3.41.6

changelog.md

@@ -1,5 +1,114 @@
 # Changelog
 
+## 2025-03-12 - 3.41.6 - fix(SniHandler)
+Refactor SniHandler: update whitespace, comment formatting, and consistent type definitions
+
+- Unified inline comment style and spacing in SniHandler
+- Refactored session cache type declaration for clarity
+- Adjusted buffer length calculations to include TLS record header consistently
+- Minor improvements to logging messages during ClientHello reassembly and SNI extraction
+
+## 2025-03-12 - 3.41.5 - fix(portproxy)
+Enforce TLS handshake and SNI validation on port 443 by blocking non-TLS connections and terminating session resumption attempts without SNI when allowSessionTicket is disabled.
+
+- Added explicit check to block non-TLS connections on port 443 to ensure proper TLS usage.
+- Enhanced logging for TLS ClientHello to include details on SNI extraction and session resumption status.
+- Terminate connections with missing SNI by setting termination reasons ('session_ticket_blocked' or 'no_sni_blocked').
+- Ensured consistent rejection of non-TLS handshakes on standard HTTPS port.
+
+## 2025-03-12 - 3.41.4 - fix(tls/sni)
+Improve logging for TLS session resumption by extracting and logging SNI values from ClientHello messages.
+
+- Added logging to output the extracted SNI value during renegotiation, initial ClientHello and in the SNI handler.
+- Enhanced error handling during SNI extraction to aid troubleshooting of TLS session resumption issues.
+
+## 2025-03-12 - 3.41.3 - fix(TLS/SNI)
+Improve TLS session resumption handling and logging. Now, session resumption attempts are always logged with details, and connections without a proper SNI are rejected when allowSessionTicket is disabled. In addition, empty SNI extensions are explicitly treated as missing, ensuring stricter and more consistent TLS handshake validation.
+
+- Always log session resumption in both renegotiation and initial ClientHello processing.
+- Terminate connections that attempt session resumption without SNI when allowSessionTicket is false.
+- Treat empty SNI extensions as absence of SNI to improve consistency in TLS handshake processing.
+
+## 2025-03-11 - 3.41.2 - fix(SniHandler)
+Refactor hasSessionResumption to return detailed session resumption info
+
+- Changed the return type of hasSessionResumption from boolean to an object with properties isResumption and hasSNI
+- Updated early return conditions to return { isResumption: false, hasSNI: false } when buffer is too short or invalid
+- Modified corresponding documentation to reflect the new return type
+
+## 2025-03-11 - 3.41.1 - fix(SniHandler)
+Improve TLS SNI session resumption handling: connections containing a session ticket are now only rejected when no SNI is present and allowSessionTicket is disabled. Updated return values and logging for clearer resumption detection.
+
+- Changed SniHandler.hasSessionResumption to return an object with 'isResumption' and 'hasSNI' flags.
+- Adjusted PortProxy logic to only terminate connections when a session ticket is detected without an accompanying SNI (when allowSessionTicket is false).
+- Enhanced debug logging to clearly differentiate between session resumption scenarios with and without SNI.
+
+## 2025-03-11 - 3.41.0 - feat(PortProxy/TLS)
+Add allowSessionTicket option to control TLS session ticket handling
+
+- Introduce 'allowSessionTicket' flag (default true) in PortProxy settings to enable or disable TLS session resumption via session tickets.
+- Update SniHandler with a new hasSessionResumption method to detect session ticket and PSK extensions in ClientHello messages.
+- Force connection cleanup during renegotiation and initial handshake when allowSessionTicket is set to false and a session ticket is detected.
+
+## 2025-03-11 - 3.40.0 - feat(SniHandler)
+Add session cache support and tab reactivation detection to improve SNI extraction in TLS handshakes
+
+- Introduce a session cache mechanism to store and retrieve cached SNI values based on client IP (and optionally client random) to better handle tab reactivation scenarios.
+- Implement functions to initialize, update, and clean up the session cache for TLS ClientHello messages.
+- Enhance SNI extraction logic to check for tab reactivation handshakes and to return cached SNI for resumed connections or 0-RTT scenarios.
+- Update PSK extension handling to safely skip over obfuscated ticket age bytes.
+
+## 2025-03-11 - 3.39.0 - feat(PortProxy)
+Add domain-specific NetworkProxy integration support to PortProxy
+
+- Introduced new properties 'useNetworkProxy' and 'networkProxyPort' in domain configurations.
+- Updated forwardToNetworkProxy to accept an optional custom proxy port parameter.
+- Enhanced TLS handshake processing to extract SNI and, if a matching domain config specifies NetworkProxy usage, forward the connection using the domain-specific port.
+- Refined connection routing logic to check for domain-specific NetworkProxy settings before falling back to default behavior.
+
+## 2025-03-11 - 3.38.2 - fix(core)
+No code changes detected; bumping patch version for consistency.
+
+
+## 2025-03-11 - 3.38.1 - fix(PortProxy)
+Improve SNI extraction handling in PortProxy by passing explicit connection info to extractSNIWithResumptionSupport for better TLS renegotiation and debug logging.
+
+- In the renegotiation handler, create and pass a connection info object (sourceIp, sourcePort, destIp, destPort) instead of a boolean flag.
+- Update the TLS handshake processing to construct a connection info object for detailed SNI extraction and logging.
+- Enhance consistency by using processTlsPacket with cached SNI hints during fallback.
+
+## 2025-03-11 - 3.38.0 - feat(SniHandler)
+Enhance SNI extraction to support fragmented ClientHello messages, TLS 1.3 early data, and improved PSK parsing
+
+- Added isTlsApplicationData method for detecting TLS application data packets
+- Implemented handleFragmentedClientHello to buffer and reassemble fragmented ClientHello messages
+- Extended extractSNIWithResumptionSupport to accept connection information and use reassembled data
+- Added detection for TLS 1.3 early data (0-RTT) in the ClientHello, supporting session resumption scenarios
+- Improved logging and heuristics for handling potential connection racing in modern browsers
+
+## 2025-03-11 - 3.37.3 - fix(snihandler)
+Enhance SNI extraction to support TLS 1.3 PSK-based session resumption by adding a dedicated extractSNIFromPSKExtension method and improved logging for session resumption indicators.
+
+- Defined TLS_PSK_EXTENSION_TYPE and TLS_PSK_KE_MODES_EXTENSION_TYPE constants.
+- Added extractSNIFromPSKExtension method to handle ClientHello messages containing PSK identities.
+- Improved logging to indicate when session resumption indicators (ticket or PSK) are present but no standard SNI is found.
+- Enhanced extractSNIWithResumptionSupport to attempt PSK extraction if standard SNI extraction fails.
+
+## 2025-03-11 - 3.37.2 - fix(PortProxy)
+Improve buffering and data handling during connection setup in PortProxy to prevent data loss
+
+- Added a safeDataHandler and processDataQueue to buffer incoming data reliably during the TLS handshake phase
+- Introduced a queue with pause/resume logic to avoid exceeding maxPendingDataSize and ensure all pending data is flushed before piping begins
+- Refactored the piping setup to install the renegotiation handler only after proper data flushing
+
+## 2025-03-11 - 3.37.1 - fix(PortProxy/SNI)
+Refactor SNI extraction in PortProxy to use the dedicated SniHandler class
+
+- Removed local SNI extraction and handshake detection functions from classes.portproxy.ts
+- Introduced a standalone SniHandler class in ts/classes.snihandler.ts for robust SNI extraction and improved logging
+- Replaced inlined calls to isTlsHandshake and extractSNI with calls to SniHandler methods
+- Ensured consistency in handling TLS ClientHello messages across the codebase
+
 ## 2025-03-11 - 3.37.0 - feat(portproxy)
 Add ACME certificate management options to PortProxy, update ACME settings handling, and bump dependency versions
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "3.37.0",
+  "version": "3.41.6",
   "private": false,
   "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.37.0',
+  version: '3.41.6',
   description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
 }

