3.41.2

changelog.md

@@ -1,5 +1,26 @@
 # Changelog
 
+## 2025-03-11 - 3.41.2 - fix(SniHandler)
+Refactor hasSessionResumption to return detailed session resumption info
+
+- Changed the return type of hasSessionResumption from boolean to an object with properties isResumption and hasSNI
+- Updated early return conditions to return { isResumption: false, hasSNI: false } when buffer is too short or invalid
+- Modified corresponding documentation to reflect the new return type
+
+## 2025-03-11 - 3.41.1 - fix(SniHandler)
+Improve TLS SNI session resumption handling: connections containing a session ticket are now only rejected when no SNI is present and allowSessionTicket is disabled. Updated return values and logging for clearer resumption detection.
+
+- Changed SniHandler.hasSessionResumption to return an object with 'isResumption' and 'hasSNI' flags.
+- Adjusted PortProxy logic to only terminate connections when a session ticket is detected without an accompanying SNI (when allowSessionTicket is false).
+- Enhanced debug logging to clearly differentiate between session resumption scenarios with and without SNI.
+
+## 2025-03-11 - 3.41.0 - feat(PortProxy/TLS)
+Add allowSessionTicket option to control TLS session ticket handling
+
+- Introduce 'allowSessionTicket' flag (default true) in PortProxy settings to enable or disable TLS session resumption via session tickets.
+- Update SniHandler with a new hasSessionResumption method to detect session ticket and PSK extensions in ClientHello messages.
+- Force connection cleanup during renegotiation and initial handshake when allowSessionTicket is set to false and a session ticket is detected.
+
 ## 2025-03-11 - 3.40.0 - feat(SniHandler)
 Add session cache support and tab reactivation detection to improve SNI extraction in TLS handshakes
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "3.40.0",
+  "version": "3.41.2",
   "private": false,
   "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.40.0',
+  version: '3.41.2',
   description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
 }

ts/classes.portproxy.ts

@@ -51,6 +51,7 @@ export interface IPortProxySettings extends plugins.tls.TlsOptions {
   enableDetailedLogging?: boolean; // Enable detailed connection logging
   enableTlsDebugLogging?: boolean; // Enable TLS handshake debug logging
   enableRandomizedTimeouts?: boolean; // Randomize timeouts slightly to prevent thundering herd
+  allowSessionTicket?: boolean; // Allow TLS session ticket for reconnection (default: true)
 
   // Rate limiting and security
   maxConnectionsPerIP?: number; // Maximum simultaneous connections from a single IP
@@ -236,6 +237,8 @@ export class PortProxy {
       enableDetailedLogging: settingsArg.enableDetailedLogging || false,
       enableTlsDebugLogging: settingsArg.enableTlsDebugLogging || false,
       enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false,
+      allowSessionTicket: settingsArg.allowSessionTicket !== undefined 
+                         ? settingsArg.allowSessionTicket : true,
 
       // Rate limiting defaults
       maxConnectionsPerIP: settingsArg.maxConnectionsPerIP || 100,
@@ -935,6 +938,29 @@ export class PortProxy {
                 destPort: record.incoming.localPort || 0
               };
               
+              // Check for session tickets if allowSessionTicket is disabled
+              if (this.settings.allowSessionTicket === false) {
+                // Analyze for session resumption attempt (session ticket or PSK)
+                const resumptionInfo = SniHandler.hasSessionResumption(renegChunk, this.settings.enableTlsDebugLogging);
+                
+                // Only block if there's a session ticket without SNI
+                if (resumptionInfo.isResumption && !resumptionInfo.hasSNI) {
+                  console.log(
+                    `[${connectionId}] Session ticket detected in renegotiation without SNI and allowSessionTicket=false. ` +
+                    `Terminating connection to force new TLS handshake.`
+                  );
+                  this.initiateCleanupOnce(record, 'session_ticket_blocked');
+                  return;
+                } else if (resumptionInfo.isResumption && resumptionInfo.hasSNI) {
+                  if (this.settings.enableTlsDebugLogging) {
+                    console.log(
+                      `[${connectionId}] Session ticket with SNI detected in renegotiation. ` +
+                      `Allowing connection since SNI is present.`
+                    );
+                  }
+                }
+              }
+              
               const newSNI = SniHandler.extractSNIWithResumptionSupport(renegChunk, connInfo, this.settings.enableTlsDebugLogging);
 
               // Skip if no SNI was found
@@ -970,6 +996,9 @@ export class PortProxy {
         
         if (this.settings.enableDetailedLogging) {
           console.log(`[${connectionId}] TLS renegotiation handler installed for SNI domain: ${serverName}`);
+          if (this.settings.allowSessionTicket === false) {
+            console.log(`[${connectionId}] Session ticket usage is disabled. Connection will be reset on reconnection attempts.`);
+          }
         }
       }
 
