feat(PortProxy/TLS): Add allowSessionTicket option to control TLS session ticket handling

2025-03-11 19:31:20 +00:00
parent 9496dd5336
commit 9dbf6fdeb5
4 changed files with 181 additions and 1 deletions
--- a/ts/classes.portproxy.ts
+++ b/ts/classes.portproxy.ts
@@ -51,6 +51,7 @@ export interface IPortProxySettings extends plugins.tls.TlsOptions {
  enableDetailedLogging?: boolean; // Enable detailed connection logging
  enableTlsDebugLogging?: boolean; // Enable TLS handshake debug logging
  enableRandomizedTimeouts?: boolean; // Randomize timeouts slightly to prevent thundering herd
+  allowSessionTicket?: boolean; // Allow TLS session ticket for reconnection (default: true)

  // Rate limiting and security
  maxConnectionsPerIP?: number; // Maximum simultaneous connections from a single IP
@@ -236,6 +237,8 @@ export class PortProxy {
      enableDetailedLogging: settingsArg.enableDetailedLogging || false,
      enableTlsDebugLogging: settingsArg.enableTlsDebugLogging || false,
      enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false,
+      allowSessionTicket: settingsArg.allowSessionTicket !== undefined 
+                         ? settingsArg.allowSessionTicket : true,

      // Rate limiting defaults
      maxConnectionsPerIP: settingsArg.maxConnectionsPerIP || 100,
@@ -935,6 +938,21 @@ export class PortProxy {
                destPort: record.incoming.localPort || 0
              };
              
+              // Check for session tickets if allowSessionTicket is disabled
+              if (this.settings.allowSessionTicket === false) {
+                // Analyze for session resumption attempt (session ticket or PSK)
+                const hasSessionTicket = SniHandler.hasSessionResumption(renegChunk, this.settings.enableTlsDebugLogging);
+                
+                if (hasSessionTicket) {
+                  console.log(
+                    `[${connectionId}] Session ticket detected in renegotiation with allowSessionTicket=false. ` +
+                    `Terminating connection to force new TLS handshake.`
+                  );
+                  this.initiateCleanupOnce(record, 'session_ticket_blocked');
+                  return;
+                }
+              }
+              
              const newSNI = SniHandler.extractSNIWithResumptionSupport(renegChunk, connInfo, this.settings.enableTlsDebugLogging);

              // Skip if no SNI was found
@@ -970,6 +988,9 @@ export class PortProxy {
        
        if (this.settings.enableDetailedLogging) {
          console.log(`[${connectionId}] TLS renegotiation handler installed for SNI domain: ${serverName}`);
+          if (this.settings.allowSessionTicket === false) {
+            console.log(`[${connectionId}] Session ticket usage is disabled. Connection will be reset on reconnection attempts.`);
+          }
        }
      }

@@ -1541,6 +1562,26 @@ export class PortProxy {
          if (SniHandler.isTlsHandshake(chunk)) {
            connectionRecord.isTLS = true;
            
+            // Check for session tickets if allowSessionTicket is disabled
+            if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
+              // Analyze for session resumption attempt
+              const hasSessionTicket = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
+              
+              if (hasSessionTicket) {
+                console.log(
+                  `[${connectionId}] Session ticket detected in initial ClientHello with allowSessionTicket=false. ` +
+                  `Terminating connection to force new TLS handshake.`
+                );
+                if (connectionRecord.incomingTerminationReason === null) {
+                  connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
+                  this.incrementTerminationStat('incoming', 'session_ticket_blocked');
+                }
+                socket.end();
+                this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
+                return;
+              }
+            }
+            
            // Try to extract SNI for domain-specific NetworkProxy handling
            const connInfo = {
              sourceIp: remoteIP,
@@ -1886,6 +1927,26 @@ export class PortProxy {
                  `[${connectionId}] Extracting SNI from TLS handshake, ${chunk.length} bytes`
                );
              }
+              
+              // Check for session tickets if allowSessionTicket is disabled
+              if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
+                // Analyze for session resumption attempt
+                const hasSessionTicket = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
+                
+                if (hasSessionTicket) {
+                  console.log(
+                    `[${connectionId}] Session ticket detected in initial ClientHello with allowSessionTicket=false. ` +
+                    `Terminating connection to force new TLS handshake.`
+                  );
+                  if (connectionRecord.incomingTerminationReason === null) {
+                    connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
+                    this.incrementTerminationStat('incoming', 'session_ticket_blocked');
+                  }
+                  socket.end();
+                  this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
+                  return;
+                }
+              }

              // Create connection info object for SNI extraction
              const connInfo = {