3.38.1

changelog.md

@@ -1,5 +1,44 @@
 # Changelog
 
+## 2025-03-11 - 3.38.1 - fix(PortProxy)
+Improve SNI extraction handling in PortProxy by passing explicit connection info to extractSNIWithResumptionSupport for better TLS renegotiation and debug logging.
+
+- In the renegotiation handler, create and pass a connection info object (sourceIp, sourcePort, destIp, destPort) instead of a boolean flag.
+- Update the TLS handshake processing to construct a connection info object for detailed SNI extraction and logging.
+- Enhance consistency by using processTlsPacket with cached SNI hints during fallback.
+
+## 2025-03-11 - 3.38.0 - feat(SniHandler)
+Enhance SNI extraction to support fragmented ClientHello messages, TLS 1.3 early data, and improved PSK parsing
+
+- Added isTlsApplicationData method for detecting TLS application data packets
+- Implemented handleFragmentedClientHello to buffer and reassemble fragmented ClientHello messages
+- Extended extractSNIWithResumptionSupport to accept connection information and use reassembled data
+- Added detection for TLS 1.3 early data (0-RTT) in the ClientHello, supporting session resumption scenarios
+- Improved logging and heuristics for handling potential connection racing in modern browsers
+
+## 2025-03-11 - 3.37.3 - fix(snihandler)
+Enhance SNI extraction to support TLS 1.3 PSK-based session resumption by adding a dedicated extractSNIFromPSKExtension method and improved logging for session resumption indicators.
+
+- Defined TLS_PSK_EXTENSION_TYPE and TLS_PSK_KE_MODES_EXTENSION_TYPE constants.
+- Added extractSNIFromPSKExtension method to handle ClientHello messages containing PSK identities.
+- Improved logging to indicate when session resumption indicators (ticket or PSK) are present but no standard SNI is found.
+- Enhanced extractSNIWithResumptionSupport to attempt PSK extraction if standard SNI extraction fails.
+
+## 2025-03-11 - 3.37.2 - fix(PortProxy)
+Improve buffering and data handling during connection setup in PortProxy to prevent data loss
+
+- Added a safeDataHandler and processDataQueue to buffer incoming data reliably during the TLS handshake phase
+- Introduced a queue with pause/resume logic to avoid exceeding maxPendingDataSize and ensure all pending data is flushed before piping begins
+- Refactored the piping setup to install the renegotiation handler only after proper data flushing
+
+## 2025-03-11 - 3.37.1 - fix(PortProxy/SNI)
+Refactor SNI extraction in PortProxy to use the dedicated SniHandler class
+
+- Removed local SNI extraction and handshake detection functions from classes.portproxy.ts
+- Introduced a standalone SniHandler class in ts/classes.snihandler.ts for robust SNI extraction and improved logging
+- Replaced inlined calls to isTlsHandshake and extractSNI with calls to SniHandler methods
+- Ensured consistency in handling TLS ClientHello messages across the codebase
+
 ## 2025-03-11 - 3.37.0 - feat(portproxy)
 Add ACME certificate management options to PortProxy, update ACME settings handling, and bump dependency versions
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "3.37.0",
+  "version": "3.38.1",
   "private": false,
   "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.37.0',
+  version: '3.38.1',
   description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
 }

ts/classes.portproxy.ts

@@ -1,5 +1,6 @@
 import * as plugins from './plugins.js';
 import { NetworkProxy } from './classes.networkproxy.js';
+import { SniHandler } from './classes.snihandler.js';
 
 /** Domain configuration with per-domain allowed port ranges */
 export interface IDomainConfig {
@@ -117,192 +118,8 @@ interface IConnectionRecord {
   domainSwitches?: number; // Number of times the domain has been switched on this connection
 }
 
