4.1.12

fix(classes.pp.connectionhandler): Replace unrecognized_name alert data with certificate_expired alert in TLS handshake handling for session resumption without SNI
2025-03-17 13:09:54 +00:00 · 2025-03-17 13:09:54 +00:00
4 changed files with 20 additions and 3 deletions
--- a/changelog.md
+++ b/changelog.md
@ -1,5 +1,12 @@
 # Changelog

+## 2025-03-17 - 4.1.12 - fix(classes.pp.connectionhandler)
+Replace unrecognized_name alert data with certificate_expired alert in TLS handshake handling for session resumption without SNI
+
+- Switched the alert payload from serverNameUnknownAlertData to a new certificateExpiredAlert buffer
+- Now sends a fatal certificate_expired alert (code 47) instead of a warning unrecognized_name alert
+- Improves TLS error reporting and encourages immediate disconnection when a ClientHello lacks SNI and session tickets are disallowed
+
 ## 2025-03-17 - 4.1.11 - fix(connectionhandler)
 Increase delay before cleaning up connections when session resumption is blocked due to missing SNI, allowing more natural socket termination.

--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "@push.rocks/smartproxy",
-  "version": "4.1.11",
+  "version": "4.1.12",
  "private": false,
  "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
  "main": "dist_ts/index.js",
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@push.rocks/smartproxy',
-  version: '4.1.11',
+  version: '4.1.12',
  description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
 }
--- a/ts/classes.pp.connectionhandler.ts
+++ b/ts/classes.pp.connectionhandler.ts
@ -605,10 +605,20 @@ export class ConnectionHandler {
              0x00, // close_notify alert (0)
            ]);

+            const certificateExpiredAlert = Buffer.from([
+              0x15, // Alert record type
+              0x03,
+              0x03, // TLS 1.2 version
+              0x00,
+              0x02, // Length
+              0x02, // Fatal alert level (2)
+              0x2F, // certificate_expired alert (47)
+            ]);
+
            try {
              // Use cork/uncork to ensure the alert is sent as a single packet
              socket.cork();
-              const writeSuccessful = socket.write(serverNameUnknownAlertData);
+              const writeSuccessful = socket.write(certificateExpiredAlert);
              socket.uncork();
              
              // Function to handle the clean socket termination - but more gradually
Author	SHA1	Message	Date
Philipp Kunz	4634c68ea6	4.1.12 Some checks failed Default (tags) / security (push) Successful in 30s Details Default (tags) / test (push) Failing after 59s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-17 13:09:54 +00:00
Philipp Kunz	e126032b61	fix(classes.pp.connectionhandler): Replace unrecognized_name alert data with certificate_expired alert in TLS handshake handling for session resumption without SNI	2025-03-17 13:09:54 +00:00