ts/classes.portproxy.ts

@@ -1,5 +1,6 @@
 import * as plugins from './plugins.js';
 import { NetworkProxy } from './classes.networkproxy.js';
+import { SniHandler } from './classes.snihandler.js';
 
 /** Domain configuration with per-domain allowed port ranges */
 export interface IDomainConfig {
@@ -10,6 +11,10 @@ export interface IDomainConfig {
   portRanges?: Array<{ from: number; to: number }>; // Optional port ranges
   // Allow domain-specific timeout override
   connectionTimeout?: number; // Connection timeout override (ms)
+  
+  // NetworkProxy integration options for this specific domain
+  useNetworkProxy?: boolean; // Whether to use NetworkProxy for this domain
+  networkProxyPort?: number; // Override default NetworkProxy port for this domain
 }
 
 /** Port proxy settings including global allowed port ranges */
@@ -46,6 +51,7 @@ export interface IPortProxySettings extends plugins.tls.TlsOptions {
   enableDetailedLogging?: boolean; // Enable detailed connection logging
   enableTlsDebugLogging?: boolean; // Enable TLS handshake debug logging
   enableRandomizedTimeouts?: boolean; // Randomize timeouts slightly to prevent thundering herd
+  allowSessionTicket?: boolean; // Allow TLS session ticket for reconnection (default: true)
 
   // Rate limiting and security
   maxConnectionsPerIP?: number; // Maximum simultaneous connections from a single IP
@@ -117,192 +123,8 @@ interface IConnectionRecord {
   domainSwitches?: number; // Number of times the domain has been switched on this connection
 }
 
