[Bug] SSL Handshake fails with DPI tools (Byedpi) on Android 9 due to System Conscrypt incompatibility #2094
Description
Checklist
- I make sure that the issue is NOT a duplicate of pinned issues
- I make sure I am using the LATEST version - check here
- I understand that issues with limited impact, such as those occurring on specific devices or under specific network conditions, will not be fixed
- I have attached the error report in the issue
Describe the bug
I encountered a critical connectivity issue when using the app in conjunction with DPI bypass tools (specifically Byedpi). The app fails to establish a connection to YouTube servers, throwing an SSLHandshakeException, while other apps (like browsers) work fine under the same network conditions.
Frequency
Always (100% of the time)
Device
No response
Steps to reproduce the bug
- Set up a DPI bypass tool Byebyedpi https://github.com/romanvht/ByeByeDPI on the device.
- Try to load content in the app (NewPipe fork).
- Observe the connection failure.
Additional context
The error log indicates a specific failure during the TLS handshake:
javax.net.ssl.SSLHandshakeException: SSL handshake aborted: ssl=... I/O error during system call, Connection reset by peer
Through testing, I found that this issue is specific to the System Conscrypt implementation used by default in the app. The system's TLS library generates a handshake packet structure that, when processed by Byedpi's packet manipulation/fragmentation, is rejected by YouTube servers (likely due to TLS fingerprinting mismatch or malformed records).
I confirmed this by testing the BravePipe_conscrypt build. That version successfully bypasses this issue. The key difference is that BravePipe uses a bundled (embedded) version of the Conscrypt library rather than relying on the Android system's outdated implementation.
This problem seems particularly acute on Android 9. The system security provider (com.android.org.conscrypt) on this API level generates a TLS signature that conflicts with modern DPI manipulation techniques used by tools like Byebyedpi. Since YouTube aggressively checks TLS fingerprints, the combination of System Conscrypt + DPI manipulation triggers a connection reset.
Please consider implementing an option or a build variant that uses a bundled (embedded) Conscrypt library (similar to the approach used by BravePipe). This would update the TLS implementation independently of the OS, fixing compatibility with DPI tools and likely improving stability on older Android versions.
The BravePipe_conscrypt variant works correctly in this exact scenario, proving that updating the TLS library resolves the conflict with DPI tools.