The Client Hello Handshake Flood results in server disclosure and its blocking. #2079
dragonfly20004 started this conversation in General
Replies: 0 comments
I encountered a strange issue with Iranian service providers. Sometimes, a different certificate is sent to the user from GFW (Great Firewall). It can be speculated that this certificate is for eavesdropping on the connection. If "allow insecure" is set to true, this connection becomes completely apparent, and the VPN server gets blocked. This situation does not always occur and may happen in only 1% of the connections. However, if "allow insecure" is set to false, a problem arises where the real browser only sends one Client Hello, and if the user accepts the risk after a few seconds, another Client Hello is sent (a total of 2 Client Hello messages during the connection). However, in Xray, when "allow insecure" is set to false, a large number of Client Hello messages are sent consecutively, and numerous small connections are made to the VPN server. These connections are quickly closed due to "allow insecure" being false, and another connection replaces them. It's exactly a Client Hello flood. This different behavior compared to a regular browser can be exploited for server identification (and maybe exploited, we are mostly speculating here because we don't have access to GFW documentation).
Precautions should be taken in the source code to prevent this Client Hello flood from happening. For example, if faced with such a situation, all connections to that server should be terminated, and no connection should be established within that time window (similar to the behavior of a browser).
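The mitigation proposed above (stop all reconnects to a server for a time window after a certificate verification failure, so that at most one Client Hello goes out per window instead of a flood) can be modelled as a per-server circuit breaker around the TLS dial. The following Go program is an added example written for this discussion; it is not Xray's code, and the names `HandshakeBreaker`, `DialFunc`, `SimulateReconnectLoop`, the host `vpn.example` and the fake dialer that always returns a zero `x509.UnknownAuthorityError` (standing in for a substituted certificate) are all constructed for illustration. It compares an unprotected retry loop with the same loop behind the breaker, counting how many dials, and therefore Client Hellos, reach the wire.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrCircuitOpen is returned while a server is in its cooldown window: no
// Client Hello is sent, mirroring a browser that warns once and then stops.
var ErrCircuitOpen = errors.New("handshake breaker open: recent certificate verification failure")

// DialFunc stands in for the real TLS dial (hypothetical abstraction).
type DialFunc func(server string) error

// HandshakeBreaker remembers, per server, when certificate verification last
// failed and refuses to dial again until the cooldown has elapsed.
type HandshakeBreaker struct {
	mu        sync.Mutex
	cooldown  time.Duration
	now       func() time.Time
	openUntil map[string]time.Time
}

// NewHandshakeBreaker builds a breaker; now may be nil to use wall-clock time.
func NewHandshakeBreaker(cooldown time.Duration, now func() time.Time) *HandshakeBreaker {
	if now == nil {
		now = time.Now
	}
	return &HandshakeBreaker{cooldown: cooldown, now: now, openUntil: map[string]time.Time{}}
}

// Dial performs one TLS dial through the breaker. A verification failure opens
// the circuit for that server; while open, callers get ErrCircuitOpen and no
// packet leaves the host. After the cooldown exactly one probe is allowed.
func (b *HandshakeBreaker) Dial(server string, dial DialFunc) error {
	b.mu.Lock()
	if until, ok := b.openUntil[server]; ok {
		if b.now().Before(until) {
			b.mu.Unlock()
			return ErrCircuitOpen
		}
		delete(b.openUntil, server)
	}
	b.mu.Unlock()

	err := dial(server)
	if isCertVerificationError(err) {
		b.mu.Lock()
		b.openUntil[server] = b.now().Add(b.cooldown)
		b.mu.Unlock()
	}
	return err
}

// isCertVerificationError recognises the x509 errors crypto/tls surfaces when
// the peer certificate does not verify; errors.As sees through wrapping.
func isCertVerificationError(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	var invalid x509.CertificateInvalidError
	return errors.As(err, &unknownCA) || errors.As(err, &badHost) || errors.As(err, &invalid)
}

// fakeClock makes the cooldown deterministic for the simulation below.
type fakeClock struct{ t time.Time }

func (c *fakeClock) Now() time.Time          { return c.t }
func (c *fakeClock) Advance(d time.Duration) { c.t = c.t.Add(d) }

// SimulateReconnectLoop models a client retrying a failing connection
// `attempts` times, `interval` apart. The dialer is constructed to always fail
// verification (zero x509.UnknownAuthorityError, i.e. a substituted cert) and
// the function returns how many dials (Client Hellos) reached the wire.
// Passing b == nil reproduces the unprotected retry loop.
func SimulateReconnectLoop(b *HandshakeBreaker, clock *fakeClock, attempts int, interval time.Duration) int {
	const server = "vpn.example" // placeholder host name
	sent := 0
	dial := func(string) error {
		sent++
		return x509.UnknownAuthorityError{}
	}
	for i := 0; i < attempts; i++ {
		if b == nil {
			_ = dial(server)
		} else {
			_ = b.Dial(server, dial)
		}
		clock.Advance(interval)
	}
	return sent
}

func main() {
	clock := &fakeClock{t: time.Unix(0, 0)}
	fmt.Println("without breaker, Client Hellos sent:", SimulateReconnectLoop(nil, clock, 50, 100*time.Millisecond))
	clock = &fakeClock{t: time.Unix(0, 0)}
	b := NewHandshakeBreaker(30*time.Second, clock.Now)
	fmt.Println("with breaker, Client Hellos sent:", SimulateReconnectLoop(b, clock, 50, 100*time.Millisecond))
}
```

With 50 retries 100 ms apart, the unprotected loop emits 50 Client Hellos while the breaker emits one; with retries a second apart and a 30 s cooldown it emits two, one per window. The cooldown is keyed per server so an unrelated outbound is unaffected, and the breaker reacts only to certificate verification errors, not to ordinary network timeouts, so it does not suppress legitimate retries.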