-/**
+// SNI functions are now imported from SniHandler class
- * Extracts the SNI (Server Name Indication) from a TLS ClientHello packet.
+// No need for wrapper functions
- * Enhanced for robustness and detailed logging.
- * @param buffer - Buffer containing the TLS ClientHello.
- * @param enableLogging - Whether to enable detailed logging.
- * @returns The server name if found, otherwise undefined.
- */
-function extractSNI(buffer: Buffer, enableLogging: boolean = false): string | undefined {
-  try {
-    // Check if buffer is too small for TLS
-    if (buffer.length < 5) {
-      if (enableLogging) console.log('Buffer too small for TLS header');
-      return undefined;
-    }
-
-    // Check record type (has to be handshake - 22)
-    const recordType = buffer.readUInt8(0);
-    if (recordType !== 22) {
-      if (enableLogging) console.log(`Not a TLS handshake. Record type: ${recordType}`);
-      return undefined;
-    }
-
-    // Check TLS version (has to be 3.1 or higher)
-    const majorVersion = buffer.readUInt8(1);
-    const minorVersion = buffer.readUInt8(2);
-    if (enableLogging) console.log(`TLS Version: ${majorVersion}.${minorVersion}`);
-
-    // Check record length
-    const recordLength = buffer.readUInt16BE(3);
-    if (buffer.length < 5 + recordLength) {
-      if (enableLogging)
-        console.log(
-          `Buffer too small for TLS record. Expected: ${5 + recordLength}, Got: ${buffer.length}`
-        );
-      return undefined;
-    }
-
-    let offset = 5;
-    const handshakeType = buffer.readUInt8(offset);
-    if (handshakeType !== 1) {
-      if (enableLogging) console.log(`Not a ClientHello. Handshake type: ${handshakeType}`);
-      return undefined;
-    }
-
-    offset += 4; // Skip handshake header (type + length)
-
-    // Client version
-    const clientMajorVersion = buffer.readUInt8(offset);
-    const clientMinorVersion = buffer.readUInt8(offset + 1);
-    if (enableLogging) console.log(`Client Version: ${clientMajorVersion}.${clientMinorVersion}`);
-
-    offset += 2 + 32; // Skip client version and random
-
-    // Session ID
-    const sessionIDLength = buffer.readUInt8(offset);
-    if (enableLogging) console.log(`Session ID Length: ${sessionIDLength}`);
-    offset += 1 + sessionIDLength; // Skip session ID
-
-    // Cipher suites
-    if (offset + 2 > buffer.length) {
-      if (enableLogging) console.log('Buffer too small for cipher suites length');
-      return undefined;
-    }
-    const cipherSuitesLength = buffer.readUInt16BE(offset);
-    if (enableLogging) console.log(`Cipher Suites Length: ${cipherSuitesLength}`);
-    offset += 2 + cipherSuitesLength; // Skip cipher suites
-
-    // Compression methods
-    if (offset + 1 > buffer.length) {
-      if (enableLogging) console.log('Buffer too small for compression methods length');
-      return undefined;
-    }
-    const compressionMethodsLength = buffer.readUInt8(offset);
-    if (enableLogging) console.log(`Compression Methods Length: ${compressionMethodsLength}`);
-    offset += 1 + compressionMethodsLength; // Skip compression methods
-
-    // Extensions
-    if (offset + 2 > buffer.length) {
-      if (enableLogging) console.log('Buffer too small for extensions length');
-      return undefined;
-    }
-    const extensionsLength = buffer.readUInt16BE(offset);
-    if (enableLogging) console.log(`Extensions Length: ${extensionsLength}`);
-    offset += 2;
-    const extensionsEnd = offset + extensionsLength;
-
-    if (extensionsEnd > buffer.length) {
-      if (enableLogging)
-        console.log(
-          `Buffer too small for extensions. Expected end: ${extensionsEnd}, Buffer length: ${buffer.length}`
-        );
-      return undefined;
-    }
-
-    // Parse extensions
-    while (offset + 4 <= extensionsEnd) {
-      const extensionType = buffer.readUInt16BE(offset);
-      const extensionLength = buffer.readUInt16BE(offset + 2);
-
-      if (enableLogging)
-        console.log(`Extension Type: 0x${extensionType.toString(16)}, Length: ${extensionLength}`);
-
-      offset += 4;
-
-      if (extensionType === 0x0000) {
-        // SNI extension
-        if (offset + 2 > buffer.length) {
-          if (enableLogging) console.log('Buffer too small for SNI list length');
-          return undefined;
-        }
-
-        const sniListLength = buffer.readUInt16BE(offset);
-        if (enableLogging) console.log(`SNI List Length: ${sniListLength}`);
-        offset += 2;
-        const sniListEnd = offset + sniListLength;
-
-        if (sniListEnd > buffer.length) {
-          if (enableLogging)
-            console.log(
-              `Buffer too small for SNI list. Expected end: ${sniListEnd}, Buffer length: ${buffer.length}`
-            );
-          return undefined;
-        }
-
-        while (offset + 3 < sniListEnd) {
-          const nameType = buffer.readUInt8(offset++);
-          const nameLen = buffer.readUInt16BE(offset);
-          offset += 2;
-
-          if (enableLogging) console.log(`Name Type: ${nameType}, Name Length: ${nameLen}`);
-
-          if (nameType === 0) {
-            // host_name
-            if (offset + nameLen > buffer.length) {
-              if (enableLogging)
-                console.log(
-                  `Buffer too small for hostname. Expected: ${offset + nameLen}, Got: ${
-                    buffer.length
-                  }`
-                );
-              return undefined;
-            }
-
-            const serverName = buffer.toString('utf8', offset, offset + nameLen);
-            if (enableLogging) console.log(`Extracted SNI: ${serverName}`);
-            return serverName;
-          }
-
-          offset += nameLen;
-        }
-        break;
-      } else {
-        offset += extensionLength;
-      }
-    }
-
-    if (enableLogging) console.log('No SNI extension found');
-    return undefined;
-  } catch (err) {
-    console.log(`Error extracting SNI: ${err}`);
-    return undefined;
-  }
-}
-
-/**
- * Checks if a TLS record is a proper ClientHello message (more accurate than just checking record type)
- * @param buffer - Buffer containing the TLS record
- * @returns true if the buffer contains a proper ClientHello message
- */
-function isClientHello(buffer: Buffer): boolean {
-  try {
-    if (buffer.length < 9) return false; // Too small for a proper ClientHello
-
-    // Check record type (has to be handshake - 22)
-    if (buffer.readUInt8(0) !== 22) return false;
-
-    // After the TLS record header (5 bytes), check the handshake type (1 for ClientHello)
-    if (buffer.readUInt8(5) !== 1) return false;
-
-    // Basic checks passed, this appears to be a ClientHello
-    return true;
-  } catch (err) {
-    console.log(`Error checking for ClientHello: ${err}`);
-    return false;
-  }
-}
 