-/**
+// SNI functions are now imported from SniHandler class
- * Extracts the SNI (Server Name Indication) from a TLS ClientHello packet.
+// No need for wrapper functions
- * Enhanced for robustness and detailed logging.
- * @param buffer - Buffer containing the TLS ClientHello.
- * @param enableLogging - Whether to enable detailed logging.
- * @returns The server name if found, otherwise undefined.
- */
-function extractSNI(buffer: Buffer, enableLogging: boolean = false): string | undefined {
-  try {
-    // Check if buffer is too small for TLS
-    if (buffer.length < 5) {
-      if (enableLogging) console.log('Buffer too small for TLS header');
-      return undefined;
-    }
-
-    // Check record type (has to be handshake - 22)
-    const recordType = buffer.readUInt8(0);
-    if (recordType !== 22) {
-      if (enableLogging) console.log(`Not a TLS handshake. Record type: ${recordType}`);
-      return undefined;
-    }
-
-    // Check TLS version (has to be 3.1 or higher)
-    const majorVersion = buffer.readUInt8(1);
-    const minorVersion = buffer.readUInt8(2);
-    if (enableLogging) console.log(`TLS Version: ${majorVersion}.${minorVersion}`);
-
-    // Check record length
-    const recordLength = buffer.readUInt16BE(3);
-    if (buffer.length < 5 + recordLength) {
-      if (enableLogging)
-        console.log(
-          `Buffer too small for TLS record. Expected: ${5 + recordLength}, Got: ${buffer.length}`
-        );
-      return undefined;
-    }
-
-    let offset = 5;
-    const handshakeType = buffer.readUInt8(offset);
-    if (handshakeType !== 1) {
-      if (enableLogging) console.log(`Not a ClientHello. Handshake type: ${handshakeType}`);
-      return undefined;
-    }
-
-    offset += 4; // Skip handshake header (type + length)
-
-    // Client version
-    const clientMajorVersion = buffer.readUInt8(offset);
-    const clientMinorVersion = buffer.readUInt8(offset + 1);
-    if (enableLogging) console.log(`Client Version: ${clientMajorVersion}.${clientMinorVersion}`);
-
-    offset += 2 + 32; // Skip client version and random
-
-    // Session ID
-    const sessionIDLength = buffer.readUInt8(offset);
-    if (enableLogging) console.log(`Session ID Length: ${sessionIDLength}`);
-    offset += 1 + sessionIDLength; // Skip session ID
-
-    // Cipher suites
-    if (offset + 2 > buffer.length) {
-      if (enableLogging) console.log('Buffer too small for cipher suites length');
-      return undefined;
-    }
-    const cipherSuitesLength = buffer.readUInt16BE(offset);
-    if (enableLogging) console.log(`Cipher Suites Length: ${cipherSuitesLength}`);
-    offset += 2 + cipherSuitesLength; // Skip cipher suites
-
-    // Compression methods
-    if (offset + 1 > buffer.length) {
-      if (enableLogging) console.log('Buffer too small for compression methods length');
-      return undefined;
-    }
-    const compressionMethodsLength = buffer.readUInt8(offset);
-    if (enableLogging) console.log(`Compression Methods Length: ${compressionMethodsLength}`);
-    offset += 1 + compressionMethodsLength; // Skip compression methods
-
-    // Extensions
-    if (offset + 2 > buffer.length) {
-      if (enableLogging) console.log('Buffer too small for extensions length');
-      return undefined;
-    }
-    const extensionsLength = buffer.readUInt16BE(offset);
-    if (enableLogging) console.log(`Extensions Length: ${extensionsLength}`);
-    offset += 2;
-    const extensionsEnd = offset + extensionsLength;
-
-    if (extensionsEnd > buffer.length) {
-      if (enableLogging)
-        console.log(
-          `Buffer too small for extensions. Expected end: ${extensionsEnd}, Buffer length: ${buffer.length}`
-        );
-      return undefined;
-    }
-
-    // Parse extensions
-    while (offset + 4 <= extensionsEnd) {
-      const extensionType = buffer.readUInt16BE(offset);
-      const extensionLength = buffer.readUInt16BE(offset + 2);
-
-      if (enableLogging)
-        console.log(`Extension Type: 0x${extensionType.toString(16)}, Length: ${extensionLength}`);
-
-      offset += 4;
-
-      if (extensionType === 0x0000) {
-        // SNI extension
-        if (offset + 2 > buffer.length) {
-          if (enableLogging) console.log('Buffer too small for SNI list length');
-          return undefined;
-        }
-
-        const sniListLength = buffer.readUInt16BE(offset);
-        if (enableLogging) console.log(`SNI List Length: ${sniListLength}`);
-        offset += 2;
-        const sniListEnd = offset + sniListLength;
-
-        if (sniListEnd > buffer.length) {
-          if (enableLogging)
-            console.log(
-              `Buffer too small for SNI list. Expected end: ${sniListEnd}, Buffer length: ${buffer.length}`
-            );
-          return undefined;
-        }
-
-        while (offset + 3 < sniListEnd) {
-          const nameType = buffer.readUInt8(offset++);
-          const nameLen = buffer.readUInt16BE(offset);
-          offset += 2;
-
-          if (enableLogging) console.log(`Name Type: ${nameType}, Name Length: ${nameLen}`);
-
-          if (nameType === 0) {
-            // host_name
-            if (offset + nameLen > buffer.length) {
-              if (enableLogging)
-                console.log(
-                  `Buffer too small for hostname. Expected: ${offset + nameLen}, Got: ${
-                    buffer.length
-                  }`
-                );
-              return undefined;
-            }
-
-            const serverName = buffer.toString('utf8', offset, offset + nameLen);
-            if (enableLogging) console.log(`Extracted SNI: ${serverName}`);
-            return serverName;
-          }
-
-          offset += nameLen;
-        }
-        break;
-      } else {
-        offset += extensionLength;
-      }
-    }
-
-    if (enableLogging) console.log('No SNI extension found');
-    return undefined;
-  } catch (err) {
-    console.log(`Error extracting SNI: ${err}`);
-    return undefined;
-  }
-}
-
-/**
- * Checks if a TLS record is a proper ClientHello message (more accurate than just checking record type)
- * @param buffer - Buffer containing the TLS record
- * @returns true if the buffer contains a proper ClientHello message
- */
-function isClientHello(buffer: Buffer): boolean {
-  try {
-    if (buffer.length < 9) return false; // Too small for a proper ClientHello
-
-    // Check record type (has to be handshake - 22)
-    if (buffer.readUInt8(0) !== 22) return false;
-
-    // After the TLS record header (5 bytes), check the handshake type (1 for ClientHello)
-    if (buffer.readUInt8(5) !== 1) return false;
-
-    // Basic checks passed, this appears to be a ClientHello
-    return true;
-  } catch (err) {
-    console.log(`Error checking for ClientHello: ${err}`);
-    return false;
-  }
-}
 
 // Helper: Check if a port falls within any of the given port ranges
 const isPortInRanges = (port: number, ranges: Array<{ from: number; to: number }>): boolean => {
@@ -346,10 +163,7 @@ const generateConnectionId = (): string => {
   return Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
 };
 
-// Helper: Check if a buffer contains a TLS handshake
+// SNI functions are now imported from SniHandler class
-const isTlsHandshake = (buffer: Buffer): boolean => {
-  return buffer.length > 0 && buffer[0] === 22; // ContentType.handshake
-};
 
 // Helper: Ensure timeout values don't exceed Node.js max safe integer
 const ensureSafeTimeout = (timeout: number): number => {
@@ -752,44 +566,104 @@ export class PortProxy {
       connectionOptions.localAddress = record.remoteIP.replace('::ffff:', '');
     }
 
+    // Create a safe queue for incoming data using a Buffer array
+    // We'll use this to ensure we don't lose data during handler transitions
+    const dataQueue: Buffer[] = [];
+    let queueSize = 0;
+    let processingQueue = false;
+    let drainPending = false;
+    
+    // Flag to track if we've switched to the final piping mechanism
+    // Once this is true, we no longer buffer data in dataQueue
+    let pipingEstablished = false;
+    
     // Pause the incoming socket to prevent buffer overflows
+    // This ensures we control the flow of data until piping is set up
     socket.pause();
 
-    // Temporary handler to collect data during connection setup
+    // Function to safely process the data queue without losing events
-    const tempDataHandler = (chunk: Buffer) => {
+    const processDataQueue = () => {
-      // Track bytes received
+      if (processingQueue || dataQueue.length === 0 || pipingEstablished) return;
-      record.bytesReceived += chunk.length;
+      
+      processingQueue = true;
+      
+      try {
+        // Process all queued chunks with the current active handler
+        while (dataQueue.length > 0) {
+          const chunk = dataQueue.shift()!;
+          queueSize -= chunk.length;
+          
+          // Once piping is established, we shouldn't get here,
+          // but just in case, pass to the outgoing socket directly
+          if (pipingEstablished && record.outgoing) {
+            record.outgoing.write(chunk);
+            continue;
+          }
+          
+          // Track bytes received
+          record.bytesReceived += chunk.length;
 
-      // Check for TLS handshake
+          // Check for TLS handshake
-      if (!record.isTLS && isTlsHandshake(chunk)) {
+          if (!record.isTLS && SniHandler.isTlsHandshake(chunk)) {
-        record.isTLS = true;
+            record.isTLS = true;
 
