FINDING · DEFENSE
AnyTLS implements a persistent idle-session pool with configurable parameters: idle_session_check_interval (default 30s), idle_session_timeout (default 30s), and min_idle_session (default 5). The client maintains at least 5 pre-established TLS sessions at all times to enable fast connection reuse without a new TLS handshake per request.
From 2026-anon-anytls-anytls-sing-box-2026 — What is the AnyTLS protocol? A complete guide to AnyTLS principles, sing-box deployment, and client configuration (2026) | 二毛 · §2.4, §5.3 · 2026 · ermao.net (Chinese-language circumvention blog)
Implications
- Maintaining a pool of idle pre-authenticated TLS sessions eliminates the per-request handshake burst that distinguishes proxy protocols from browser TLS — set min_idle_session ≥ 5 to ensure the connection pattern resembles persistent HTTP/2 keep-alive traffic.
- The idle_session_timeout should be tuned to the expected censor observation window; very short timeouts (< 30s) cause frequent reconnects that may trigger anomaly detection, while very long timeouts waste server resources.
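A model of how the three pool parameters interact during one periodic check, as an added example (not AnyTLS or sing-box code). The `PoolConfig`, `Session`, `Sweep` and `SampleIdle` names, the newest-first retention order, and the sample idle ages are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// PoolConfig holds the three parameters named in the finding.
type PoolConfig struct {
	CheckInterval time.Duration // idle_session_check_interval: how often Sweep runs
	IdleTimeout   time.Duration // idle_session_timeout
	MinIdle       int           // min_idle_session
}

// Session is a hypothetical stand-in for one pooled, idle TLS session.
type Session struct {
	ID        int
	IdleSince time.Time
}

// Sweep models one periodic check: a session idle longer than IdleTimeout is
// closed unless fewer than MinIdle sessions have been kept so far.
// Walking the pool newest-first is an assumption of this model.
func Sweep(cfg PoolConfig, idle []Session, now time.Time) (kept, closed []Session) {
	sorted := append([]Session(nil), idle...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].IdleSince.After(sorted[j].IdleSince) })
	for _, s := range sorted {
		if now.Sub(s.IdleSince) <= cfg.IdleTimeout || len(kept) < cfg.MinIdle {
			kept = append(kept, s)
		} else {
			closed = append(closed, s)
		}
	}
	return kept, closed
}

// SampleIdle builds constructed sample data: seven sessions idle for 5s..90s.
func SampleIdle(now time.Time) (out []Session) {
	for i, age := range []int{5, 10, 40, 50, 60, 70, 90} {
		out = append(out, Session{ID: i + 1, IdleSince: now.Add(-time.Duration(age) * time.Second)})
	}
	return out
}

func main() {
	now := time.Now()
	cfg := PoolConfig{CheckInterval: 30 * time.Second, IdleTimeout: 30 * time.Second, MinIdle: 5}
	kept, closed := Sweep(cfg, SampleIdle(now), now)
	fmt.Printf("kept=%d closed=%d\n", len(kept), len(closed))
}
```

With the stated values (30s timeout, `min_idle_session` of 5), three sessions past the timeout stay open to hold the floor; with a floor of 0 the same pool drains to the two sessions that are still fresh.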
Extracted by claude-sonnet-4-6 — review before relying.