Network Guide Featured Tags: TLS SNI Clash

Clash "TLS Handshake Timeout" in Logs?Step-by-Step Node, SNI, and Rules Check

When a tab spins, a game disconnects, or an API client retries forever, Clash-family cores often print a blunt line about TLS handshake timeout. That string is easy to misread: it can mean the remote exit hop never answered in time, but it can also mean your flow reached the wrong outbound, carried the wrong Server Name Indication (SNI) for the certificate chain on the other side, tripped over an over-broad sniffer, matched a rule you did not expect, or stalled because local DNS and fake-ip disagree with how the tunnel routes packets. This guide keeps the investigation linear—node tests first, then TLS naming, then policy visibility, then DNS and TUN—so you do not burn an evening swapping subscriptions at random.

Approx. 22 min read
Clash Editorial
Table of Contents

1. What TLS handshake timeout really signals

In plain language, a TLS handshake is the short negotiation where a client and server agree on encryption parameters and (usually) present certificates keyed to a hostname. When Clash or Mihomo logs a TLS handshake timeout, the core is telling you that negotiation did not finish inside its deadline. That is different from an immediate TCP reset, an HTTP 403 from a reverse proxy, or a clean certificate validation error—though in real networks those symptoms blur because applications surface everything as “cannot connect.”

Because Clash sits between your app and the wider internet, the timeout can occur on several distinct legs: between your machine and the local Clash inbound, between Clash and the upstream proxy protocol (for example VMess, VLESS, or Trojan), between that upstream and the final origin, or even between Clash’s own DNS layer and the resolver it uses to bootstrap connections. Treat the log line as a symptom bucket, not a verdict that “the node is bad.” Your job is to learn which hop starved for replies.

Start every investigation by capturing one failing flow end to end. Note the destination hostname, the outbound name Clash chose (if visible), whether the path used TUN or system proxy, and whether fake-ip was active. Export or screenshot the surrounding log lines—many GUIs collapse details unless you raise the log level. If you also see DNS anomalies or repeated rule flips in the same second, keep those lines attached; they often explain a TLS timeout that is really a routing loop or a wrong IP rather than slow wire RTT.

This article complements our fake-ip and DNS troubleshooting guide, which focuses on placeholder addresses and resolver chains. Here the emphasis is the exact error string people search for—TLS handshake timeout—and how to separate it from unrelated disconnects.

2. Proxy node quality and latency tests

When users see TLS timeouts, the first reflex is to blame the exit node. Sometimes that reflex is correct: congested relays, oversubscribed ports, or datacenters that throttle long-lived TLS sessions do produce handshake stalls. The mistake is stopping there without a controlled test. Before you rewrite YAML, prove whether the same hostname and rule path succeed on a different outbound while everything else stays identical.

Use your client’s latency test or health check as a coarse filter only. ICMP or short TCP probes to a benchmark host are not the same as completing a full TLS handshake to the domain you care about. Prefer a test that actually opens https:// to a stable target through each candidate node, or temporarily bind the failing domain’s rule to a single outbound and retry in a tight loop. If failures hop between nodes with no pattern, suspect configuration; if only one region or provider fails, suspect capacity or blocking.

Another high-signal experiment is to send the same traffic through DIRECT while Clash still handles DNS, or briefly bypass Clash entirely on a second device on the same LAN. If DIRECT also stalls on TLS to the same hostname, the issue may be upstream of your proxy stack—ISP middleboxes, regional filtering, or the site itself. If DIRECT works while proxied paths time out, keep digging on proxy protocol settings, UDP vs TCP expectations, and whether the subscription mixed incompatible transport options.

Document RTT, loss, and time-of-day. Intermittent TLS timeouts that correlate with peak hours often track congestion, while timeouts that correlate with specific apps usually track SNI, certificate pinning, or split rules rather than raw ping. For long-running developer workflows—large Git clones, container pulls, or AI APIs—also compare against our Cursor and GitHub timeout guide, which stresses ordered rules and stable exits for bursty HTTPS.

Tip: Change one variable per experiment. If you simultaneously switch nodes, disable the sniffer, and edit DNS, you will not know which move mattered when the symptom vanishes.

3. SNI, certificates, and TLS naming

Modern HTTPS puts the intended hostname in the ClientHello as the Server Name Indication (SNI) extension. Middleboxes, CDNs, and shared hosting rely on that string to pick the correct certificate chain. When Clash forwards TLS on behalf of an application, any mismatch between the SNI your client sends and the certificate the far side presents can stall or reset the session. Some cores log that plainly; others collapse the story into a generic TLS handshake timeout when the peer never sends a coherent ServerHello.