-        if (this.settings.enableTlsDebugLogging) {
+            if (this.settings.enableTlsDebugLogging) {
-          console.log(
+              console.log(
-            `[${connectionId}] TLS handshake detected in tempDataHandler, ${chunk.length} bytes`
+                `[${connectionId}] TLS handshake detected in tempDataHandler, ${chunk.length} bytes`
-          );
+              );
+            }
+          }
+
+          // Check if adding this chunk would exceed the buffer limit
+          const newSize = record.pendingDataSize + chunk.length;
+
+          if (this.settings.maxPendingDataSize && newSize > this.settings.maxPendingDataSize) {
+            console.log(
+              `[${connectionId}] Buffer limit exceeded for connection from ${record.remoteIP}: ${newSize} bytes > ${this.settings.maxPendingDataSize} bytes`
+            );
+            socket.end(); // Gracefully close the socket
+            this.initiateCleanupOnce(record, 'buffer_limit_exceeded');
+            return;
+          }
+
+          // Buffer the chunk and update the size counter
+          record.pendingData.push(Buffer.from(chunk));
+          record.pendingDataSize = newSize;
+          this.updateActivity(record);
+        }
+      } finally {
+        processingQueue = false;
+        
+        // If there's a pending drain and we've processed everything,
+        // signal we're ready for more data if we haven't established piping yet
+        if (drainPending && dataQueue.length === 0 && !pipingEstablished) {
+          drainPending = false;
+          socket.resume();
         }
       }
-
-      // Check if adding this chunk would exceed the buffer limit
-      const newSize = record.pendingDataSize + chunk.length;
-
-      if (this.settings.maxPendingDataSize && newSize > this.settings.maxPendingDataSize) {
-        console.log(
-          `[${connectionId}] Buffer limit exceeded for connection from ${record.remoteIP}: ${newSize} bytes > ${this.settings.maxPendingDataSize} bytes`
-        );
-        socket.end(); // Gracefully close the socket
-        return this.initiateCleanupOnce(record, 'buffer_limit_exceeded');
-      }
-
-      // Buffer the chunk and update the size counter
-      record.pendingData.push(Buffer.from(chunk));
-      record.pendingDataSize = newSize;
-      this.updateActivity(record);
     };
 
-    // Add the temp handler to capture all incoming data during connection setup
+    // Unified data handler that safely queues incoming data
-    socket.on('data', tempDataHandler);
+    const safeDataHandler = (chunk: Buffer) => {
+      // If piping is already established, just let the pipe handle it
+      if (pipingEstablished) return;
+      
+      // Add to our queue for orderly processing
+      dataQueue.push(Buffer.from(chunk)); // Make a copy to be safe
+      queueSize += chunk.length;
+      
+      // If queue is getting large, pause socket until we catch up
+      if (this.settings.maxPendingDataSize && queueSize > this.settings.maxPendingDataSize * 0.8) {
+        socket.pause();
+        drainPending = true;
+      }
+      
+      // Process the queue
+      processDataQueue();
+    };
+
+    // Add our safe data handler
+    socket.on('data', safeDataHandler);
 
     // Add initial chunk to pending data if present
     if (initialChunk) {
@@ -962,56 +836,32 @@ export class PortProxy {
       // Add the normal error handler for established connections
       targetSocket.on('error', this.handleError('outgoing', record));
 
-      // Remove temporary data handler
+      // Process any remaining data in the queue before switching to piping
-      socket.removeListener('data', tempDataHandler);
+      processDataQueue();
-
+      
-      // Flush all pending data to target
+      // Setup function to establish piping - we'll use this after flushing data
-      if (record.pendingData.length > 0) {
+      const setupPiping = () => {
-        const combinedData = Buffer.concat(record.pendingData);
+        // Mark that we're switching to piping mode
-        targetSocket.write(combinedData, (err) => {
+        pipingEstablished = true;
-          if (err) {
+        
-            console.log(`[${connectionId}] Error writing pending data to target: ${err.message}`);
+        // Setup piping in both directions
-            return this.initiateCleanupOnce(record, 'write_error');
-          }
-
-          // Now set up piping for future data and resume the socket
-          socket.pipe(targetSocket);
-          targetSocket.pipe(socket);
-          socket.resume(); // Resume the socket after piping is established
-
-          if (this.settings.enableDetailedLogging) {
-            console.log(
-              `[${connectionId}] Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
-                `${
-                  serverName
-                    ? ` (SNI: ${serverName})`
-                    : domainConfig
-                    ? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
-                    : ''
-                }` +
-                ` TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${
-                  record.hasKeepAlive ? 'Yes' : 'No'
-                }`
-            );
-          } else {
-            console.log(
-              `Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
-                `${
-                  serverName
-                    ? ` (SNI: ${serverName})`
-                    : domainConfig
-                    ? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
-                    : ''
-                }`
-            );
-          }
-        });
-      } else {
-        // No pending data, so just set up piping
         socket.pipe(targetSocket);
         targetSocket.pipe(socket);
-        socket.resume(); // Resume the socket after piping is established
+        
-
+        // Resume the socket to ensure data flows
+        socket.resume();
+        
+        // Process any data that might be queued in the interim
+        if (dataQueue.length > 0) {
+          // Write any remaining queued data directly to the target socket
+          for (const chunk of dataQueue) {
+            targetSocket.write(chunk);
+          }
+          // Clear the queue
+          dataQueue.length = 0;
+          queueSize = 0;
+        }
+          
         if (this.settings.enableDetailedLogging) {
           console.log(
             `[${connectionId}] Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
@@ -1038,6 +888,23 @@ export class PortProxy {
               }`
           );
         }
+      };
+
+      // Flush all pending data to target
+      if (record.pendingData.length > 0) {
+        const combinedData = Buffer.concat(record.pendingData);
+        targetSocket.write(combinedData, (err) => {
+          if (err) {
+            console.log(`[${connectionId}] Error writing pending data to target: ${err.message}`);
+            return this.initiateCleanupOnce(record, 'write_error');
+          }
+
+          // Establish piping now that we've flushed the buffered data
+          setupPiping();
+        });
+      } else {
+        // No pending data, just establish piping immediately
+        setupPiping();
       }
 
       // Clear the buffer now that we've processed it
@@ -1045,14 +912,23 @@ export class PortProxy {
       record.pendingDataSize = 0;
 
       // Add the renegotiation handler for SNI validation with strict domain enforcement
+      // This will be called after we've established piping
       if (serverName) {
         // Define a handler for checking renegotiation with improved detection
         const renegotiationHandler = (renegChunk: Buffer) => {
           // Only process if this looks like a TLS ClientHello
-          if (isClientHello(renegChunk)) {
+          if (SniHandler.isClientHello(renegChunk)) {
             try {
               // Extract SNI from ClientHello
-              const newSNI = extractSNI(renegChunk, this.settings.enableTlsDebugLogging);
+              // Create a connection info object for the existing connection
+              const connInfo = {
+                sourceIp: record.remoteIP,
+                sourcePort: record.incoming.remotePort || 0,
+                destIp: record.incoming.localAddress || '',
+                destPort: record.incoming.localPort || 0
+              };
+              
+              const newSNI = SniHandler.extractSNIWithResumptionSupport(renegChunk, connInfo, this.settings.enableTlsDebugLogging);
 
               // Skip if no SNI was found
               if (!newSNI) return;
@@ -1081,8 +957,13 @@ export class PortProxy {
         // Store the handler in the connection record so we can remove it during cleanup
         record.renegotiationHandler = renegotiationHandler;
 
