Compare commits
6 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 156abbf5b4 | |||
| 1a90566622 | |||
| b48b90d613 | |||
| 124f8d48b7 | |||
| b2a57ada5d | |||
| 62a3e1f4b7 |
21
changelog.md
21
changelog.md
@ -1,5 +1,26 @@
|
||||
# Changelog
|
||||
|
||||
## 2025-03-12 - 3.41.3 - fix(TLS/SNI)
|
||||
Improve TLS session resumption handling and logging. Now, session resumption attempts are always logged with details, and connections without a proper SNI are rejected when allowSessionTicket is disabled. In addition, empty SNI extensions are explicitly treated as missing, ensuring stricter and more consistent TLS handshake validation.
|
||||
|
||||
- Always log session resumption in both renegotiation and initial ClientHello processing.
|
||||
- Terminate connections that attempt session resumption without SNI when allowSessionTicket is false.
|
||||
- Treat empty SNI extensions as absence of SNI to improve consistency in TLS handshake processing.
|
||||
|
||||
## 2025-03-11 - 3.41.2 - fix(SniHandler)
|
||||
Refactor hasSessionResumption to return detailed session resumption info
|
||||
|
||||
- Changed the return type of hasSessionResumption from boolean to an object with properties isResumption and hasSNI
|
||||
- Updated early return conditions to return { isResumption: false, hasSNI: false } when buffer is too short or invalid
|
||||
- Modified corresponding documentation to reflect the new return type
|
||||
|
||||
## 2025-03-11 - 3.41.1 - fix(SniHandler)
|
||||
Improve TLS SNI session resumption handling: connections containing a session ticket are now only rejected when no SNI is present and allowSessionTicket is disabled. Updated return values and logging for clearer resumption detection.
|
||||
|
||||
- Changed SniHandler.hasSessionResumption to return an object with 'isResumption' and 'hasSNI' flags.
|
||||
- Adjusted PortProxy logic to only terminate connections when a session ticket is detected without an accompanying SNI (when allowSessionTicket is false).
|
||||
- Enhanced debug logging to clearly differentiate between session resumption scenarios with and without SNI.
|
||||
|
||||
## 2025-03-11 - 3.41.0 - feat(PortProxy/TLS)
|
||||
Add allowSessionTicket option to control TLS session ticket handling
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@push.rocks/smartproxy",
|
||||
"version": "3.41.0",
|
||||
"version": "3.41.3",
|
||||
"private": false,
|
||||
"description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
|
||||
"main": "dist_ts/index.js",
|
||||
|
||||
@ -3,6 +3,6 @@
|
||||
*/
|
||||
export const commitinfo = {
|
||||
name: '@push.rocks/smartproxy',
|
||||
version: '3.41.0',
|
||||
version: '3.41.3',
|
||||
description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
|
||||
}
|
||||
|
||||
@ -941,15 +941,31 @@ export class PortProxy {
|
||||
// Check for session tickets if allowSessionTicket is disabled
|
||||
if (this.settings.allowSessionTicket === false) {
|
||||
// Analyze for session resumption attempt (session ticket or PSK)
|
||||
const hasSessionTicket = SniHandler.hasSessionResumption(renegChunk, this.settings.enableTlsDebugLogging);
|
||||
const resumptionInfo = SniHandler.hasSessionResumption(renegChunk, this.settings.enableTlsDebugLogging);
|
||||
|
||||
if (hasSessionTicket) {
|
||||
if (resumptionInfo.isResumption) {
|
||||
// Always log resumption attempt for easier debugging
|
||||
console.log(
|
||||
`[${connectionId}] Session ticket detected in renegotiation with allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
`[${connectionId}] Session resumption detected in renegotiation. ` +
|
||||
`Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, allowSessionTicket: ${this.settings.allowSessionTicket}`
|
||||
);
|
||||
this.initiateCleanupOnce(record, 'session_ticket_blocked');
|
||||
return;
|
||||
|
||||
// Block if there's session resumption without SNI
|
||||
if (!resumptionInfo.hasSNI) {
|
||||
console.log(
|
||||
`[${connectionId}] Session resumption detected in renegotiation without SNI and allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