@@ -1541,6 +1570,34 @@ export class PortProxy {
           if (SniHandler.isTlsHandshake(chunk)) {
             connectionRecord.isTLS = true;
             
+            // Check for session tickets if allowSessionTicket is disabled
+            if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
+              // Analyze for session resumption attempt
+              const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
+              
+              // Only block if there's a session ticket without SNI
+              if (resumptionInfo.isResumption && !resumptionInfo.hasSNI) {
+                console.log(
+                  `[${connectionId}] Session ticket detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
+                  `Terminating connection to force new TLS handshake.`
+                );
+                if (connectionRecord.incomingTerminationReason === null) {
+                  connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
+                  this.incrementTerminationStat('incoming', 'session_ticket_blocked');
+                }
+                socket.end();
+                this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
+                return;
+              } else if (resumptionInfo.isResumption && resumptionInfo.hasSNI) {
+                if (this.settings.enableTlsDebugLogging) {
+                  console.log(
+                    `[${connectionId}] Session ticket with SNI detected in initial ClientHello. ` +
+                    `Allowing connection since SNI is present.`
+                  );
+                }
+              }
+            }
+            
             // Try to extract SNI for domain-specific NetworkProxy handling
             const connInfo = {
               sourceIp: remoteIP,
@@ -1887,6 +1944,34 @@ export class PortProxy {
                 );
               }
               
+              // Check for session tickets if allowSessionTicket is disabled
+              if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
+                // Analyze for session resumption attempt
+                const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
+                
+                // Only block if there's a session ticket without SNI
+                if (resumptionInfo.isResumption && !resumptionInfo.hasSNI) {
+                  console.log(
+                    `[${connectionId}] Session ticket detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
+                    `Terminating connection to force new TLS handshake.`
+                  );
+                  if (connectionRecord.incomingTerminationReason === null) {
+                    connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
+                    this.incrementTerminationStat('incoming', 'session_ticket_blocked');
+                  }
+                  socket.end();
+                  this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
+                  return;
+                } else if (resumptionInfo.isResumption && resumptionInfo.hasSNI) {
+                  if (this.settings.enableTlsDebugLogging) {
+                    console.log(
+                      `[${connectionId}] Session ticket with SNI detected in initial ClientHello. ` +
+                      `Allowing connection since SNI is present.`
+                    );
+                  }
+                }
+              }
+
               // Create connection info object for SNI extraction
               const connInfo = {
                 sourceIp: remoteIP,

ts/classes.snihandler.ts

@@ -279,6 +279,175 @@ export class SniHandler {
     return buffer[5] === this.TLS_CLIENT_HELLO_HANDSHAKE_TYPE;
   }
 