 // Helper: Check if a port falls within any of the given port ranges
 const isPortInRanges = (port: number, ranges: Array<{ from: number; to: number }>): boolean => {
@@ -346,10 +168,7 @@ const generateConnectionId = (): string => {
   return Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
 };
 
-// Helper: Check if a buffer contains a TLS handshake
+// SNI functions are now imported from SniHandler class
-const isTlsHandshake = (buffer: Buffer): boolean => {
-  return buffer.length > 0 && buffer[0] === 22; // ContentType.handshake
-};
 
 // Helper: Ensure timeout values don't exceed Node.js max safe integer
 const ensureSafeTimeout = (timeout: number): number => {
@@ -418,6 +237,8 @@ export class PortProxy {
       enableDetailedLogging: settingsArg.enableDetailedLogging || false,
       enableTlsDebugLogging: settingsArg.enableTlsDebugLogging || false,
       enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false,
+      allowSessionTicket: settingsArg.allowSessionTicket !== undefined 
+                         ? settingsArg.allowSessionTicket : true,
 
       // Rate limiting defaults
       maxConnectionsPerIP: settingsArg.maxConnectionsPerIP || 100,
@@ -638,12 +459,14 @@ export class PortProxy {
    * @param socket - The incoming client socket
    * @param record - The connection record
    * @param initialData - Initial data chunk (TLS ClientHello)
+   * @param customProxyPort - Optional custom port for NetworkProxy (for domain-specific settings)
    */
   private forwardToNetworkProxy(
     connectionId: string,
     socket: plugins.net.Socket,
     record: IConnectionRecord,
-    initialData: Buffer
+    initialData: Buffer,
+    customProxyPort?: number
   ): void {
     // Ensure NetworkProxy is initialized
     if (!this.networkProxy) {
@@ -661,7 +484,8 @@ export class PortProxy {
       );
     }
 
-    const proxyPort = this.networkProxy.getListeningPort();
+    // Use the custom port if provided, otherwise use the default NetworkProxy port
+    const proxyPort = customProxyPort || this.networkProxy.getListeningPort();
     const proxyHost = 'localhost'; // Assuming NetworkProxy runs locally
 
     if (this.settings.enableDetailedLogging) {
@@ -752,44 +576,104 @@ export class PortProxy {
       connectionOptions.localAddress = record.remoteIP.replace('::ffff:', '');
     }
 
+    // Create a safe queue for incoming data using a Buffer array
+    // We'll use this to ensure we don't lose data during handler transitions
+    const dataQueue: Buffer[] = [];
+    let queueSize = 0;
+    let processingQueue = false;
+    let drainPending = false;
+    
+    // Flag to track if we've switched to the final piping mechanism
+    // Once this is true, we no longer buffer data in dataQueue
+    let pipingEstablished = false;
+    
     // Pause the incoming socket to prevent buffer overflows
+    // This ensures we control the flow of data until piping is set up
     socket.pause();
 
-    // Temporary handler to collect data during connection setup
+    // Function to safely process the data queue without losing events
-    const tempDataHandler = (chunk: Buffer) => {
+    const processDataQueue = () => {
-      // Track bytes received
+      if (processingQueue || dataQueue.length === 0 || pipingEstablished) return;
-      record.bytesReceived += chunk.length;
+      
+      processingQueue = true;
+      
+      try {
+        // Process all queued chunks with the current active handler
+        while (dataQueue.length > 0) {
+          const chunk = dataQueue.shift()!;
+          queueSize -= chunk.length;
+          
+          // Once piping is established, we shouldn't get here,
+          // but just in case, pass to the outgoing socket directly
+          if (pipingEstablished && record.outgoing) {
+            record.outgoing.write(chunk);
+            continue;
+          }
+          
+          // Track bytes received
+          record.bytesReceived += chunk.length;
 
-      // Check for TLS handshake
+          // Check for TLS handshake
-      if (!record.isTLS && isTlsHandshake(chunk)) {
+          if (!record.isTLS && SniHandler.isTlsHandshake(chunk)) {
-        record.isTLS = true;
+            record.isTLS = true;
 