-        // Add the listener
+        // The renegotiation handler is added when piping is established
+        // Making it part of setupPiping ensures proper sequencing of event handlers
         socket.on('data', renegotiationHandler);
+        
+        if (this.settings.enableDetailedLogging) {
+          console.log(`[${connectionId}] TLS renegotiation handler installed for SNI domain: ${serverName}`);
+        }
       }
 
       // Set connection timeout with simpler logic
@@ -1242,13 +1123,16 @@ export class PortProxy {
       const bytesReceived = record.bytesReceived;
       const bytesSent = record.bytesSent;
 
-      // Remove the renegotiation handler if present
+      // Remove all data handlers (both standard and renegotiation) to make sure we clean up properly
-      if (record.renegotiationHandler && record.incoming) {
+      if (record.incoming) {
         try {
-          record.incoming.removeListener('data', record.renegotiationHandler);
+          // Remove our safe data handler
+          record.incoming.removeAllListeners('data');
+          
+          // Reset the handler references
           record.renegotiationHandler = undefined;
         } catch (err) {
-          console.log(`[${record.id}] Error removing renegotiation handler: ${err}`);
+          console.log(`[${record.id}] Error removing data handlers: ${err}`);
         }
       }
 
@@ -1644,7 +1528,7 @@ export class PortProxy {
           connectionRecord.hasReceivedInitialData = true;
 
           // Check if this looks like a TLS handshake
-          if (isTlsHandshake(chunk)) {
+          if (SniHandler.isTlsHandshake(chunk)) {
             connectionRecord.isTLS = true;
             
             // Forward directly to NetworkProxy without SNI processing
@@ -1706,7 +1590,7 @@ export class PortProxy {
           this.updateActivity(connectionRecord);
 
           // Check for TLS handshake if this is the first chunk
-          if (!connectionRecord.isTLS && isTlsHandshake(chunk)) {
+          if (!connectionRecord.isTLS && SniHandler.isTlsHandshake(chunk)) {
             connectionRecord.isTLS = true;
 
             if (this.settings.enableTlsDebugLogging) {
@@ -1714,7 +1598,15 @@ export class PortProxy {
                 `[${connectionId}] TLS handshake detected from ${remoteIP}, ${chunk.length} bytes`
               );
               // Try to extract SNI and log detailed debug info
-              extractSNI(chunk, true);
+              // Create connection info for debug logging
+              const debugConnInfo = {
+                sourceIp: remoteIP,
+                sourcePort: socket.remotePort || 0,
+                destIp: socket.localAddress || '',
+                destPort: socket.localPort || 0
+              };
+              
+              SniHandler.extractSNIWithResumptionSupport(chunk, debugConnInfo, true);
             }
           }
         });
@@ -1743,7 +1635,7 @@ export class PortProxy {
           connectionRecord.hasReceivedInitialData = true;
 
           // Check if this looks like a TLS handshake
-          const isTlsHandshakeDetected = initialChunk && isTlsHandshake(initialChunk);
+          const isTlsHandshakeDetected = initialChunk && SniHandler.isTlsHandshake(initialChunk);
           if (isTlsHandshakeDetected) {
             connectionRecord.isTLS = true;
 
@@ -1912,7 +1804,7 @@ export class PortProxy {
             // Try to extract SNI
             let serverName = '';
 
-            if (isTlsHandshake(chunk)) {
+            if (SniHandler.isTlsHandshake(chunk)) {
               connectionRecord.isTLS = true;
 
               if (this.settings.enableTlsDebugLogging) {
@@ -1921,7 +1813,21 @@ export class PortProxy {
                 );
               }
 
-              serverName = extractSNI(chunk, this.settings.enableTlsDebugLogging) || '';
+              // Create connection info object for SNI extraction
+              const connInfo = {
+                sourceIp: remoteIP,
+                sourcePort: socket.remotePort || 0,
+                destIp: socket.localAddress || '',
+                destPort: socket.localPort || 0
+              };
+              
+              // Use the new processTlsPacket method for comprehensive handling
+              serverName = SniHandler.processTlsPacket(
+                chunk, 
+                connInfo,
+                this.settings.enableTlsDebugLogging,
+                connectionRecord.lockedDomain // Pass any previously negotiated domain as a hint
+              ) || '';
             }
 
             // Lock the connection to the negotiated SNI.

