pub async fn connect_pinned_mimic(
host: String,
port: u16,
pinned_key: Vec<u8>,
sni: String,
) -> Result<Arc<PhantomSession>, CoreError>mimicry and crate feature std and non-WebAssembly only.Expand description
Connect to a pinned server over the TLS-over-TCP active-mimicry transport
(mimicry feature) — the flow looks like an ordinary HTTPS handshake to an
on-path observer, while the real authentication / confidentiality remains the
inner Phantom post-quantum session.
sni is the cover domain presented in the synthetic ClientHello. It is
required and should be rotated per connection and kept plausible for the
server’s IP/AS — a single network-wide default SNI is itself a blocklist key.
The outer TLS is anti-DPI obfuscation only, and is detectable by active
probing. It defeats stateless DPI + passive JA3/JA4 fingerprinting + light
stateful inspection, but a censor that completes a real TLS handshake or
validates a certificate detects it in one round trip — do not use this
where active probing is in the threat model. See docs/security/threat-model.md.
Rust-only and native-only, gated on the mimicry feature.