-        if (this.settings.enableTlsDebugLogging) {
+            if (this.settings.enableTlsDebugLogging) {
-          console.log(
+              console.log(
-            `[${connectionId}] TLS handshake detected in tempDataHandler, ${chunk.length} bytes`
+                `[${connectionId}] TLS handshake detected in tempDataHandler, ${chunk.length} bytes`
-          );
+              );
+            }
+          }
+
+          // Check if adding this chunk would exceed the buffer limit
+          const newSize = record.pendingDataSize + chunk.length;
+
+          if (this.settings.maxPendingDataSize && newSize > this.settings.maxPendingDataSize) {
+            console.log(
+              `[${connectionId}] Buffer limit exceeded for connection from ${record.remoteIP}: ${newSize} bytes > ${this.settings.maxPendingDataSize} bytes`
+            );
+            socket.end(); // Gracefully close the socket
+            this.initiateCleanupOnce(record, 'buffer_limit_exceeded');
+            return;
+          }
+
+          // Buffer the chunk and update the size counter
+          record.pendingData.push(Buffer.from(chunk));
+          record.pendingDataSize = newSize;
+          this.updateActivity(record);
+        }
+      } finally {
+        processingQueue = false;
+        
+        // If there's a pending drain and we've processed everything,
+        // signal we're ready for more data if we haven't established piping yet
+        if (drainPending && dataQueue.length === 0 && !pipingEstablished) {
+          drainPending = false;
+          socket.resume();
         }
       }
-
-      // Check if adding this chunk would exceed the buffer limit
-      const newSize = record.pendingDataSize + chunk.length;
-
-      if (this.settings.maxPendingDataSize && newSize > this.settings.maxPendingDataSize) {
-        console.log(
-          `[${connectionId}] Buffer limit exceeded for connection from ${record.remoteIP}: ${newSize} bytes > ${this.settings.maxPendingDataSize} bytes`
-        );
-        socket.end(); // Gracefully close the socket
-        return this.initiateCleanupOnce(record, 'buffer_limit_exceeded');
-      }
-
-      // Buffer the chunk and update the size counter
-      record.pendingData.push(Buffer.from(chunk));
-      record.pendingDataSize = newSize;
-      this.updateActivity(record);
     };
 
-    // Add the temp handler to capture all incoming data during connection setup
+    // Unified data handler that safely queues incoming data
-    socket.on('data', tempDataHandler);
+    const safeDataHandler = (chunk: Buffer) => {
+      // If piping is already established, just let the pipe handle it
+      if (pipingEstablished) return;
+      
+      // Add to our queue for orderly processing
+      dataQueue.push(Buffer.from(chunk)); // Make a copy to be safe
+      queueSize += chunk.length;
+      
+      // If queue is getting large, pause socket until we catch up
+      if (this.settings.maxPendingDataSize && queueSize > this.settings.maxPendingDataSize * 0.8) {
+        socket.pause();
+        drainPending = true;
+      }
+      
+      // Process the queue
+      processDataQueue();
+    };
+
+    // Add our safe data handler
+    socket.on('data', safeDataHandler);
 
     // Add initial chunk to pending data if present
     if (initialChunk) {
@@ -962,56 +846,32 @@ export class PortProxy {
       // Add the normal error handler for established connections
       targetSocket.on('error', this.handleError('outgoing', record));
 
-      // Remove temporary data handler
+      // Process any remaining data in the queue before switching to piping
-      socket.removeListener('data', tempDataHandler);
+      processDataQueue();
-
+      
-      // Flush all pending data to target
+      // Setup function to establish piping - we'll use this after flushing data
-      if (record.pendingData.length > 0) {
+      const setupPiping = () => {
-        const combinedData = Buffer.concat(record.pendingData);
+        // Mark that we're switching to piping mode
-        targetSocket.write(combinedData, (err) => {
+        pipingEstablished = true;
-          if (err) {
+        
-            console.log(`[${connectionId}] Error writing pending data to target: ${err.message}`);
+        // Setup piping in both directions
-            return this.initiateCleanupOnce(record, 'write_error');
-          }
-
-          // Now set up piping for future data and resume the socket
-          socket.pipe(targetSocket);
-          targetSocket.pipe(socket);
-          socket.resume(); // Resume the socket after piping is established
-
-          if (this.settings.enableDetailedLogging) {
-            console.log(
-              `[${connectionId}] Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
-                `${
-                  serverName
-                    ? ` (SNI: ${serverName})`
-                    : domainConfig
-                    ? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
-                    : ''
-                }` +
-                ` TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${
-                  record.hasKeepAlive ? 'Yes' : 'No'
-                }`
-            );
-          } else {
-            console.log(
-              `Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
-                `${
-                  serverName
-                    ? ` (SNI: ${serverName})`
-                    : domainConfig
-                    ? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
-                    : ''
-                }`
-            );
-          }
-        });
-      } else {
-        // No pending data, so just set up piping
         socket.pipe(targetSocket);
         targetSocket.pipe(socket);
-        socket.resume(); // Resume the socket after piping is established
+        
-
+        // Resume the socket to ensure data flows
+        socket.resume();
+        
+        // Process any data that might be queued in the interim
+        if (dataQueue.length > 0) {
+          // Write any remaining queued data directly to the target socket
+          for (const chunk of dataQueue) {
+            targetSocket.write(chunk);
+          }
+          // Clear the queue
+          dataQueue.length = 0;
+          queueSize = 0;
+        }
+          
         if (this.settings.enableDetailedLogging) {
           console.log(
             `[${connectionId}] Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
@@ -1038,6 +898,23 @@ export class PortProxy {
               }`
           );
         }
+      };
+
+      // Flush all pending data to target
+      if (record.pendingData.length > 0) {
+        const combinedData = Buffer.concat(record.pendingData);
+        targetSocket.write(combinedData, (err) => {
+          if (err) {
+            console.log(`[${connectionId}] Error writing pending data to target: ${err.message}`);
+            return this.initiateCleanupOnce(record, 'write_error');
+          }
+
+          // Establish piping now that we've flushed the buffered data
+          setupPiping();
+        });
+      } else {
+        // No pending data, just establish piping immediately
+        setupPiping();
       }
 
       // Clear the buffer now that we've processed it
@@ -1045,14 +922,58 @@ export class PortProxy {
       record.pendingDataSize = 0;
 