ts/classes.snihandler.ts

@@ -0,0 +1,836 @@
+import { Buffer } from 'buffer';
+
+/**
+ * SNI (Server Name Indication) handler for TLS connections.
+ * Provides robust extraction of SNI values from TLS ClientHello messages
+ * with support for fragmented packets, TLS 1.3 resumption, and Chrome-specific
+ * connection behaviors.
+ */
+export class SniHandler {
+  // TLS record types and constants
+  private static readonly TLS_HANDSHAKE_RECORD_TYPE = 22;
+  private static readonly TLS_APPLICATION_DATA_TYPE = 23;  // TLS Application Data record type
+  private static readonly TLS_CLIENT_HELLO_HANDSHAKE_TYPE = 1;
+  private static readonly TLS_SNI_EXTENSION_TYPE = 0x0000;
+  private static readonly TLS_SESSION_TICKET_EXTENSION_TYPE = 0x0023;
+  private static readonly TLS_SNI_HOST_NAME_TYPE = 0;
+  private static readonly TLS_PSK_EXTENSION_TYPE = 0x0029; // Pre-Shared Key extension type for TLS 1.3
+  private static readonly TLS_PSK_KE_MODES_EXTENSION_TYPE = 0x002D; // PSK Key Exchange Modes
+  private static readonly TLS_EARLY_DATA_EXTENSION_TYPE = 0x002A; // Early Data (0-RTT) extension
+  
+  // Buffer for handling fragmented ClientHello messages
+  private static fragmentedBuffers: Map<string, Buffer> = new Map();
+  private static fragmentTimeout: number = 1000; // ms to wait for fragments before cleanup
+
+  /**
+   * Checks if a buffer contains a TLS handshake message (record type 22)
+   * @param buffer - The buffer to check
+   * @returns true if the buffer starts with a TLS handshake record type
+   */
+  public static isTlsHandshake(buffer: Buffer): boolean {
+    return buffer.length > 0 && buffer[0] === this.TLS_HANDSHAKE_RECORD_TYPE;
+  }
+  
+  /**
+   * Checks if a buffer contains TLS application data (record type 23)
+   * @param buffer - The buffer to check
+   * @returns true if the buffer starts with a TLS application data record type
+   */
+  public static isTlsApplicationData(buffer: Buffer): boolean {
+    return buffer.length > 0 && buffer[0] === this.TLS_APPLICATION_DATA_TYPE;
+  }
+  
+  /**
+   * Creates a connection ID based on source/destination information
+   * Used to track fragmented ClientHello messages across multiple packets
+   * 
+   * @param connectionInfo - Object containing connection identifiers (IP/port)
+   * @returns A string ID for the connection
+   */
+  public static createConnectionId(connectionInfo: { 
+    sourceIp?: string; 
+    sourcePort?: number; 
+    destIp?: string; 
+    destPort?: number; 
+  }): string {
+    const { sourceIp, sourcePort, destIp, destPort } = connectionInfo;
+    return `${sourceIp}:${sourcePort}-${destIp}:${destPort}`;
+  }
+  
+  /**
+   * Handles potential fragmented ClientHello messages by buffering and reassembling
+   * TLS record fragments that might span multiple TCP packets.
+   * 
+   * @param buffer - The current buffer fragment
+   * @param connectionId - Unique identifier for the connection
+   * @param enableLogging - Whether to enable logging
+   * @returns A complete buffer if reassembly is successful, or undefined if more fragments are needed
+   */
+  public static handleFragmentedClientHello(
+    buffer: Buffer,
+    connectionId: string,
+    enableLogging: boolean = false
+  ): Buffer | undefined {
+    const log = (message: string) => {
+      if (enableLogging) {
+        console.log(`[SNI Fragment] ${message}`);
+      }
+    };
+    
+    // Check if we've seen this connection before
+    if (!this.fragmentedBuffers.has(connectionId)) {
+      // New connection, start with this buffer
+      this.fragmentedBuffers.set(connectionId, buffer);
+      
+      // Set timeout to clean up if we don't get a complete ClientHello
+      setTimeout(() => {
+        if (this.fragmentedBuffers.has(connectionId)) {
+          this.fragmentedBuffers.delete(connectionId);
+          log(`Connection ${connectionId} timed out waiting for complete ClientHello`);
+        }
+      }, this.fragmentTimeout);
+      
+      // Evaluate if this buffer already contains a complete ClientHello
+      try {
+        if (buffer.length >= 5) {
+          const recordLength = (buffer[3] << 8) + buffer[4];
+          if (buffer.length >= recordLength + 5) {
+            log(`Initial buffer contains complete ClientHello, length: ${buffer.length}`);
+            return buffer;
+          }
+        }
+      } catch (e) {
+        log(`Error checking initial buffer completeness: ${e}`);
+      }
+      
+      log(`Started buffering connection ${connectionId}, initial size: ${buffer.length}`);
+      return undefined; // Need more fragments
+    } else {
+      // Existing connection, append this buffer
+      const existingBuffer = this.fragmentedBuffers.get(connectionId)!;
+      const newBuffer = Buffer.concat([existingBuffer, buffer]);
+      this.fragmentedBuffers.set(connectionId, newBuffer);
+      
+      log(`Appended to buffer for ${connectionId}, new size: ${newBuffer.length}`);
+      
+      // Check if we now have a complete ClientHello
+      try {
+        if (newBuffer.length >= 5) {
+          const recordLength = (newBuffer[3] << 8) + newBuffer[4];
+          if (newBuffer.length >= recordLength + 5) {
+            log(`Assembled complete ClientHello, length: ${newBuffer.length}`);
+            // Complete message received, remove from tracking
+            this.fragmentedBuffers.delete(connectionId);
+            return newBuffer;
+          }
+        }
+      } catch (e) {
+        log(`Error checking reassembled buffer completeness: ${e}`);
+      }
+      
+      return undefined; // Still need more fragments
+    }
+  }
+
+  /**
+   * Checks if a buffer contains a TLS ClientHello message
+   * @param buffer - The buffer to check
+   * @returns true if the buffer appears to be a ClientHello message
+   */
+  public static isClientHello(buffer: Buffer): boolean {
+    // Minimum ClientHello size (TLS record header + handshake header)
+    if (buffer.length < 9) {
+      return false;
+    }
+
+    // Check record type (must be TLS_HANDSHAKE_RECORD_TYPE)
+    if (buffer[0] !== this.TLS_HANDSHAKE_RECORD_TYPE) {
+      return false;
+    }
+
+    // Skip version and length in TLS record header (5 bytes total)
+    // Check handshake type at byte 5 (must be CLIENT_HELLO)
+    return buffer[5] === this.TLS_CLIENT_HELLO_HANDSHAKE_TYPE;
+  }
+
+  /**
+   * Extracts the SNI (Server Name Indication) from a TLS ClientHello message.
+   * Implements robust parsing with support for session resumption edge cases.
+   * 
+   * @param buffer - The buffer containing the TLS ClientHello message
+   * @param enableLogging - Whether to enable detailed debug logging
+   * @returns The extracted server name or undefined if not found
+   */
+  public static extractSNI(buffer: Buffer, enableLogging: boolean = false): string | undefined {
+    // Logging helper
+    const log = (message: string) => {
+      if (enableLogging) {
+        console.log(`[SNI Extraction] ${message}`);
+      }
+    };
+
+    try {
+      // Buffer must be at least 5 bytes (TLS record header)
+      if (buffer.length < 5) {
+        log('Buffer too small for TLS record header');
+        return undefined;
+      }
+
+      // Check record type (must be TLS_HANDSHAKE_RECORD_TYPE = 22)
+      if (buffer[0] !== this.TLS_HANDSHAKE_RECORD_TYPE) {
+        log(`Not a TLS handshake record: ${buffer[0]}`);
+        return undefined;
+      }
+
+      // Check TLS version
+      const majorVersion = buffer[1];
+      const minorVersion = buffer[2];
+      log(`TLS version: ${majorVersion}.${minorVersion}`);
+
+      // Parse record length (bytes 3-4, big-endian)
+      const recordLength = (buffer[3] << 8) + buffer[4];
+      log(`Record length: ${recordLength}`);
