push.rocks/smartproxy
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(SniHandler): Improve TLS SNI session resumption handling: connections containing a session ticket are now only rejected when no SNI is present and allowSessionTicket is disabled. Updated return values and logging for clearer resumption detection.

Browse Source
This commit is contained in:
Philipp Kunz 2025-03-11 19:38:41 +00:00
parent 3a1485213a
commit 62a3e1f4b7
4 changed files with 101 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
changelog.md
View File

@ -1,5 +1,12 @@
# Changelog # Changelog
## 2025-03-11 - 3.41.1 - fix(SniHandler)
Improve TLS SNI session resumption handling: connections containing a session ticket are now only rejected when no SNI is present and allowSessionTicket is disabled. Updated return values and logging for clearer resumption detection.
- Changed SniHandler.hasSessionResumption to return an object with 'isResumption' and 'hasSNI' flags.
- Adjusted PortProxy logic to only terminate connections when a session ticket is detected without an accompanying SNI (when allowSessionTicket is false).
- Enhanced debug logging to clearly differentiate between session resumption scenarios with and without SNI.
## 2025-03-11 - 3.41.0 - feat(PortProxy/TLS) ## 2025-03-11 - 3.41.0 - feat(PortProxy/TLS)
Add allowSessionTicket option to control TLS session ticket handling Add allowSessionTicket option to control TLS session ticket handling

2
ts/00_commitinfo_data.ts
View File

@ -3,6 +3,6 @@
*/ */
export const commitinfo = { export const commitinfo = {
name: '@push.rocks/smartproxy', name: '@push.rocks/smartproxy',
version: '3.41.0', version: '3.41.1',
description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.' description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
} }

42
ts/classes.portproxy.ts
View File

@ -941,15 +941,23 @@ export class PortProxy {
// Check for session tickets if allowSessionTicket is disabled // Check for session tickets if allowSessionTicket is disabled
if (this.settings.allowSessionTicket === false) { if (this.settings.allowSessionTicket === false) {
// Analyze for session resumption attempt (session ticket or PSK) // Analyze for session resumption attempt (session ticket or PSK)
const hasSessionTicket = SniHandler.hasSessionResumption(renegChunk, this.settings.enableTlsDebugLogging); const resumptionInfo = SniHandler.hasSessionResumption(renegChunk, this.settings.enableTlsDebugLogging);
if (hasSessionTicket) { // Only block if there's a session ticket without SNI
if (resumptionInfo.isResumption && !resumptionInfo.hasSNI) {
console.log( console.log(
`[${connectionId}] Session ticket detected in renegotiation with allowSessionTicket=false. ` + `[${connectionId}] Session ticket detected in renegotiation without SNI and allowSessionTicket=false. ` +
`Terminating connection to force new TLS handshake.` `Terminating connection to force new TLS handshake.`
); );
this.initiateCleanupOnce(record, 'session_ticket_blocked'); this.initiateCleanupOnce(record, 'session_ticket_blocked');
return; return;
} else if (resumptionInfo.isResumption && resumptionInfo.hasSNI) {
if (this.settings.enableTlsDebugLogging) {
console.log(
`[${connectionId}] Session ticket with SNI detected in renegotiation. ` +
`Allowing connection since SNI is present.`
);
}
} }
} }
@ -1565,11 +1573,12 @@ export class PortProxy {
// Check for session tickets if allowSessionTicket is disabled // Check for session tickets if allowSessionTicket is disabled
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) { if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
// Analyze for session resumption attempt // Analyze for session resumption attempt
const hasSessionTicket = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging); const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
if (hasSessionTicket) { // Only block if there's a session ticket without SNI
if (resumptionInfo.isResumption && !resumptionInfo.hasSNI) {
console.log( console.log(
`[${connectionId}] Session ticket detected in initial ClientHello with allowSessionTicket=false. ` + `[${connectionId}] Session ticket detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
`Terminating connection to force new TLS handshake.` `Terminating connection to force new TLS handshake.`
); );
if (connectionRecord.incomingTerminationReason === null) { if (connectionRecord.incomingTerminationReason === null) {
@ -1579,6 +1588,13 @@ export class PortProxy {
socket.end(); socket.end();
this.cleanupConnection(connectionRecord, 'session_ticket_blocked'); this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
return; return;
} else if (resumptionInfo.isResumption && resumptionInfo.hasSNI) {
if (this.settings.enableTlsDebugLogging) {
console.log(
`[${connectionId}] Session ticket with SNI detected in initial ClientHello. ` +
`Allowing connection since SNI is present.`
);
}
} }
} }
@ -1931,11 +1947,12 @@ export class PortProxy {
// Check for session tickets if allowSessionTicket is disabled // Check for session tickets if allowSessionTicket is disabled
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) { if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
// Analyze for session resumption attempt // Analyze for session resumption attempt
const hasSessionTicket = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging); const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
if (hasSessionTicket) { // Only block if there's a session ticket without SNI
if (resumptionInfo.isResumption && !resumptionInfo.hasSNI) {
console.log( console.log(
`[${connectionId}] Session ticket detected in initial ClientHello with allowSessionTicket=false. ` + `[${connectionId}] Session ticket detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
`Terminating connection to force new TLS handshake.` `Terminating connection to force new TLS handshake.`
); );
if (connectionRecord.incomingTerminationReason === null) { if (connectionRecord.incomingTerminationReason === null) {
@ -1945,6 +1962,13 @@ export class PortProxy {
socket.end(); socket.end();
this.cleanupConnection(connectionRecord, 'session_ticket_blocked'); this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
return; return;
} else if (resumptionInfo.isResumption && resumptionInfo.hasSNI) {
if (this.settings.enableTlsDebugLogging) {
console.log(
`[${connectionId}] Session ticket with SNI detected in initial ClientHello. ` +
`Allowing connection since SNI is present.`
);
}
} }
} }