       // Add the renegotiation handler for SNI validation with strict domain enforcement
+      // This will be called after we've established piping
       if (serverName) {
         // Define a handler for checking renegotiation with improved detection
         const renegotiationHandler = (renegChunk: Buffer) => {
           // Only process if this looks like a TLS ClientHello
-          if (isClientHello(renegChunk)) {
+          if (SniHandler.isClientHello(renegChunk)) {
             try {
               // Extract SNI from ClientHello
-              const newSNI = extractSNI(renegChunk, this.settings.enableTlsDebugLogging);
+              // Create a connection info object for the existing connection
+              const connInfo = {
+                sourceIp: record.remoteIP,
+                sourcePort: record.incoming.remotePort || 0,
+                destIp: record.incoming.localAddress || '',
+                destPort: record.incoming.localPort || 0
+              };
+              
+              // Check for session tickets if allowSessionTicket is disabled
+              if (this.settings.allowSessionTicket === false) {
+                // Analyze for session resumption attempt (session ticket or PSK)
+                const resumptionInfo = SniHandler.hasSessionResumption(renegChunk, this.settings.enableTlsDebugLogging);
+                
+                if (resumptionInfo.isResumption) {
+                  // Always log resumption attempt for easier debugging
+                  // Try to extract SNI for logging
+                  const extractedSNI = SniHandler.extractSNI(renegChunk, this.settings.enableTlsDebugLogging);
+                  console.log(
+                    `[${connectionId}] Session resumption detected in renegotiation. ` +
+                    `Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, ` +
+                    `SNI value: ${extractedSNI || 'None'}, ` +
+                    `allowSessionTicket: ${this.settings.allowSessionTicket}`
+                  );
+                  
+                  // Block if there's session resumption without SNI
+                  if (!resumptionInfo.hasSNI) {
+                    console.log(
+                      `[${connectionId}] Session resumption detected in renegotiation without SNI and allowSessionTicket=false. ` +
+                      `Terminating connection to force new TLS handshake.`
+                    );
+                    this.initiateCleanupOnce(record, 'session_ticket_blocked');
+                    return;
+                  } else {
+                    if (this.settings.enableDetailedLogging) {
+                      console.log(
+                        `[${connectionId}] Session resumption with SNI detected in renegotiation. ` +
+                        `Allowing connection since SNI is present.`
+                      );
+                    }
+                  }
+                }
+              }
+              
+              const newSNI = SniHandler.extractSNIWithResumptionSupport(renegChunk, connInfo, this.settings.enableTlsDebugLogging);
 
               // Skip if no SNI was found
               if (!newSNI) return;
@@ -1081,8 +1002,16 @@ export class PortProxy {
         // Store the handler in the connection record so we can remove it during cleanup
         record.renegotiationHandler = renegotiationHandler;
 
-        // Add the listener
+        // The renegotiation handler is added when piping is established
+        // Making it part of setupPiping ensures proper sequencing of event handlers
         socket.on('data', renegotiationHandler);
+        
+        if (this.settings.enableDetailedLogging) {
+          console.log(`[${connectionId}] TLS renegotiation handler installed for SNI domain: ${serverName}`);
+          if (this.settings.allowSessionTicket === false) {
+            console.log(`[${connectionId}] Session ticket usage is disabled. Connection will be reset on reconnection attempts.`);
+          }
+        }
       }
 
       // Set connection timeout with simpler logic
@@ -1242,13 +1171,16 @@ export class PortProxy {
       const bytesReceived = record.bytesReceived;
       const bytesSent = record.bytesSent;
 
-      // Remove the renegotiation handler if present
+      // Remove all data handlers (both standard and renegotiation) to make sure we clean up properly
-      if (record.renegotiationHandler && record.incoming) {
+      if (record.incoming) {
         try {
-          record.incoming.removeListener('data', record.renegotiationHandler);
+          // Remove our safe data handler
+          record.incoming.removeAllListeners('data');
+          
+          // Reset the handler references
           record.renegotiationHandler = undefined;
         } catch (err) {
-          console.log(`[${record.id}] Error removing renegotiation handler: ${err}`);
+          console.log(`[${record.id}] Error removing data handlers: ${err}`);
         }
       }
 
@@ -1602,9 +1534,12 @@ export class PortProxy {
         );
       }
 
-      // Check if this connection should be forwarded directly to NetworkProxy based on port
+      // Check if this connection should be forwarded directly to NetworkProxy
-      const shouldUseNetworkProxy = this.settings.useNetworkProxy && 
+      // First check port-based forwarding settings
-                                    this.settings.useNetworkProxy.includes(localPort);
+      let shouldUseNetworkProxy = this.settings.useNetworkProxy && 
+                                 this.settings.useNetworkProxy.includes(localPort);
+      
+      // We'll look for domain-specific settings after SNI extraction
 
       if (shouldUseNetworkProxy) {
         // For NetworkProxy ports, we want to capture the TLS handshake and forward directly
@@ -1642,12 +1577,118 @@ export class PortProxy {
 
           initialDataReceived = true;
           connectionRecord.hasReceivedInitialData = true;
+          
+          // Block non-TLS connections on port 443
+          // Always enforce TLS on standard HTTPS port
+          if (!SniHandler.isTlsHandshake(chunk) && localPort === 443) {
+            console.log(
+              `[${connectionId}] Non-TLS connection detected on port 443. ` +
+              `Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
+            );
+            if (connectionRecord.incomingTerminationReason === null) {
+              connectionRecord.incomingTerminationReason = 'non_tls_blocked';
+              this.incrementTerminationStat('incoming', 'non_tls_blocked');
+            }
+            socket.end();
+            this.cleanupConnection(connectionRecord, 'non_tls_blocked');
+            return;
+          }
 
