From b74e0fd35aae9559d2cd3a8f6a307d2d0d2dd70d Mon Sep 17 00:00:00 2001
From: Vladislav Yarmak
Date: Mon, 22 Sep 2025 19:38:50 +0300
Subject: [PATCH] hide SNI for API calls as well

---
 holaapi.go | 24 +++++++++++++++++++++++-
 main.go | 1 +
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/holaapi.go b/holaapi.go
index 19ae929..933121e 100644
--- a/holaapi.go
+++ b/holaapi.go
@@ -398,6 +398,12 @@ func UpdateHolaTLSConfig(config *tls.Config) {
 tlsConfig = config
 }
 
+var hideSNI bool
+
+func SetHideSNI(hide bool) {
+ hideSNI = hide
+}
+
 // Returns default http client with a proxy override
 func httpClientWithProxy(agent *FallbackAgent) *http.Client {
 t := &http.Transport{
@@ -428,7 +434,23 @@ func httpClientWithProxy(agent *FallbackAgent) *http.Client {
 if tlsConfig != nil {
 cfg = *tlsConfig
 }
- cfg.ServerName = host
+ if !hideSNI {
+ cfg.ServerName = host
+ } else {
+ cfg.InsecureSkipVerify = true
+ cfg.VerifyConnection = func(cs tls.ConnectionState) error {
+ opts := x509.VerifyOptions{
+ DNSName: host,
+ Intermediates: x509.NewCertPool(),
+ Roots: cfg.RootCAs,
+ }
+ for _, cert := range cs.PeerCertificates[1:] {
+ opts.Intermediates.AddCert(cert)
+ }
+ _, err := cs.PeerCertificates[0].Verify(opts)
+ return err
+ }
+ }
 tlsConn := tls.UClient(conn, &cfg, tls.HelloAndroid_11_OkHttp)
 if err := tlsConn.HandshakeContext(ctx); err != nil {
 conn.Close()
diff --git a/main.go b/main.go
index 30d3c93..c2307d1 100644
--- a/main.go
+++ b/main.go
@@ -210,6 +210,7 @@ func run() int {
 RootCAs: caPool,
 })
 }
+ SetHideSNI(args.hideSNI)
 proxyFromURLWrapper := func(u *url.URL, next xproxy.Dialer) (xproxy.Dialer, error) {
 cdialer, ok := next.(ContextDialer)
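Review bot: `SetHideSNI` is exported without a doc comment, and `hideSNI` is plain package-level state that the TLS setup in `httpClientWithProxy` reads with no synchronization. That is safe only if the flag is written once before any client dials, which is how `run()` in main.go appears to use it. I would state that contract on the setter, e.g. `// SetHideSNI controls whether API connections leave ServerName unset; call it once at startup, before any client is created.` The same comment should mention that enabling it replaces the built-in certificate check with the manual `VerifyConnection` path, since that is the security-relevant side effect a caller needs to know about.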
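Review bot: In the `else` branch `cfg.ServerName` is never cleared, so a `ServerName` carried in through `cfg = *tlsConfig` would still be sent even though hiding was requested; add `cfg.ServerName = ""` as the first statement of that branch. The callback also indexes `cs.PeerCertificates[0]` and `[1:]` unguarded, so an empty chain would panic instead of failing the handshake; a `len(cs.PeerCertificates) == 0` check that returns an error before the loop is cheap insurance. The branch silently overwrites any `VerifyConnection` already present in the copied config, which is worth either chaining or documenting. Because `InsecureSkipVerify = true` will trip reviewers and linters, put a comment above it such as `// Chain and hostname are verified in VerifyConnection against host; InsecureSkipVerify only disables the built-in check.` The enclosing dial function starts and ends outside this hunk.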