push.rocks/smartproxy
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(classes.pp.connectionhandler): Improve TLS alert handling in ClientHello when SNI is missing and session tickets are disallowed

Browse Source
This commit is contained in:
Philipp Kunz 2025-03-16 13:47:34 +00:00
parent 8a96b45ece
commit 67ddf97547
3 changed files with 31 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
changelog.md
View File

@ -1,5 +1,12 @@
# Changelog # Changelog
## 2025-03-16 - 4.1.7 - fix(classes.pp.connectionhandler)
Improve TLS alert handling in ClientHello when SNI is missing and session tickets are disallowed
- Replace the unrecognized_name alert with a handshake_failure alert to ensure better client behavior.
- Refactor the alert sending mechanism using cork/uncork and add a safety timeout for the drain event.
- Enhance logging for debugging TLS handshake failures when SNI is absent.
## 2025-03-16 - 4.1.6 - fix(tls) ## 2025-03-16 - 4.1.6 - fix(tls)
Refine TLS ClientHello handling when allowSessionTicket is false by replacing extensive alert timeout logic with a concise warning alert and short delay, encouraging immediate client retry with proper SNI Refine TLS ClientHello handling when allowSessionTicket is false by replacing extensive alert timeout logic with a concise warning alert and short delay, encouraging immediate client retry with proper SNI

2
ts/00_commitinfo_data.ts
View File

@ -3,6 +3,6 @@
*/ */
export const commitinfo = { export const commitinfo = {
name: '@push.rocks/smartproxy', name: '@push.rocks/smartproxy',
version: '4.1.6', version: '4.1.7',
description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.' description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
} }

15
ts/classes.pp.connectionhandler.ts
View File

@ -574,7 +574,7 @@ export class ConnectionHandler {
// Create a warning-level alert for unrecognized_name // Create a warning-level alert for unrecognized_name
// This encourages Chrome to retry immediately with SNI // This encourages Chrome to retry immediately with SNI
const alertData = Buffer.from([ const serverNameUnknownAlertData = Buffer.from([
0x15, // Alert record type 0x15, // Alert record type
0x03, 0x03,
0x03, // TLS 1.2 version 0x03, // TLS 1.2 version
@ -584,10 +584,21 @@ export class ConnectionHandler {
0x70, // unrecognized_name alert (code 112) 0x70, // unrecognized_name alert (code 112)
]); ]);
// Send a handshake_failure alert instead of unrecognized_name
const sslHandshakeFailureAlertData = Buffer.from([
0x15, // Alert record type
0x03,
0x03, // TLS 1.2 version
0x00,
0x02, // Length
0x01, // Warning alert level (not fatal)
0x28, // handshake_failure alert (40) instead of unrecognized_name (112)
]);
try { try {
// Use cork/uncork to ensure the alert is sent as a single packet // Use cork/uncork to ensure the alert is sent as a single packet
socket.cork(); socket.cork();
const writeSuccessful = socket.write(alertData); const writeSuccessful = socket.write(sslHandshakeFailureAlertData);
socket.uncork(); socket.uncork();
// Function to handle the clean socket termination // Function to handle the clean socket termination