           // Check if this looks like a TLS handshake
-          if (isTlsHandshake(chunk)) {
+          if (SniHandler.isTlsHandshake(chunk)) {
             connectionRecord.isTLS = true;
             
-            // Forward directly to NetworkProxy without SNI processing
+            // Check for TLS ClientHello with either no SNI or session tickets
+            if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
+              // Extract SNI first
+              const extractedSNI = SniHandler.extractSNI(chunk, this.settings.enableTlsDebugLogging);
+              const hasSNI = !!extractedSNI;
+              
+              // Analyze for session resumption attempt
+              const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
+              
+              // Always log for debugging purposes
+              console.log(
+                `[${connectionId}] TLS ClientHello detected with allowSessionTicket=false. ` +
+                `Has SNI: ${hasSNI ? 'Yes' : 'No'}, ` +
+                `SNI value: ${extractedSNI || 'None'}, ` +
+                `Has session resumption: ${resumptionInfo.isResumption ? 'Yes' : 'No'}`
+              );
+              
+              // Block if this is a connection with session resumption but no SNI
+              if (resumptionInfo.isResumption && !hasSNI) {
+                console.log(
+                  `[${connectionId}] Session resumption detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
+                  `Terminating connection to force new TLS handshake.`
+                );
+                if (connectionRecord.incomingTerminationReason === null) {
+                  connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
+                  this.incrementTerminationStat('incoming', 'session_ticket_blocked');
+                }
+                socket.end();
+                this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
+                return;
+              }
+              
+              // Also block if this is a TLS connection without SNI when allowSessionTicket is false
+              // This forces clients to send SNI which helps with routing
+              if (!hasSNI && localPort === 443) {
+                console.log(
+                  `[${connectionId}] TLS ClientHello detected on port 443 without SNI and allowSessionTicket=false. ` +
+                  `Terminating connection to force proper SNI in handshake.`
+                );
+                if (connectionRecord.incomingTerminationReason === null) {
+                  connectionRecord.incomingTerminationReason = 'no_sni_blocked';
+                  this.incrementTerminationStat('incoming', 'no_sni_blocked');
+                }
+                socket.end();
+                this.cleanupConnection(connectionRecord, 'no_sni_blocked');
+                return;
+              }
+            }
+            
+            // Try to extract SNI for domain-specific NetworkProxy handling
+            const connInfo = {
+              sourceIp: remoteIP,
+              sourcePort: socket.remotePort || 0,
+              destIp: socket.localAddress || '',
+              destPort: socket.localPort || 0
+            };
+            
+            // Extract SNI to check for domain-specific NetworkProxy settings
+            const serverName = SniHandler.processTlsPacket(
+              chunk, 
+              connInfo,
+              this.settings.enableTlsDebugLogging
+            );
+            
+            if (serverName) {
+              // If we got an SNI, check for domain-specific NetworkProxy settings
+              const domainConfig = this.settings.domainConfigs.find((config) =>
+                config.domains.some((d) => plugins.minimatch(serverName, d))
+              );
+              
+              // Save domain config and SNI in connection record
+              connectionRecord.domainConfig = domainConfig;
+              connectionRecord.lockedDomain = serverName;
+              
+              // Use domain-specific NetworkProxy port if configured
+              if (domainConfig?.useNetworkProxy) {
+                const networkProxyPort = domainConfig.networkProxyPort || this.settings.networkProxyPort;
+                
+                if (this.settings.enableDetailedLogging) {
+                  console.log(
+                    `[${connectionId}] Using domain-specific NetworkProxy for ${serverName} on port ${networkProxyPort}`
+                  );
+                }
+                
+                // Forward to NetworkProxy with domain-specific port
+                this.forwardToNetworkProxy(connectionId, socket, connectionRecord, chunk, networkProxyPort);
+                return;
+              }
+            }
+            
+            // Forward directly to NetworkProxy without domain-specific settings
             this.forwardToNetworkProxy(connectionId, socket, connectionRecord, chunk);
           } else {
             // If not TLS, use normal direct connection
@@ -1706,7 +1747,7 @@ export class PortProxy {
           this.updateActivity(connectionRecord);
 
           // Check for TLS handshake if this is the first chunk
-          if (!connectionRecord.isTLS && isTlsHandshake(chunk)) {
+          if (!connectionRecord.isTLS && SniHandler.isTlsHandshake(chunk)) {
             connectionRecord.isTLS = true;
 
             if (this.settings.enableTlsDebugLogging) {
@@ -1714,7 +1755,15 @@ export class PortProxy {
                 `[${connectionId}] TLS handshake detected from ${remoteIP}, ${chunk.length} bytes`
               );
               // Try to extract SNI and log detailed debug info
-              extractSNI(chunk, true);
+              // Create connection info for debug logging
+              const debugConnInfo = {
+                sourceIp: remoteIP,
+                sourcePort: socket.remotePort || 0,
+                destIp: socket.localAddress || '',
+                destPort: socket.localPort || 0
+              };
+              
+              SniHandler.extractSNIWithResumptionSupport(chunk, debugConnInfo, true);
             }
           }
         });
@@ -1743,7 +1792,7 @@ export class PortProxy {
           connectionRecord.hasReceivedInitialData = true;
 
