From 1c34578c363c7ba329d7d1b865b56d0eab216c05 Mon Sep 17 00:00:00 2001
From: Philipp Kunz
Date: Sun, 16 Mar 2025 14:02:18 +0000
Subject: [PATCH] fix(ConnectionHandler/tls): Change the TLS alert sent when a ClientHello lacks SNI: use the close_notify alert instead of handshake_failure to prompt immediate retry with SNI.

---
 changelog.md | 6 ++++++
 ts/00_commitinfo_data.ts | 2 +-
 ts/classes.pp.connectionhandler.ts | 12 +++++++++++-
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/changelog.md b/changelog.md
index 6ef0c9f..a0c33a6 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## 2025-03-16 - 4.1.8 - fix(ConnectionHandler/tls)
+Change the TLS alert sent when a ClientHello lacks SNI: use the close_notify alert instead of handshake_failure to prompt immediate retry with SNI.
+
+- Replaced the previously sent handshake_failure alert (code 0x28) with a close_notify alert (code 0x00) in the TLS session resumption handling in ConnectionHandler.
+- This change encourages clients to immediately retry and include SNI when allowSessionTicket is false.
+
 ## 2025-03-16 - 4.1.7 - fix(classes.pp.connectionhandler)
 Improve TLS alert handling in ClientHello when SNI is missing and session tickets are disallowed
 
diff --git a/ts/00_commitinfo_data.ts b/ts/00_commitinfo_data.ts
index e5d626a..fae0dcb 100644
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '4.1.7',
+  version: '4.1.8',
   description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
 }
diff --git a/ts/classes.pp.connectionhandler.ts b/ts/classes.pp.connectionhandler.ts
index fc7ed80..7c45c07 100644
--- a/ts/classes.pp.connectionhandler.ts
+++ b/ts/classes.pp.connectionhandler.ts
@@ -595,10 +595,20 @@ export class ConnectionHandler {
           0x28, // handshake_failure alert (40) instead of unrecognized_name (112)
         ]);
 
+        const closeNotifyAlert = Buffer.from([
+          0x15, // Alert record type
+          0x03,
+          0x03, // TLS 1.2 version
+          0x00,
+          0x02, // Length
+          0x01, // Warning alert level (1)
+          0x00, // close_notify alert (0)
+        ]);
+
         try {
           // Use cork/uncork to ensure the alert is sent as a single packet
           socket.cork();
-          const writeSuccessful = socket.write(sslHandshakeFailureAlertData);
+          const writeSuccessful = socket.write(closeNotifyAlert);
           socket.uncork();
 
           // Function to handle the clean socket termination
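Review bot: `sslHandshakeFailureAlertData` is still built (its tail is the hunk's first two context lines) but is no longer written anywhere in this hunk, so after this change it appears to be dead code; either remove it or add a comment saying why both buffers are kept. The new `closeNotifyAlert` should also document the assumption the fix rests on, since a warning-level close_notify during the handshake is not a protocol-level "retry with SNI" signal and whether a client reconnects is up to the client, e.g. `// close_notify (warning) rather than handshake_failure: relies on the client reconnecting with SNI — verify against the clients this proxy must serve`. The record-layer version is pinned to `0x03, 0x03` regardless of what the ClientHello advertised; that is commonly tolerated before version negotiation, but a one-line comment stating that intent would save the next reader from checking. The enclosing method begins and ends outside the hunk.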