fix(SniHandler): Improve TLS SNI session resumption handling: connections containing a session ticket are now only rejected when no SNI is present and allowSessionTicket is disabled. Updated return values and logging for clearer resumption detection.
This commit is contained in:
parent
3a1485213a
commit
62a3e1f4b7
@ -1,5 +1,12 @@
|
|||||||
# Changelog
|
# Changelog
|
||||||
|
|
||||||
|
## 2025-03-11 - 3.41.1 - fix(SniHandler)
|
||||||
|
Improve TLS SNI session resumption handling: connections containing a session ticket are now only rejected when no SNI is present and allowSessionTicket is disabled. Updated return values and logging for clearer resumption detection.
|
||||||
|
|
||||||
|
- Changed SniHandler.hasSessionResumption to return an object with 'isResumption' and 'hasSNI' flags.
|
||||||
|
- Adjusted PortProxy logic to only terminate connections when a session ticket is detected without an accompanying SNI (when allowSessionTicket is false).
|
||||||
|
- Enhanced debug logging to clearly differentiate between session resumption scenarios with and without SNI.
|
||||||
|
|
||||||
## 2025-03-11 - 3.41.0 - feat(PortProxy/TLS)
|
## 2025-03-11 - 3.41.0 - feat(PortProxy/TLS)
|
||||||
Add allowSessionTicket option to control TLS session ticket handling
|
Add allowSessionTicket option to control TLS session ticket handling
|
||||||
|
|
||||||
|
@ -3,6 +3,6 @@
|
|||||||
*/
|
*/
|
||||||
export const commitinfo = {
|
export const commitinfo = {
|
||||||
name: '@push.rocks/smartproxy',
|
name: '@push.rocks/smartproxy',
|
||||||
version: '3.41.0',
|
version: '3.41.1',
|
||||||
description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
|
description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
|
||||||
}
|
}
|
||||||
|
@ -941,15 +941,23 @@ export class PortProxy {
|
|||||||
// Check for session tickets if allowSessionTicket is disabled
|
// Check for session tickets if allowSessionTicket is disabled
|
||||||
if (this.settings.allowSessionTicket === false) {
|
if (this.settings.allowSessionTicket === false) {
|
||||||
// Analyze for session resumption attempt (session ticket or PSK)
|
// Analyze for session resumption attempt (session ticket or PSK)
|
||||||
const hasSessionTicket = SniHandler.hasSessionResumption(renegChunk, this.settings.enableTlsDebugLogging);
|
const resumptionInfo = SniHandler.hasSessionResumption(renegChunk, this.settings.enableTlsDebugLogging);
|
||||||
|
|
||||||
if (hasSessionTicket) {
|
// Only block if there's a session ticket without SNI
|
||||||
|
if (resumptionInfo.isResumption && !resumptionInfo.hasSNI) {
|
||||||
console.log(
|
console.log(
|
||||||
`[${connectionId}] Session ticket detected in renegotiation with allowSessionTicket=false. ` +
|
`[${connectionId}] Session ticket detected in renegotiation without SNI and allowSessionTicket=false. ` +
|
||||||
`Terminating connection to force new TLS handshake.`
|
`Terminating connection to force new TLS handshake.`
|
||||||
);
|
);
|
||||||
this.initiateCleanupOnce(record, 'session_ticket_blocked');
|
this.initiateCleanupOnce(record, 'session_ticket_blocked');
|
||||||
return;
|
return;
|
||||||
|
} else if (resumptionInfo.isResumption && resumptionInfo.hasSNI) {
|
||||||
|
if (this.settings.enableTlsDebugLogging) {
|
||||||
|
console.log(
|
||||||
|
`[${connectionId}] Session ticket with SNI detected in renegotiation. ` +
|
||||||
|
`Allowing connection since SNI is present.`
|
||||||
|
);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1565,11 +1573,12 @@ export class PortProxy {
|
|||||||
// Check for session tickets if allowSessionTicket is disabled
|
// Check for session tickets if allowSessionTicket is disabled
|
||||||
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
|
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
|
||||||
// Analyze for session resumption attempt
|
// Analyze for session resumption attempt
|
||||||
const hasSessionTicket = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
||||||
|
|
||||||
if (hasSessionTicket) {
|
// Only block if there's a session ticket without SNI
|
||||||
|
if (resumptionInfo.isResumption && !resumptionInfo.hasSNI) {
|
||||||
console.log(
|
console.log(
|
||||||
`[${connectionId}] Session ticket detected in initial ClientHello with allowSessionTicket=false. ` +
|
`[${connectionId}] Session ticket detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
|
||||||
`Terminating connection to force new TLS handshake.`
|
`Terminating connection to force new TLS handshake.`
|
||||||
);
|
);
|
||||||
if (connectionRecord.incomingTerminationReason === null) {
|
if (connectionRecord.incomingTerminationReason === null) {
|
||||||
@ -1579,6 +1588,13 @@ export class PortProxy {
|
|||||||
socket.end();
|
socket.end();
|
||||||
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
|
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
|
||||||
return;
|
return;
|
||||||
|
} else if (resumptionInfo.isResumption && resumptionInfo.hasSNI) {
|
||||||
|
if (this.settings.enableTlsDebugLogging) {
|
||||||
|
console.log(
|
||||||
|
`[${connectionId}] Session ticket with SNI detected in initial ClientHello. ` +
|
||||||