+
+      // Validate record length against buffer size
+      if (buffer.length < recordLength + 5) {
+        log('Buffer smaller than expected record length');
+        return undefined;
+      }
+
+      // Start of handshake message in the buffer
+      let pos = 5;
+
+      // Check handshake type (must be CLIENT_HELLO = 1)
+      if (buffer[pos] !== this.TLS_CLIENT_HELLO_HANDSHAKE_TYPE) {
+        log(`Not a ClientHello message: ${buffer[pos]}`);
+        return undefined;
+      }
+
+      // Skip handshake type (1 byte)
+      pos += 1;
+
+      // Parse handshake length (3 bytes, big-endian)
+      const handshakeLength = (buffer[pos] << 16) + (buffer[pos + 1] << 8) + buffer[pos + 2];
+      log(`Handshake length: ${handshakeLength}`);
+
+      // Skip handshake length (3 bytes)
+      pos += 3;
+
+      // Check client version (2 bytes)
+      const clientMajorVersion = buffer[pos];
+      const clientMinorVersion = buffer[pos + 1];
+      log(`Client version: ${clientMajorVersion}.${clientMinorVersion}`);
+
+      // Skip client version (2 bytes)
+      pos += 2;
+
+      // Skip client random (32 bytes)
+      pos += 32;
+
+      // Parse session ID
+      if (pos + 1 > buffer.length) {
+        log('Buffer too small for session ID length');
+        return undefined;
+      }
+
+      const sessionIdLength = buffer[pos];
+      log(`Session ID length: ${sessionIdLength}`);
+
+      // Skip session ID length (1 byte) and session ID
+      pos += 1 + sessionIdLength;
+
+      // Check if we have enough bytes left
+      if (pos + 2 > buffer.length) {
+        log('Buffer too small for cipher suites length');
+        return undefined;
+      }
+
+      // Parse cipher suites length (2 bytes, big-endian)
+      const cipherSuitesLength = (buffer[pos] << 8) + buffer[pos + 1];
+      log(`Cipher suites length: ${cipherSuitesLength}`);
+
+      // Skip cipher suites length (2 bytes) and cipher suites
+      pos += 2 + cipherSuitesLength;
+
+      // Check if we have enough bytes left
+      if (pos + 1 > buffer.length) {
+        log('Buffer too small for compression methods length');
+        return undefined;
+      }
+
+      // Parse compression methods length (1 byte)
+      const compressionMethodsLength = buffer[pos];
+      log(`Compression methods length: ${compressionMethodsLength}`);
+
+      // Skip compression methods length (1 byte) and compression methods
+      pos += 1 + compressionMethodsLength;
+
+      // Check if we have enough bytes for extensions length
+      if (pos + 2 > buffer.length) {
+        log('No extensions present or buffer too small');
+        return undefined;
+      }
+
+      // Parse extensions length (2 bytes, big-endian)
+      const extensionsLength = (buffer[pos] << 8) + buffer[pos + 1];
+      log(`Extensions length: ${extensionsLength}`);
+
+      // Skip extensions length (2 bytes)
+      pos += 2;
+
+      // Extensions end position
+      const extensionsEnd = pos + extensionsLength;
+
+      // Check if extensions length is valid
+      if (extensionsEnd > buffer.length) {
+        log('Extensions length exceeds buffer size');
+        return undefined;
+      }
+
+      // Track if we found session tickets (for improved resumption handling)
+      let hasSessionTicket = false;
+      let hasPskExtension = false;
+
+      // Iterate through extensions
+      while (pos + 4 <= extensionsEnd) {
+        // Parse extension type (2 bytes, big-endian)
+        const extensionType = (buffer[pos] << 8) + buffer[pos + 1];
+        log(`Extension type: 0x${extensionType.toString(16).padStart(4, '0')}`);
+
+        // Skip extension type (2 bytes)
+        pos += 2;
+
+        // Parse extension length (2 bytes, big-endian)
+        const extensionLength = (buffer[pos] << 8) + buffer[pos + 1];
+        log(`Extension length: ${extensionLength}`);
+
+        // Skip extension length (2 bytes)
+        pos += 2;
+
+        // Check if this is the SNI extension
+        if (extensionType === this.TLS_SNI_EXTENSION_TYPE) {
+          log('Found SNI extension');
+
+          // Ensure we have enough bytes for the server name list
+          if (pos + 2 > extensionsEnd) {
+            log('Extension too small for server name list length');
+            pos += extensionLength; // Skip this extension
+            continue;
+          }
+
+          // Parse server name list length (2 bytes, big-endian)
+          const serverNameListLength = (buffer[pos] << 8) + buffer[pos + 1];
+          log(`Server name list length: ${serverNameListLength}`);
+
+          // Skip server name list length (2 bytes)
+          pos += 2;
+
+          // Ensure server name list length is valid
+          if (pos + serverNameListLength > extensionsEnd) {
+            log('Server name list length exceeds extension size');
+            break; // Exit the loop, extension parsing is broken
+          }
+
+          // End position of server name list
+          const serverNameListEnd = pos + serverNameListLength;
+
+          // Iterate through server names
+          while (pos + 3 <= serverNameListEnd) {
+            // Check name type (must be HOST_NAME_TYPE = 0 for hostname)
+            const nameType = buffer[pos];
+            log(`Name type: ${nameType}`);
+
+            if (nameType !== this.TLS_SNI_HOST_NAME_TYPE) {
+              log(`Unsupported name type: ${nameType}`);
+              pos += 1; // Skip name type (1 byte)
+
+              // Skip name length (2 bytes) and name data
+              if (pos + 2 <= serverNameListEnd) {
+                const nameLength = (buffer[pos] << 8) + buffer[pos + 1];
+                pos += 2 + nameLength;
+              } else {
+                log('Invalid server name entry');
+                break;
+              }
+              continue;
+            }
+
+            // Skip name type (1 byte)
+            pos += 1;
+
+            // Ensure we have enough bytes for name length
+            if (pos + 2 > serverNameListEnd) {
+              log('Server name entry too small for name length');
+              break;
+            }
+
+            // Parse name length (2 bytes, big-endian)
+            const nameLength = (buffer[pos] << 8) + buffer[pos + 1];
+            log(`Name length: ${nameLength}`);
+
+            // Skip name length (2 bytes)
+            pos += 2;
+
+            // Ensure we have enough bytes for the name
+            if (pos + nameLength > serverNameListEnd) {
+              log('Name length exceeds server name list size');
+              break;
+            }
+
+            // Extract server name (hostname)
+            const serverName = buffer.slice(pos, pos + nameLength).toString('utf8');
+            log(`Extracted server name: ${serverName}`);
+            return serverName;
+          }
+        } else if (extensionType === this.TLS_SESSION_TICKET_EXTENSION_TYPE) {
+          // If we encounter a session ticket extension, mark it for later
+          log('Found session ticket extension');
+          hasSessionTicket = true;
+          pos += extensionLength; // Skip this extension
+        } else if (extensionType === this.TLS_PSK_EXTENSION_TYPE) {
+          // TLS 1.3 PSK extension - mark for resumption support
+          log('Found PSK extension (TLS 1.3 resumption indicator)');
+          hasPskExtension = true;
+          // We'll skip the extension here and process it separately if needed
+          pos += extensionLength;
+        } else {
+          // Skip this extension
+          pos += extensionLength;
+        }
+      }
+
+      // Log if we found session resumption indicators but no SNI
+      if (hasSessionTicket || hasPskExtension) {
+        log('Session resumption indicators present but no SNI found');