+  /**
+   * Checks if a ClientHello message contains session resumption indicators
+   * such as session tickets or PSK (Pre-Shared Key) extensions.
+   * 
+   * @param buffer - The buffer containing a ClientHello message
+   * @param enableLogging - Whether to enable logging
+   * @returns Object containing details about session resumption and SNI presence
+   */
+  public static hasSessionResumption(
+    buffer: Buffer,
+    enableLogging: boolean = false
+  ): { isResumption: boolean; hasSNI: boolean } {
+    const log = (message: string) => {
+      if (enableLogging) {
+        console.log(`[Session Resumption] ${message}`);
+      }
+    };
+    
+    if (!this.isClientHello(buffer)) {
+      return { isResumption: false, hasSNI: false };
+    }
+    
+    try {
+      // Check for session ID presence first
+      let pos = 5 + 1 + 3 + 2; // Position after handshake type, length and client version
+      pos += 32; // Skip client random
+      
+      if (pos + 1 > buffer.length) return { isResumption: false, hasSNI: false };
+      
+      const sessionIdLength = buffer[pos];
+      let hasNonEmptySessionId = sessionIdLength > 0;
+      
+      if (hasNonEmptySessionId) {
+        log(`Detected non-empty session ID (length: ${sessionIdLength})`);
+      }
+      
+      // Continue to check for extensions
+      pos += 1 + sessionIdLength;
+      
+      // Skip cipher suites
+      if (pos + 2 > buffer.length) return { isResumption: false, hasSNI: false };
+      const cipherSuitesLength = (buffer[pos] << 8) + buffer[pos + 1];
+      pos += 2 + cipherSuitesLength;
+      
+      // Skip compression methods
+      if (pos + 1 > buffer.length) return { isResumption: false, hasSNI: false };
+      const compressionMethodsLength = buffer[pos];
+      pos += 1 + compressionMethodsLength;
+      
+      // Check for extensions
+      if (pos + 2 > buffer.length) return { isResumption: false, hasSNI: false };
+      
+      // Look for session resumption extensions
+      const extensionsLength = (buffer[pos] << 8) + buffer[pos + 1];
+      pos += 2;
+      
+      // Extensions end position
+      const extensionsEnd = pos + extensionsLength;
+      if (extensionsEnd > buffer.length) return { isResumption: false, hasSNI: false };
+      
+      // Track resumption indicators
+      let hasSessionTicket = false;
+      let hasPSK = false;
+      let hasEarlyData = false;
+      
+      // Iterate through extensions
+      while (pos + 4 <= extensionsEnd) {
+        const extensionType = (buffer[pos] << 8) + buffer[pos + 1];
+        pos += 2;
+        
+        const extensionLength = (buffer[pos] << 8) + buffer[pos + 1];
+        pos += 2;
+        
+        if (extensionType === this.TLS_SESSION_TICKET_EXTENSION_TYPE) {
+          log('Found session ticket extension');
+          hasSessionTicket = true;
+          
+          // Check if session ticket has non-zero length (active ticket)
+          if (extensionLength > 0) {
+            log(`Session ticket has length ${extensionLength} - active ticket present`);
+          }
+        } else if (extensionType === this.TLS_PSK_EXTENSION_TYPE) {
+          log('Found PSK extension (TLS 1.3 resumption mechanism)');
+          hasPSK = true;
+        } else if (extensionType === this.TLS_EARLY_DATA_EXTENSION_TYPE) {
+          log('Found Early Data extension (TLS 1.3 0-RTT)');
+          hasEarlyData = true;
+        }
+        
+        // Skip extension data
+        pos += extensionLength;
+      }
+      
+      // Check if SNI is included
+      let hasSNI = false;
+      
+      // Reset position and scan again for SNI extension
+      pos = 5 + 1 + 3 + 2; // Reset to after handshake type, length and client version
+      pos += 32; // Skip client random
+      
+      if (pos + 1 <= buffer.length) {
+        const sessionIdLength = buffer[pos];
+        pos += 1 + sessionIdLength;
+        
+        // Skip cipher suites
+        if (pos + 2 <= buffer.length) {
+          const cipherSuitesLength = (buffer[pos] << 8) + buffer[pos + 1];
+          pos += 2 + cipherSuitesLength;
+          
+          // Skip compression methods
+          if (pos + 1 <= buffer.length) {
+            const compressionMethodsLength = buffer[pos];
+            pos += 1 + compressionMethodsLength;
+            
+            // Check for extensions
+            if (pos + 2 <= buffer.length) {
+              const extensionsLength = (buffer[pos] << 8) + buffer[pos + 1];
+              pos += 2;
+              
+              // Extensions end position
+              const extensionsEnd = pos + extensionsLength;
+              if (extensionsEnd <= buffer.length) {
+                // Scan for SNI extension
+                while (pos + 4 <= extensionsEnd) {
+                  const extensionType = (buffer[pos] << 8) + buffer[pos + 1];
+                  pos += 2;
+                  
+                  const extensionLength = (buffer[pos] << 8) + buffer[pos + 1];
+                  pos += 2;
+                  
+                  if (extensionType === this.TLS_SNI_EXTENSION_TYPE) {
+                    hasSNI = true;
+                    log('Found SNI extension');
+                    break;
+                  }
+                  
+                  // Skip extension data
+                  pos += extensionLength;
+                }
+              }
+            }
+          }
+        }
+      }
+      
+      // Consider it a resumption if any resumption mechanism is present
+      const isResumption = hasSessionTicket || hasPSK || hasEarlyData || 
+                         (hasNonEmptySessionId && !hasPSK); // Legacy resumption
+      
+      if (isResumption) {
+        log('Session resumption detected: ' + 
+            (hasSessionTicket ? 'session ticket, ' : '') +
+            (hasPSK ? 'PSK, ' : '') +
+            (hasEarlyData ? 'early data, ' : '') +
+            (hasNonEmptySessionId ? 'session ID' : '') +
+            (hasSNI ? ', with SNI' : ', without SNI'));
+      }
+      
+      // Return an object with both flags
+      return { 
+        isResumption, 
+        hasSNI 
+      };
+    } catch (error) {
+      log(`Error checking for session resumption: ${error}`);
+      return { isResumption: false, hasSNI: false };
+    }
+  }
+  
   /**
    * Detects characteristics of a tab reactivation TLS handshake
    * These often have specific patterns in Chrome and other browsers