|
`Allowing connection since SNI is present.`
|
||||||
|
);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1931,11 +1947,12 @@ export class PortProxy {
|
|||||||
// Check for session tickets if allowSessionTicket is disabled
|
// Check for session tickets if allowSessionTicket is disabled
|
||||||
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
|
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
|
||||||
// Analyze for session resumption attempt
|
// Analyze for session resumption attempt
|
||||||
const hasSessionTicket = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
||||||
|
|
||||||
if (hasSessionTicket) {
|
// Only block if there's a session ticket without SNI
|
||||||
|
if (resumptionInfo.isResumption && !resumptionInfo.hasSNI) {
|
||||||
console.log(
|
console.log(
|
||||||
`[${connectionId}] Session ticket detected in initial ClientHello with allowSessionTicket=false. ` +
|
`[${connectionId}] Session ticket detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
|
||||||
`Terminating connection to force new TLS handshake.`
|
`Terminating connection to force new TLS handshake.`
|
||||||
);
|
);
|
||||||
if (connectionRecord.incomingTerminationReason === null) {
|
if (connectionRecord.incomingTerminationReason === null) {
|
||||||
@ -1945,6 +1962,13 @@ export class PortProxy {
|
|||||||
socket.end();
|
socket.end();
|
||||||
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
|
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
|
||||||
return;
|
return;
|
||||||
|
} else if (resumptionInfo.isResumption && resumptionInfo.hasSNI) {
|
||||||
|
if (this.settings.enableTlsDebugLogging) {
|
||||||
|
console.log(
|
||||||
|
`[${connectionId}] Session ticket with SNI detected in initial ClientHello. ` +
|
||||||
|
`Allowing connection since SNI is present.`
|
||||||
|
);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -372,6 +372,58 @@ export class SniHandler {
|
|||||||
pos += extensionLength;
|
pos += extensionLength;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check if SNI is included
|
||||||
|
let hasSNI = false;
|
||||||
|
|
||||||
|
// Reset position and scan again for SNI extension
|
||||||
|
pos = 5 + 1 + 3 + 2; // Reset to after handshake type, length and client version
|
||||||
|
pos += 32; // Skip client random
|
||||||
|
|
||||||
|
if (pos + 1 <= buffer.length) {
|
||||||
|
const sessionIdLength = buffer[pos];
|
||||||
|
pos += 1 + sessionIdLength;
|
||||||
|
|
||||||
|
// Skip cipher suites
|
||||||
|
if (pos + 2 <= buffer.length) {
|
||||||
|
const cipherSuitesLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||||
|
pos += 2 + cipherSuitesLength;
|
||||||
|
|
||||||
|
// Skip compression methods
|
||||||
|
if (pos + 1 <= buffer.length) {
|
||||||
|
const compressionMethodsLength = buffer[pos];
|
||||||
|
pos += 1 + compressionMethodsLength;
|
||||||
|
|
||||||
|
// Check for extensions
|
||||||
|
if (pos + 2 <= buffer.length) {
|
||||||
|
const extensionsLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||||
|
pos += 2;
|
||||||
|
|
||||||
|
// Extensions end position
|
||||||
|
const extensionsEnd = pos + extensionsLength;
|
||||||
|
if (extensionsEnd <= buffer.length) {
|
||||||
|
// Scan for SNI extension
|
||||||
|
while (pos + 4 <= extensionsEnd) {
|
||||||
|
const extensionType = (buffer[pos] << 8) + buffer[pos + 1];
|
||||||
|
pos += 2;
|
||||||
|
|
||||||
|
const extensionLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||||
|
pos += 2;
|
||||||
|
|
||||||
|
if (extensionType === this.TLS_SNI_EXTENSION_TYPE) {
|
||||||
|
hasSNI = true;
|
||||||
|
log('Found SNI extension');
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Skip extension data
|
||||||
|
pos += extensionLength;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Consider it a resumption if any resumption mechanism is present
|
// Consider it a resumption if any resumption mechanism is present
|
||||||
const isResumption = hasSessionTicket || hasPSK || hasEarlyData ||
|
const isResumption = hasSessionTicket || hasPSK || hasEarlyData ||
|
||||||
(hasNonEmptySessionId && !hasPSK); // Legacy resumption
|
(hasNonEmptySessionId && !hasPSK); // Legacy resumption
|
||||||
@ -381,13 +433,18 @@ export class SniHandler {
|
|||||||
(hasSessionTicket ? 'session ticket, ' : '') +
|
(hasSessionTicket ? 'session ticket, ' : '') +
|
||||||
(hasPSK ? 'PSK, ' : '') +
|
(hasPSK ? 'PSK, ' : '') +
|
||||||
(hasEarlyData ? 'early data, ' : '') +
|
(hasEarlyData ? 'early data, ' : '') +
|
||||||
(hasNonEmptySessionId ? 'session ID' : ''));
|
(hasNonEmptySessionId ? 'session ID' : '') +
|
||||||
|
(hasSNI ? ', with SNI' : ', without SNI'));
|
||||||
}
|
}
|
||||||
|
|
||||||
return isResumption;
|
// Return an object with both flags
|
||||||
|
return {
|
||||||
|
isResumption,
|
||||||
|
hasSNI
|
||||||
|
};
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
log(`Error checking for session resumption: ${error}`);
|
log(`Error checking for session resumption: ${error}`);
|
||||||
return false;
|
return { isResumption: false, hasSNI: false };
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
x
Reference in New Issue
Block a user