From 7d70aefa5f2edc23ae36bfc4088d6dca67fd9a4a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 11 Jan 2026 01:05:15 +0000
Subject: [PATCH] Fix Vision SSL errors by not reading encrypted rawInput buffer

The issue occurs when switching to direct copy mode - Vision was incorrectly reading from rawInput buffer which contains ENCRYPTED outer TLS/Reality records and merging them with decrypted application data. This caused SSL protocol errors, especially with testpre where pre-established connections may have TLS session tickets or other post-handshake messages in rawInput. The fix: Only read from input buffer (decrypted application data), skip rawInput (encrypted TLS records).
Fixes #4878
Co-authored-by: RPRX <63339210+RPRX@users.noreply.github.com>
---
 proxy/proxy.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/proxy/proxy.go b/proxy/proxy.go
index 29548d9f..c110a038 100644
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@@ -256,13 +256,13 @@ func (w *VisionReader) ReadMultiBuffer() (buf.MultiBuffer, error) {
 }
 if *switchToDirectCopy {
- // XTLS Vision processes TLS-like conn's input and rawInput
+ // XTLS Vision processes TLS-like conn's input
+ // Only read from input (decrypted application data), not rawInput (encrypted TLS records)
 if inputBuffer, err := buf.ReadFrom(w.input); err == nil && !inputBuffer.IsEmpty() {
 buffer, _ = buf.MergeMulti(buffer, inputBuffer)
 }
- if rawInputBuffer, err := buf.ReadFrom(w.rawInput); err == nil && !rawInputBuffer.IsEmpty() {
- buffer, _ = buf.MergeMulti(buffer, rawInputBuffer)
- }
+ // Do not read from rawInput - it contains encrypted outer TLS records that would corrupt the stream
+ // Just clear the buffers to release memory
 *w.input = bytes.Reader{} // release memory
 w.input = nil
 *w.rawInput = bytes.Buffer{} // release memory
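Review bot: Any bytes still held in `w.rawInput` when `*switchToDirectCopy` fires are now discarded without being counted or logged, where the removed lines used to forward them. The new comment asserts that they are always encrypted outer-TLS records, but nothing visible in the hunk establishes that. If the peer had already switched to direct copy, bytes the TLS layer had read from the socket but not yet processed would belong to the inner stream, and dropping them would silently truncate it. Consider making the drop observable before the reset, e.g. `if n := w.rawInput.Len(); n > 0 { /* log or return an error: n unprocessed bytes dropped */ }`, and stating in the comment which record types are expected there. ReadMultiBuffer begins and continues outside the hunk, so the surrounding handling is not visible here.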