Previously, HandleClientHello rejected non-TLS (non-0x16) and DTLS records,
causing Discord voice chat CONNECT tunnels to be silently dropped.
- Non-TLS data: written through unchanged (passthrough)
- DTLS records (version 0xFE): parsed with full 13-byte header, fragmented
with the same split/write logic used for TLS ClientHello
Fixes Discord voice 'DTLS connecting' stuck state behind ihtc proxy.
The test expected client.Get() to return a transport-level error for
unreachable targets, but the proxy converts dial errors into HTTP 502
responses. On x86_64-linux the kernel returns EHOSTUNREACH immediately,
the proxy returns 502, and err == nil. On macOS the 5s client timeout
fires first, giving a context error (passing by accident).
Also add Nix CI workflow building on all 4 supported platforms.
Replace the dummy TLS record injection mechanism with a minimum chunk count
approach. Instead of prepending fake TLS records before the ClientHello, the
new approach ensures the ClientHello itself is split into at least --refrag
chunks, which is more effective and idiomatic.
- Default --refrag changed from 1 to 0 (disabled)
- Removed buildDummyRecords() and the associated dummy record injection
- Added splitRange() helper function
- Split() now enforces a minimum chunk count via re-splitting when needed