);
|
||||
this.initiateCleanupOnce(record, 'session_ticket_blocked');
|
||||
return;
|
||||
} else {
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Session resumption with SNI detected in renegotiation. ` +
|
||||
`Allowing connection since SNI is present.`
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -1565,20 +1581,36 @@ export class PortProxy {
|
||||
// Check for session tickets if allowSessionTicket is disabled
|
||||
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
|
||||
// Analyze for session resumption attempt
|
||||
const hasSessionTicket = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
||||
const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
||||
|
||||
if (hasSessionTicket) {
|
||||
if (resumptionInfo.isResumption) {
|
||||
// Always log resumption attempt for easier debugging
|
||||
console.log(
|
||||
`[${connectionId}] Session ticket detected in initial ClientHello with allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
`[${connectionId}] Session resumption detected in initial ClientHello. ` +
|
||||
`Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, allowSessionTicket: ${this.settings.allowSessionTicket}`
|
||||
);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
|
||||
this.incrementTerminationStat('incoming', 'session_ticket_blocked');
|
||||
|
||||
// Block if there's session resumption without SNI
|
||||
if (!resumptionInfo.hasSNI) {
|
||||
console.log(
|
||||
`[${connectionId}] Session resumption detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
|
||||
this.incrementTerminationStat('incoming', 'session_ticket_blocked');
|
||||
}
|
||||
socket.end();
|
||||
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
|
||||
return;
|
||||
} else {
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Session resumption with SNI detected in initial ClientHello. ` +
|
||||
`Allowing connection since SNI is present.`
|
||||
);
|
||||
}
|
||||
}
|
||||
socket.end();
|
||||
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
@ -1931,20 +1963,36 @@ export class PortProxy {
|
||||
// Check for session tickets if allowSessionTicket is disabled
|
||||
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
|
||||
// Analyze for session resumption attempt
|
||||
const hasSessionTicket = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
||||
const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
||||
|
||||
if (hasSessionTicket) {
|
||||
if (resumptionInfo.isResumption) {
|
||||
// Always log resumption attempt for easier debugging
|
||||
console.log(
|
||||
`[${connectionId}] Session ticket detected in initial ClientHello with allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
`[${connectionId}] Session resumption detected in SNI handler. ` +
|
||||
`Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, allowSessionTicket: ${this.settings.allowSessionTicket}`
|
||||
);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
|
||||
this.incrementTerminationStat('incoming', 'session_ticket_blocked');
|
||||
|
||||
// Block if there's session resumption without SNI
|
||||
if (!resumptionInfo.hasSNI) {
|
||||
console.log(
|
||||
`[${connectionId}] Session resumption detected in SNI handler without SNI and allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
|
||||
this.incrementTerminationStat('incoming', 'session_ticket_blocked');
|
||||
}
|
||||
socket.end();
|
||||
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
|
||||
return;
|
||||
} else {
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Session resumption with SNI detected in SNI handler. ` +
|
||||
`Allowing connection since SNI is present.`
|
||||
);
|
||||
}
|
||||
}
|
||||
socket.end();
|
||||
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -285,12 +285,12 @@ export class SniHandler {
|
||||
*
|
||||
* @param buffer - The buffer containing a ClientHello message
|
||||
* @param enableLogging - Whether to enable logging
|
||||
* @returns true if the ClientHello contains session resumption mechanisms
|
||||
