fix(PortProxy): Improve TLS renegotiation SNI handling by first checking if the new SNI is allowed under the existing domain config. If not, attempt to find an alternative domain config and update the locked domain accordingly; otherwise, terminate the connection on SNI mismatch.
This commit is contained in:
@ -1,5 +1,13 @@
|
||||
# Changelog
|
||||
|
||||
## 2025-03-11 - 3.30.7 - fix(PortProxy)
|
||||
Improve TLS renegotiation SNI handling by first checking if the new SNI is allowed under the existing domain config. If not, attempt to find an alternative domain config and update the locked domain accordingly; otherwise, terminate the connection on SNI mismatch.
|
||||
|
||||
- Added a preliminary check against the original domain config to allow re-handshakes if the new SNI matches allowed patterns.
|
||||
- If the original config does not allow, search for an alternative domain config and validate IP rules.
|
||||
- Update the locked domain when allowed, ensuring connection reuse with valid certificate context.
|
||||
- Terminate the connection if no suitable domain config is found or IP restrictions are violated.
|
||||
|
||||
## 2025-03-11 - 3.30.6 - fix(PortProxy)
|
||||
Improve TLS renegotiation handling in PortProxy by validating the new SNI against allowed domain configurations. If the new SNI is permitted based on existing IP rules, update the locked domain to allow connection reuse; otherwise, terminate the connection to prevent misrouting.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user