Watch for flows where the application uses one hostname internally but the TLS layer shows another—common with captive portals, enterprise proxies, or misconfigured HTTP Host versus CONNECT authority. If you route a CONNECT tunnel to an exit that expects a different naming convention, you may wait until the timer expires. Compare the browser’s address bar, DevTools Security panel, and Clash’s verbose TLS logs (wording varies by build) to ensure the name you think you are visiting is the name actually carried on the wire.

Certificate issues deserve their own bucket. A hard trust failure often logs differently, but partial chains, missing intermediates, or OCSP reachability problems can still present as stalls on strict clients. If only one operating system profile breaks while another on the same machine succeeds, compare trust stores and whether a corporate root was pushed through MDM. Clash cannot fix upstream certificate misconfiguration; it can only expose it once you separate proxy effects from origin effects using the DIRECT tests in the previous section.

Quick checks

  • Does the failure reproduce on plain HTTPS in a mainstream browser and in curl -v through the same outbound?
  • Does disabling QUIC in the browser (forcing TCP TLS over 443) change behavior? Some stacks time out one path while the other works.
  • Are you mixing domain-based rules with an outbound that expects IP literals, or vice versa, so policy sends the flow to a hop that cannot complete the expected handshake?
Note: Do not disable certificate validation globally as a “fix.” If a site truly requires an unusual chain, import the proper trust material or fix the server configuration instead of weakening your client.

4. Sniffer scope and side effects

The sniffer module in Clash-family cores reconstructs hostnames from encrypted traffic—most often by reading SNI from the TLS ClientHello—so domain-based rules still work when applications hide the HTTP layer or when fake-ip obscures earlier DNS answers. That visibility is invaluable for split routing, but it is also a common amplifier of TLS handshake timeout confusion. When sniffing is too broad, every flow pays parsing cost; when it disagrees with how an app expects its TLS stream to look, some stacks simply wait until timers fire.

Run a deliberate A/B test: disable or narrow sniffing for the failing destination class only, reload the core, and retry. If timeouts vanish immediately, you have a strong signal to tighten sniff overrides—limit protocols, ports, or source interfaces rather than turning the feature off globally. Many GUIs expose “sniff only for TUN” or similar toggles; align those with how the app actually sends traffic. After changes, restart helper services so old sniff hooks do not linger.

Combine sniff debugging with the SNI checks in section 3. If logs show the sniffer rewriting metadata used for routing while the remote server still expects the original client fingerprint, you can end up with half-open handshakes that never complete. Some mobile tethering paths and hotel captive portals also behave poorly when extra inspection sits on top of already fragile MTU. Treat sniff-related regressions as compatibility tuning, not as proof that your subscription is fraudulent.

For apps with custom TLS (banking, games, certain chat clients), compare against a mainstream browser hitting the same hostname through the same outbound. Divergent behavior usually means the proprietary stack interacts badly with sniff metadata or certificate pinning—narrow sniffing or exclude that process before you blame the exit node.

5. Rule hits and outbound selection

Clash chooses an outbound after evaluating your rules in order. When people chase TLS timeouts, they often stare at the proxy hop while the real bug is an earlier MATCH line sending traffic to a pool that cannot reach the destination, or a GEOIP rule that mis-classifies addresses after DNS drift. You need explicit visibility into which rule matched for the failing connection.

Turn up logging according to your GUI or YAML so each new flow prints the rule name or index, the chosen outbound, and the destination. If your build supports tracing a single domain, use that to avoid drowning in noise. Compare what you expected—perhaps “AI sites go to Provider A”—with what actually matched when the timeout occurred. Pay special attention to PROCESS-NAME, DOMAIN-KEYWORD, and broad IP-CIDR matches that accidentally scoop TLS to the wrong exit.

Ordering matters more than size. A short, well-commented rules: section that you can read top-to-bottom beats a ten-thousand-line paste where nobody knows which line fires first. When debugging TLS, temporarily insert a narrow DOMAIN-SUFFIX rule for the failing hostname above noisy catch-alls, bind it to a single outbound you trust, and reload. If the timeout disappears, the problem was policy placement, not wire-level loss. If it persists, return to node and SNI checks with confidence.

