fix(SniHandler): Improve TLS SNI session resumption handling: connections containing a session ticket are now only rejected when no SNI is present and allowSessionTicket is disabled. Updated return values and logging for clearer resumption detection.

2025-03-11 19:38:41 +00:00
parent 3a1485213a
commit 62a3e1f4b7
4 changed files with 101 additions and 13 deletions


@@ -941,15 +941,23 @@ export class PortProxy {
// Check for session tickets if allowSessionTicket is disabled
if (this.settings.allowSessionTicket === false) {
// Analyze for session resumption attempt (session ticket or PSK)
const hasSessionTicket = SniHandler.hasSessionResumption(renegChunk, this.settings.enableTlsDebugLogging);
const resumptionInfo = SniHandler.hasSessionResumption(renegChunk, this.settings.enableTlsDebugLogging);
if (hasSessionTicket) {
// Only block if there's a session ticket without SNI
if (resumptionInfo.isResumption && !resumptionInfo.hasSNI) {
console.log(
`[${connectionId}] Session ticket detected in renegotiation with allowSessionTicket=false. ` +
`[${connectionId}] Session ticket detected in renegotiation without SNI and allowSessionTicket=false. ` +
`Terminating connection to force new TLS handshake.`
);
this.initiateCleanupOnce(record, 'session_ticket_blocked');
return;
} else if (resumptionInfo.isResumption && resumptionInfo.hasSNI) {
if (this.settings.enableTlsDebugLogging) {
console.log(
`[${connectionId}] Session ticket with SNI detected in renegotiation. ` +
`Allowing connection since SNI is present.`
);
}
}
}
@@ -1565,11 +1573,12 @@ export class PortProxy {
// Check for session tickets if allowSessionTicket is disabled
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
// Analyze for session resumption attempt
const hasSessionTicket = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
if (hasSessionTicket) {
// Only block if there's a session ticket without SNI
if (resumptionInfo.isResumption && !resumptionInfo.hasSNI) {
console.log(
`[${connectionId}] Session ticket detected in initial ClientHello with allowSessionTicket=false. ` +
`[${connectionId}] Session ticket detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
`Terminating connection to force new TLS handshake.`
);
if (connectionRecord.incomingTerminationReason === null) {
@@ -1579,6 +1588,13 @@ export class PortProxy {
socket.end();
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
return;
} else if (resumptionInfo.isResumption && resumptionInfo.hasSNI) {
if (this.settings.enableTlsDebugLogging) {
console.log(
`[${connectionId}] Session ticket with SNI detected in initial ClientHello. ` +
`Allowing connection since SNI is present.`
);
}
}
}
@@ -1931,11 +1947,12 @@ export class PortProxy {
// Check for session tickets if allowSessionTicket is disabled
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
// Analyze for session resumption attempt
const hasSessionTicket = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
if (hasSessionTicket) {
// Only block if there's a session ticket without SNI
if (resumptionInfo.isResumption && !resumptionInfo.hasSNI) {
console.log(
`[${connectionId}] Session ticket detected in initial ClientHello with allowSessionTicket=false. ` +
`[${connectionId}] Session ticket detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
`Terminating connection to force new TLS handshake.`
);
if (connectionRecord.incomingTerminationReason === null) {
@@ -1945,6 +1962,13 @@ export class PortProxy {
socket.end();
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
return;
} else if (resumptionInfo.isResumption && resumptionInfo.hasSNI) {
if (this.settings.enableTlsDebugLogging) {
console.log(
`[${connectionId}] Session ticket with SNI detected in initial ClientHello. ` +
`Allowing connection since SNI is present.`
);
}
}
}
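Review bot: The policy behind `allowSessionTicket === false` has quietly changed at the three `else if (resumptionInfo.isResumption && resumptionInfo.hasSNI)` sites: a ClientHello carrying a ticket/PSK is now forwarded whenever SNI is present, so the setting no longer means "tickets are refused" and, unless one of the other changed files already covers it, its interface comment/docs should say `// when false, resumption attempts are rejected only if the ClientHello carries no SNI`. The same check-and-log block is now pasted three times (renegotiation, and the two initial-ClientHello paths) with only the log wording differing, which makes future policy changes easy to apply inconsistently; a small private helper taking `(chunk, connectionId, context)` and returning whether the connection was rejected would keep the rule in one place. The `else if` condition can be reduced to `else if (resumptionInfo.isResumption)` since the preceding branch has already handled the `!hasSNI` case. Finally the comment in the first hunk says the analysis covers "session ticket or PSK" while both log lines say only "Session ticket"; `Session resumption (ticket/PSK) detected …` would match what `hasSessionResumption` appears to detect.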