+      }
+
+      log('No SNI extension found in ClientHello');
+      return undefined;
+    } catch (error) {
+      log(`Error parsing SNI: ${error instanceof Error ? error.message : String(error)}`);
+      return undefined;
+    }
+  }
+
+  /**
+   * Attempts to extract SNI from the PSK extension in a TLS 1.3 ClientHello.
+   * 
+   * In TLS 1.3, when a client attempts to resume a session, it may include 
+   * the server name in the PSK identity hint rather than in the SNI extension.
+   * 
+   * @param buffer - The buffer containing the TLS ClientHello message
+   * @param enableLogging - Whether to enable detailed debug logging
+   * @returns The extracted server name or undefined if not found
+   */
+  public static extractSNIFromPSKExtension(
+    buffer: Buffer,
+    enableLogging: boolean = false
+  ): string | undefined {
+    const log = (message: string) => {
+      if (enableLogging) {
+        console.log(`[PSK-SNI Extraction] ${message}`);
+      }
+    };
+
+    try {
+      // Ensure this is a ClientHello
+      if (!this.isClientHello(buffer)) {
+        log('Not a ClientHello message');
+        return undefined;
+      }
+
+      // Find the start position of extensions
+      let pos = 5; // Start after record header
+      
+      // Skip handshake type (1 byte)
+      pos += 1;
+      
+      // Skip handshake length (3 bytes)
+      pos += 3;
+      
+      // Skip client version (2 bytes)
+      pos += 2;
+      
+      // Skip client random (32 bytes)
+      pos += 32;
+      
+      // Skip session ID
+      if (pos + 1 > buffer.length) return undefined;
+      const sessionIdLength = buffer[pos];
+      pos += 1 + sessionIdLength;
+      
+      // Skip cipher suites
+      if (pos + 2 > buffer.length) return undefined;
+      const cipherSuitesLength = (buffer[pos] << 8) + buffer[pos + 1];
+      pos += 2 + cipherSuitesLength;
+      
+      // Skip compression methods
+      if (pos + 1 > buffer.length) return undefined;
+      const compressionMethodsLength = buffer[pos];
+      pos += 1 + compressionMethodsLength;
+      
+      // Check if we have extensions
+      if (pos + 2 > buffer.length) {
+        log('No extensions present');
+        return undefined;
+      }
+      
+      // Get extensions length
+      const extensionsLength = (buffer[pos] << 8) + buffer[pos + 1];
+      pos += 2;
+      
+      // Extensions end position
+      const extensionsEnd = pos + extensionsLength;
+      if (extensionsEnd > buffer.length) return undefined;
+
+      // Look for PSK extension
+      while (pos + 4 <= extensionsEnd) {
+        const extensionType = (buffer[pos] << 8) + buffer[pos + 1];
+        pos += 2;
+        
+        const extensionLength = (buffer[pos] << 8) + buffer[pos + 1];
+        pos += 2;
+        
+        if (extensionType === this.TLS_PSK_EXTENSION_TYPE) {
+          log('Found PSK extension');
+          
+          // PSK extension structure:
+          // 2 bytes: identities list length
+          if (pos + 2 > extensionsEnd) break;
+          const identitiesLength = (buffer[pos] << 8) + buffer[pos + 1];
+          pos += 2;
+          
+          // End of identities list
+          const identitiesEnd = pos + identitiesLength;
+          if (identitiesEnd > extensionsEnd) break;
+          
+          // Process each PSK identity
+          while (pos + 2 <= identitiesEnd) {
+            // Identity length (2 bytes)
+            if (pos + 2 > identitiesEnd) break;
+            const identityLength = (buffer[pos] << 8) + buffer[pos + 1];
+            pos += 2;
+            
+            if (pos + identityLength > identitiesEnd) break;
+            
+            // Try to extract hostname from identity
+            // Chrome often embeds the hostname in the PSK identity
+            // This is a heuristic as there's no standard format
+            if (identityLength > 0) {
+              const identity = buffer.slice(pos, pos + identityLength);
+              
+              // Skip identity bytes
+              pos += identityLength;
+              
+              // Skip obfuscated ticket age (4 bytes)
+              pos += 4;
+              
+              // Try to parse the identity as UTF-8
+              try {
+                const identityStr = identity.toString('utf8');
+                log(`PSK identity: ${identityStr}`);
+                
+                // Check if the identity contains hostname hints
+                // Chrome often embeds the hostname in a known format
+                // Try to extract using common patterns
+                
+                // Pattern 1: Look for domain name pattern
+                const domainPattern = /([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?/i;
+                const domainMatch = identityStr.match(domainPattern);
+                if (domainMatch && domainMatch[0]) {
+                  log(`Found domain in PSK identity: ${domainMatch[0]}`);
+                  return domainMatch[0];
+                }
+                
+                // Pattern 2: Chrome sometimes uses a specific format with delimiters
+                // This is a heuristic approach since the format isn't standardized
+                const parts = identityStr.split('|');
+                if (parts.length > 1) {
+                  for (const part of parts) {
+                    if (part.includes('.') && !part.includes('/')) {
+                      const possibleDomain = part.trim();
+                      if (/^[a-z0-9.-]+$/i.test(possibleDomain)) {
+                        log(`Found possible domain in PSK delimiter format: ${possibleDomain}`);
+                        return possibleDomain;
+                      }
+                    }
+                  }
+                }
+              } catch (e) {
+                log('Failed to parse PSK identity as UTF-8');
+              }
+            }
+          }
+        } else {
+          // Skip this extension
+          pos += extensionLength;
+        }
+      }
+      
+      log('No hostname found in PSK extension');
+      return undefined;
+    } catch (error) {
+      log(`Error parsing PSK: ${error instanceof Error ? error.message : String(error)}`);
+      return undefined;
+    }
+  }
+
+  /**
+   * Checks if the buffer contains TLS 1.3 early data (0-RTT)
+   * @param buffer - The buffer to check
+   * @param enableLogging - Whether to enable logging
+   * @returns true if early data is detected
+   */
+  public static hasEarlyData(
+    buffer: Buffer,
+    enableLogging: boolean = false
+  ): boolean {
+    const log = (message: string) => {
+      if (enableLogging) {
+        console.log(`[Early Data] ${message}`);
+      }
+    };
+    
+    try {
+      // Check if this is a valid ClientHello first
+      if (!this.isClientHello(buffer)) {
+        return false;
+      }
+      
+      // Find the extensions section
+      let pos = 5; // Start after record header
+      
+      // Skip handshake type (1 byte)
+      pos += 1;
+      
+      // Skip handshake length (3 bytes)
+      pos += 3;
+      
+      // Skip client version (2 bytes)
+      pos += 2;
+      
+      // Skip client random (32 bytes)
+      pos += 32;
+      
+      // Skip session ID
+      if (pos + 1 > buffer.length) return false;
+      const sessionIdLength = buffer[pos];
+      pos += 1 + sessionIdLength;
+      
+      // Skip cipher suites
+      if (pos + 2 > buffer.length) return false;
+      const cipherSuitesLength = (buffer[pos] << 8) + buffer[pos + 1];
+      pos += 2 + cipherSuitesLength;
+      
+      // Skip compression methods
+      if (pos + 1 > buffer.length) return false;
+      const compressionMethodsLength = buffer[pos];