Log or UI clue Likely next step
Rule hit jumps between DIRECT and a proxy Stabilize DNS answers and GEOIP inputs; confirm fake-ip is not feeding different IPs to the classifier between attempts
Always the same outbound, many domains fail Test that outbound alone; verify transport (TLS reality, WebSocket path, multiplexing) matches what the subscription author intended
Only one app shows TLS timeouts Inspect PROCESS-NAME rules, local bypass lists, and whether the app ignores system proxy and needs TUN

6. DNS, fake-ip, and resolver alignment

DNS is not “after TLS,” yet it shapes TLS outcomes. If resolution returns an address blocklisted on your exit, points to a geo-steering edge your node cannot reach, or oscillates between answers on each query, the handshake may never converge even though the proxy itself is healthy. Under fake-ip, applications sometimes see synthetic addresses while the core resolves differently later; when those layers disagree, you can observe bizarre TLS stalls that look like random node failure.

Walk resolver reachability first: can your configured DoH or UDP upstream answer from the network you are on? Then review nameserver-policy, fallback, and fallback-filter for over-aggressive filtering copied from old templates. If domestic and international traffic split across resolvers, keep those policies aligned with your rules: expectations so GEOIP and domain rules see consistent geography.

When symptoms cluster around “only some domains” or “only with fake-ip enabled,” return to the dedicated fake-ip and DNS guide for fake-ip-filter lists and resolver order. For WSL or hybrid Windows setups where localhost forwarding interacts with Clash DNS, see WSL2 and localhost DNS so terminal traffic and browser traffic resolve through the same intentional path.

# Illustrative dns block — confirm keys against your core version
dns:
  enable: true
  enhanced-mode: fake-ip
  nameserver:
    - https://dns.example/dns-query
  nameserver-policy:
    "geosite:cn": https://doh.cn.example/query
  fallback:
    - tls://dot.example:853
  fallback-filter:
    geoip: true
    geoip-code: CN

After any DNS edit, flush local caches where applicable and restart the core so you are not chasing stale answers. Log both the question name and the answer for the failing hostname during one timeout window; that pair usually tells you whether to fix resolver policy or TLS naming.

7. TUN, system proxy, and stacked VPNs

TUN mode captures traffic at the OS routing layer, while system proxy relies on applications honoring PAC or manual proxy settings. TLS timeouts that appear only under one mode usually mean the other path was never correctly configured—not that the remote site changed overnight. Before you tune TLS knobs, confirm the failing app actually traverses the mode you think: many games and CLIs ignore system proxy and need TUN, while some browsers use their own secure DNS that bypasses Clash unless explicitly integrated.

TUN plus fake-ip can create subtle ordering bugs where DNS hijack, route exclusions, and bypass lists interact. Symptoms mimic pure proxy failure—tabs hang, APIs retry—but the fix is often a missing bypass for a local subnet or a circular dependency where Clash tries to resolve through itself. Walk through Clash TUN on Windows: routing and firewall to validate the tunnel, adapter metrics, and Windows Defender rules before you assume the exit node is slow.

Stacked VPNs and filters multiply failure modes. A corporate AnyConnect profile, another “game booster,” or a browser extension that injects its own certificate may coexist with Clash only on certain Wi-Fi networks. When TLS timeouts correlate with “VPN inside VPN,” reduce to one active forwarder, retest the handshake, then reintroduce each layer with logging so you know which component re-broke the path.

Keep a short personal runbook: for each stubborn hostname record the working combination of TUN vs proxy, sniff on/off, fake-ip vs redir-host, and which outbound finally succeeded. Subscription merges and GUI upgrades will otherwise erase tribal knowledge and send you back to square one.

8. Summary

TLS handshake timeout in Clash logs is a bucket, not a diagnosis. Treat it as a prompt to walk nodes → SNI and certificates → sniffer scope → rule hits → DNS and fake-ip → TUN and stacked VPNs in that order, changing one variable per experiment. Compared with all-in-one “accelerators,” Clash and Mihomo give you transparent logs and ordered rules so you can see why a flow took a path—once you raise logging and stop toggling five knobs at once.

Pair this checklist with the focused articles above when your issue is clearly DNS-heavy or TUN-heavy, and use our configuration documentation as the canonical reference while you tune YAML. Day-to-day installs stay simplest when you keep GUI packages aligned through the official download channel rather than scattered mirrors.

When a message only appears on one core revision, compare release notes and issues in the upstream Mihomo (Meta) repository on GitHub—that is the right place for protocol-level bug reports—while still fetching end-user builds from the Clash download page linked below.

The Mihomo / Meta ecosystem moves quickly; pinning a known-good release and documenting the profile that finally stabilized TLS for your workloads beats chasing nightly builds every time a handshake timer fires.

Download Clash for free and experience the difference