           // Check if this looks like a TLS handshake
-          const isTlsHandshakeDetected = initialChunk && isTlsHandshake(initialChunk);
+          const isTlsHandshakeDetected = initialChunk && SniHandler.isTlsHandshake(initialChunk);
           if (isTlsHandshakeDetected) {
             connectionRecord.isTLS = true;
 
@@ -1765,6 +1814,29 @@ export class PortProxy {
 
           // Save domain config in connection record
           connectionRecord.domainConfig = domainConfig;
+          
+          // Check if this domain should use NetworkProxy (domain-specific setting)
+          if (domainConfig?.useNetworkProxy && this.networkProxy) {
+            if (this.settings.enableDetailedLogging) {
+              console.log(
+                `[${connectionId}] Domain ${serverName} is configured to use NetworkProxy`
+              );
+            }
+            
+            const networkProxyPort = domainConfig.networkProxyPort || this.settings.networkProxyPort;
+            
+            if (initialChunk && connectionRecord.isTLS) {
+              // For TLS connections with initial chunk, forward to NetworkProxy
+              this.forwardToNetworkProxy(
+                connectionId, 
+                socket, 
+                connectionRecord, 
+                initialChunk,
+                networkProxyPort // Pass the domain-specific NetworkProxy port if configured
+              );
+              return; // Skip normal connection setup
+            }
+          }
 
           // IP validation is skipped if allowedIPs is empty
           if (domainConfig) {
@@ -1908,11 +1980,27 @@ export class PortProxy {
             }
 
             initialDataReceived = true;
+            
+            // Block non-TLS connections on port 443
+            // Always enforce TLS on standard HTTPS port
+            if (!SniHandler.isTlsHandshake(chunk) && localPort === 443) {
+              console.log(
+                `[${connectionId}] Non-TLS connection detected on port 443 in SNI handler. ` +
+                `Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
+              );
+              if (connectionRecord.incomingTerminationReason === null) {
+                connectionRecord.incomingTerminationReason = 'non_tls_blocked';
+                this.incrementTerminationStat('incoming', 'non_tls_blocked');
+              }
+              socket.end();
+              this.cleanupConnection(connectionRecord, 'non_tls_blocked');
+              return;
+            }
 
             // Try to extract SNI
             let serverName = '';
 
-            if (isTlsHandshake(chunk)) {
+            if (SniHandler.isTlsHandshake(chunk)) {
               connectionRecord.isTLS = true;
 
               if (this.settings.enableTlsDebugLogging) {
@@ -1920,8 +2008,62 @@ export class PortProxy {
                   `[${connectionId}] Extracting SNI from TLS handshake, ${chunk.length} bytes`
                 );
               }
+              
+              // Check for session tickets if allowSessionTicket is disabled
+              if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
+                // Analyze for session resumption attempt
+                const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
+                
+                if (resumptionInfo.isResumption) {
+                  // Always log resumption attempt for easier debugging
+                  // Try to extract SNI for logging
+                  const extractedSNI = SniHandler.extractSNI(chunk, this.settings.enableTlsDebugLogging);
+                  console.log(
+                    `[${connectionId}] Session resumption detected in SNI handler. ` +
+                    `Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, ` +
+                    `SNI value: ${extractedSNI || 'None'}, ` +
+                    `allowSessionTicket: ${this.settings.allowSessionTicket}`
+                  );
+                  
+                  // Block if there's session resumption without SNI
+                  if (!resumptionInfo.hasSNI) {
+                    console.log(
+                      `[${connectionId}] Session resumption detected in SNI handler without SNI and allowSessionTicket=false. ` +
+                      `Terminating connection to force new TLS handshake.`
+                    );
+                    if (connectionRecord.incomingTerminationReason === null) {
+                      connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
+                      this.incrementTerminationStat('incoming', 'session_ticket_blocked');
+                    }
+                    socket.end();
+                    this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
+                    return;
+                  } else {
+                    if (this.settings.enableDetailedLogging) {
+                      console.log(
+                        `[${connectionId}] Session resumption with SNI detected in SNI handler. ` +
+                        `Allowing connection since SNI is present.`
+                      );
+                    }
+                  }
+                }
+              }
 
-              serverName = extractSNI(chunk, this.settings.enableTlsDebugLogging) || '';
+              // Create connection info object for SNI extraction
+              const connInfo = {
+                sourceIp: remoteIP,
+                sourcePort: socket.remotePort || 0,
+                destIp: socket.localAddress || '',
+                destPort: socket.localPort || 0
+              };
+              
+              // Use the new processTlsPacket method for comprehensive handling
+              serverName = SniHandler.processTlsPacket(
+                chunk, 
+                connInfo,
+                this.settings.enableTlsDebugLogging,
+                connectionRecord.lockedDomain // Pass any previously negotiated domain as a hint
+              ) || '';
             }
 
             // Lock the connection to the negotiated SNI.

ts/index.ts

@@ -3,3 +3,4 @@ export * from './classes.networkproxy.js';
 export * from './classes.portproxy.js';
 export * from './classes.port80handler.js';
 export * from './classes.sslredirect.js';
+export * from './classes.snihandler.js';