+      pos += 1 + compressionMethodsLength;
+      
+      // Check if we have extensions
+      if (pos + 2 > buffer.length) return false;
+      
+      // Get extensions length
+      const extensionsLength = (buffer[pos] << 8) + buffer[pos + 1];
+      pos += 2;
+      
+      // Extensions end position
+      const extensionsEnd = pos + extensionsLength;
+      if (extensionsEnd > buffer.length) return false;
+      
+      // Look for early data extension
+      while (pos + 4 <= extensionsEnd) {
+        const extensionType = (buffer[pos] << 8) + buffer[pos + 1];
+        pos += 2;
+        
+        const extensionLength = (buffer[pos] << 8) + buffer[pos + 1];
+        pos += 2;
+        
+        if (extensionType === this.TLS_EARLY_DATA_EXTENSION_TYPE) {
+          log('Early Data (0-RTT) extension detected');
+          return true;
+        }
+        
+        // Skip to next extension
+        pos += extensionLength;
+      }
+      
+      return false;
+    } catch (error) {
+      log(`Error checking for early data: ${error}`);
+      return false;
+    }
+  }
+  
+  /**
+   * Attempts to extract SNI from an initial ClientHello packet and handles
+   * session resumption edge cases more robustly than the standard extraction.
+   * 
+   * This method handles:
+   * 1. Standard SNI extraction
+   * 2. TLS 1.3 PSK-based resumption (Chrome, Firefox, etc.)
+   * 3. Session ticket-based resumption
+   * 4. Fragmented ClientHello messages
+   * 5. TLS 1.3 Early Data (0-RTT)
+   * 6. Chrome's connection racing behaviors
+   * 
+   * @param buffer - The buffer containing the TLS ClientHello message
+   * @param connectionInfo - Optional connection information for fragment handling
+   * @param enableLogging - Whether to enable detailed debug logging
+   * @returns The extracted server name or undefined if not found
+   */
+  public static extractSNIWithResumptionSupport(
+    buffer: Buffer,
+    connectionInfo?: { 
+      sourceIp?: string; 
+      sourcePort?: number; 
+      destIp?: string; 
+      destPort?: number; 
+    },
+    enableLogging: boolean = false
+  ): string | undefined {
+    const log = (message: string) => {
+      if (enableLogging) {
+        console.log(`[SNI Extraction] ${message}`);
+      }
+    };
+    
+    // Check if we need to handle fragmented packets
+    let processBuffer = buffer;
+    if (connectionInfo) {
+      const connectionId = this.createConnectionId(connectionInfo);
+      const reassembledBuffer = this.handleFragmentedClientHello(
+        buffer, 
+        connectionId, 
+        enableLogging
+      );
+      
+      if (!reassembledBuffer) {
+        log(`Waiting for more fragments on connection ${connectionId}`);
+        return undefined; // Need more fragments to complete ClientHello
+      }
+      
+      processBuffer = reassembledBuffer;
+      log(`Using reassembled buffer of length ${processBuffer.length}`);
+    }
+    
+    // First try the standard SNI extraction
+    const standardSni = this.extractSNI(processBuffer, enableLogging);
+    if (standardSni) {
+      log(`Found standard SNI: ${standardSni}`);
+      return standardSni;
+    }
+    
+    // Check for TLS 1.3 early data (0-RTT)
+    const hasEarly = this.hasEarlyData(processBuffer, enableLogging);
+    if (hasEarly) {
+      log('TLS 1.3 Early Data detected, using special handling');
+      // In 0-RTT, Chrome often relies on server remembering the SNI from previous sessions
+      // We could implement session tracking here if necessary
+    }
+    
+    // If standard extraction failed and we have a valid ClientHello,
+    // this might be a session resumption with non-standard format
+    if (this.isClientHello(processBuffer)) {
+      log('Detected ClientHello without standard SNI, possible session resumption');
+      
+      // Try to extract from PSK extension (TLS 1.3 resumption)
+      const pskSni = this.extractSNIFromPSKExtension(processBuffer, enableLogging);
+      if (pskSni) {
+        log(`Extracted SNI from PSK extension: ${pskSni}`);
+        return pskSni;
+      }
+      
+      // Special handling for Chrome connection racing
+      // Chrome often opens multiple connections in parallel with different
+      // characteristics to improve performance
+      // Here we would look for specific patterns in ClientHello that indicate
+      // it's part of a connection race
+      
+      // Detect if this is likely a secondary connection in a race
+      // by examining the cipher suites and extensions
+      // This would require session state tracking across connections
+      
+      log('Failed to extract SNI from resumption mechanisms');
+    }
+    
+    return undefined;
+  }
+  
+  /**
+   * Main entry point for SNI extraction that handles all edge cases.
+   * This should be called for each TLS packet received from a client.
+   * 
+   * The method uses connection tracking to handle fragmented ClientHello
+   * messages and various TLS 1.3 behaviors, including Chrome's connection
+   * racing patterns.
+   * 
+   * @param buffer - The buffer containing TLS data
+   * @param connectionInfo - Connection metadata (IPs and ports)
+   * @param enableLogging - Whether to enable detailed debug logging
+   * @param cachedSni - Optional cached SNI from previous connections (for racing detection)
+   * @returns The extracted server name or undefined if not found or more data needed
+   */
+  public static processTlsPacket(
+    buffer: Buffer,
+    connectionInfo: {
+      sourceIp: string;
+      sourcePort: number;
+      destIp: string;
+      destPort: number;
+      timestamp?: number;
+    },
+    enableLogging: boolean = false,
+    cachedSni?: string
+  ): string | undefined {
+    const log = (message: string) => {
+      if (enableLogging) {
+        console.log(`[TLS Packet] ${message}`);
+      }
+    };
+    
+    // Add timestamp if not provided
+    if (!connectionInfo.timestamp) {
+      connectionInfo.timestamp = Date.now();
+    }
+    
+    // Check if this is a TLS handshake
+    if (!this.isTlsHandshake(buffer) && !this.isTlsApplicationData(buffer)) {
+      log('Not a TLS handshake or application data packet');
+      return undefined;
+    }
+    
+    // Create connection ID for tracking
+    const connectionId = this.createConnectionId(connectionInfo);
+    log(`Processing TLS packet for connection ${connectionId}, buffer length: ${buffer.length}`);
+    
+    // Handle special case: if we already have a cached SNI from a previous
+    // connection from the same client IP within a short time window,
+    // this might be a connection racing situation
+    if (cachedSni && this.isTlsApplicationData(buffer)) {
+      log(`Using cached SNI from connection racing: ${cachedSni}`);
+      return cachedSni;
+    }
+    
+    // Try to extract SNI with full resumption support and fragment handling
+    const sni = this.extractSNIWithResumptionSupport(
+      buffer,
+      connectionInfo,
+      enableLogging
+    );
+    
+    if (sni) {
+      log(`Successfully extracted SNI: ${sni}`);
+      return sni;
+    }
+    
+    // If we couldn't extract an SNI, check if this is a valid ClientHello
+    // If it is, but we couldn't get an SNI, it might be a fragment or
+    // a connection race situation
+    if (this.isClientHello(buffer)) {
+      log('Valid ClientHello detected, but no SNI extracted - might need more data');
+    }
+    
+    return undefined;
+  }
+}

ts/index.ts

@@ -3,3 +3,4 @@ export * from './classes.networkproxy.js';
 export * from './classes.portproxy.js';
 export * from './classes.port80handler.js';
 export * from './classes.sslredirect.js';
+export * from './classes.snihandler.js';