push.rocks/smartproxy
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(classes.pp.connectionhandler): Replace unrecognized_name alert data with certificate_expired alert in TLS handshake handling for session resumption without SNI

Browse Source
This commit is contained in:
Philipp Kunz
2025-03-17 13:09:54 +00:00
parent 7797c799dd
commit e126032b61
3 changed files with 19 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
changelog.md
View File

@@ -1,5 +1,12 @@
# Changelog # Changelog
## 2025-03-17 - 4.1.12 - fix(classes.pp.connectionhandler)
Replace unrecognized_name alert data with certificate_expired alert in TLS handshake handling for session resumption without SNI
- Switched the alert payload from serverNameUnknownAlertData to a new certificateExpiredAlert buffer
- Now sends a fatal certificate_expired alert (code 47) instead of a warning unrecognized_name alert
- Improves TLS error reporting and encourages immediate disconnection when a ClientHello lacks SNI and session tickets are disallowed
## 2025-03-17 - 4.1.11 - fix(connectionhandler) ## 2025-03-17 - 4.1.11 - fix(connectionhandler)
Increase delay before cleaning up connections when session resumption is blocked due to missing SNI, allowing more natural socket termination. Increase delay before cleaning up connections when session resumption is blocked due to missing SNI, allowing more natural socket termination.

2
ts/00_commitinfo_data.ts
View File

@@ -3,6 +3,6 @@
*/ */
export const commitinfo = { export const commitinfo = {
name: '@push.rocks/smartproxy', name: '@push.rocks/smartproxy',
version: '4.1.11', version: '4.1.12',
description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.' description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
} }

12
ts/classes.pp.connectionhandler.ts
View File

@@ -605,10 +605,20 @@ export class ConnectionHandler {
0x00, // close_notify alert (0) 0x00, // close_notify alert (0)
]); ]);
const certificateExpiredAlert = Buffer.from([
0x15, // Alert record type
0x03,
0x03, // TLS 1.2 version
0x00,
0x02, // Length
0x02, // Fatal alert level (2)
0x2F, // certificate_expired alert (47)
]);
try { try {
// Use cork/uncork to ensure the alert is sent as a single packet // Use cork/uncork to ensure the alert is sent as a single packet
socket.cork(); socket.cork();
const writeSuccessful = socket.write(serverNameUnknownAlertData); const writeSuccessful = socket.write(certificateExpiredAlert);
socket.uncork(); socket.uncork();
// Function to handle the clean socket termination - but more gradually // Function to handle the clean socket termination - but more gradually