ServerName = "127.0.0.1"
+	} else {
+		tlsConfig.ServerName = serverName
+	}
+	if options.Insecure {
+		tlsConfig.InsecureSkipVerify = options.Insecure
+	} else if options.DisableSNI {
+		tlsConfig.InsecureSkipVerify = true
+		tlsConfig.VerifyConnection = func(state tls.ConnectionState) error {
+			verifyOptions := x509.VerifyOptions{
+				DNSName:       serverName,
+				Intermediates: x509.NewCertPool(),
+			}
+			for _, cert := range state.PeerCertificates[1:] {
+				verifyOptions.Intermediates.AddCert(cert)
+			}
+			_, err := state.PeerCertificates[0].Verify(verifyOptions)
+			return err
+		}
+	}
+
+	return &TLSDialer{
+		dialer: dialer,
+		config: &tlsConfig,
+	}, nil
+}
+
+func (d *TLSDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	if network != C.NetworkTCP {
+		return nil, os.ErrInvalid
+	}
+	conn, err := d.dialer.DialContext(ctx, network, destination)
+	if err != nil {
+		return nil, err
+	}
+	tlsConn := tls.Client(conn, d.config)
+	ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTCPTimeout)
+	defer cancel()
+	err = tlsConn.HandshakeContext(ctx)
+	return tlsConn, err
+}
+
+func (d *TLSDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	return nil, os.ErrInvalid
+}

common/sniff/sniff.go

@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
 )
@@ -19,7 +20,7 @@ type (
 )
 
 func PeekStream(ctx context.Context, conn net.Conn, buffer *buf.Buffer, sniffers ...StreamSniffer) (*adapter.InboundContext, error) {
-	err := conn.SetReadDeadline(time.Now().Add(300 * time.Millisecond))
+	err := conn.SetReadDeadline(time.Now().Add(C.ReadPayloadTimeout))
 	if err != nil {
 		return nil, err
 	}