63
ts/classes.snihandler.ts
View File

@ -372,6 +372,58 @@ export class SniHandler {
pos += extensionLength; pos += extensionLength;
} }
// Check if SNI is included
let hasSNI = false;
// Reset position and scan again for SNI extension
pos = 5 + 1 + 3 + 2; // Reset to after handshake type, length and client version
pos += 32; // Skip client random
if (pos + 1 <= buffer.length) {
const sessionIdLength = buffer[pos];
pos += 1 + sessionIdLength;
// Skip cipher suites
if (pos + 2 <= buffer.length) {
const cipherSuitesLength = (buffer[pos] << 8) + buffer[pos + 1];
pos += 2 + cipherSuitesLength;
// Skip compression methods
if (pos + 1 <= buffer.length) {
const compressionMethodsLength = buffer[pos];
pos += 1 + compressionMethodsLength;
// Check for extensions
if (pos + 2 <= buffer.length) {
const extensionsLength = (buffer[pos] << 8) + buffer[pos + 1];
pos += 2;
// Extensions end position
const extensionsEnd = pos + extensionsLength;
if (extensionsEnd <= buffer.length) {
// Scan for SNI extension
while (pos + 4 <= extensionsEnd) {
const extensionType = (buffer[pos] << 8) + buffer[pos + 1];
pos += 2;
const extensionLength = (buffer[pos] << 8) + buffer[pos + 1];
pos += 2;
if (extensionType === this.TLS_SNI_EXTENSION_TYPE) {
hasSNI = true;
log('Found SNI extension');
break;
}
// Skip extension data
pos += extensionLength;
}
}
}
}
}
}
// Consider it a resumption if any resumption mechanism is present // Consider it a resumption if any resumption mechanism is present
const isResumption = hasSessionTicket || hasPSK || hasEarlyData || const isResumption = hasSessionTicket || hasPSK || hasEarlyData ||
(hasNonEmptySessionId && !hasPSK); // Legacy resumption (hasNonEmptySessionId && !hasPSK); // Legacy resumption
@ -381,13 +433,18 @@ export class SniHandler {
(hasSessionTicket ? 'session ticket, ' : '') + (hasSessionTicket ? 'session ticket, ' : '') +
(hasPSK ? 'PSK, ' : '') + (hasPSK ? 'PSK, ' : '') +
(hasEarlyData ? 'early data, ' : '') + (hasEarlyData ? 'early data, ' : '') +
(hasNonEmptySessionId ? 'session ID' : '')); (hasNonEmptySessionId ? 'session ID' : '') +
(hasSNI ? ', with SNI' : ', without SNI'));
} }
return isResumption; // Return an object with both flags
return {
isResumption,
hasSNI
};
} catch (error) { } catch (error) {
log(`Error checking for session resumption: ${error}`); log(`Error checking for session resumption: ${error}`);
return false; return { isResumption: false, hasSNI: false };
} }
} }