* @returns Object containing details about session resumption and SNI presence
|
||||
*/
|
||||
public static hasSessionResumption(
|
||||
buffer: Buffer,
|
||||
enableLogging: boolean = false
|
||||
): boolean {
|
||||
): { isResumption: boolean; hasSNI: boolean } {
|
||||
const log = (message: string) => {
|
||||
if (enableLogging) {
|
||||
console.log(`[Session Resumption] ${message}`);
|
||||
@ -298,7 +298,7 @@ export class SniHandler {
|
||||
};
|
||||
|
||||
if (!this.isClientHello(buffer)) {
|
||||
return false;
|
||||
return { isResumption: false, hasSNI: false };
|
||||
}
|
||||
|
||||
try {
|
||||
@ -306,7 +306,7 @@ export class SniHandler {
|
||||
let pos = 5 + 1 + 3 + 2; // Position after handshake type, length and client version
|
||||
pos += 32; // Skip client random
|
||||
|
||||
if (pos + 1 > buffer.length) return false;
|
||||
if (pos + 1 > buffer.length) return { isResumption: false, hasSNI: false };
|
||||
|
||||
const sessionIdLength = buffer[pos];
|
||||
let hasNonEmptySessionId = sessionIdLength > 0;
|
||||
@ -319,17 +319,17 @@ export class SniHandler {
|
||||
pos += 1 + sessionIdLength;
|
||||
|
||||
// Skip cipher suites
|
||||
if (pos + 2 > buffer.length) return false;
|
||||
if (pos + 2 > buffer.length) return { isResumption: false, hasSNI: false };
|
||||
const cipherSuitesLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2 + cipherSuitesLength;
|
||||
|
||||
// Skip compression methods
|
||||
if (pos + 1 > buffer.length) return false;
|
||||
if (pos + 1 > buffer.length) return { isResumption: false, hasSNI: false };
|
||||
const compressionMethodsLength = buffer[pos];
|
||||
pos += 1 + compressionMethodsLength;
|
||||
|
||||
// Check for extensions
|
||||
if (pos + 2 > buffer.length) return false;
|
||||
if (pos + 2 > buffer.length) return { isResumption: false, hasSNI: false };
|
||||
|
||||
// Look for session resumption extensions
|
||||
const extensionsLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
@ -337,7 +337,7 @@ export class SniHandler {
|
||||
|
||||
// Extensions end position
|
||||
const extensionsEnd = pos + extensionsLength;
|
||||
if (extensionsEnd > buffer.length) return false;
|
||||
if (extensionsEnd > buffer.length) return { isResumption: false, hasSNI: false };
|
||||
|
||||
// Track resumption indicators
|
||||
let hasSessionTicket = false;
|
||||
@ -372,6 +372,63 @@ export class SniHandler {
|
||||
pos += extensionLength;
|
||||
}
|
||||
|
||||
// Check if SNI is included
|
||||
let hasSNI = false;
|
||||
|
||||
// Reset position and scan again for SNI extension
|
||||
pos = 5 + 1 + 3 + 2; // Reset to after handshake type, length and client version
|
||||
pos += 32; // Skip client random
|
||||
|
||||
if (pos + 1 <= buffer.length) {
|
||||
const sessionIdLength = buffer[pos];
|
||||
pos += 1 + sessionIdLength;
|
||||
|
||||
// Skip cipher suites
|
||||
if (pos + 2 <= buffer.length) {
|
||||
const cipherSuitesLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2 + cipherSuitesLength;
|
||||
|
||||
// Skip compression methods
|
||||
if (pos + 1 <= buffer.length) {
|
||||
const compressionMethodsLength = buffer[pos];
|
||||
pos += 1 + compressionMethodsLength;
|
||||
|
||||
// Check for extensions
|
||||
if (pos + 2 <= buffer.length) {
|
||||
const extensionsLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
// Extensions end position
|
||||
const extensionsEnd = pos + extensionsLength;
|
||||
if (extensionsEnd <= buffer.length) {
|
||||
// Scan for SNI extension
|
||||
while (pos + 4 <= extensionsEnd) {
|
||||
const extensionType = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
const extensionLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
if (extensionType === this.TLS_SNI_EXTENSION_TYPE) {
|
||||
// Check that the SNI extension actually has content
|
||||
if (extensionLength > 0) {
|
||||
hasSNI = true;
|
||||
log('Found SNI extension with length: ' + extensionLength);
|
||||
} else {
|
||||
log('Found empty SNI extension, treating as no SNI');
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
// Skip extension data
|
||||
pos += extensionLength;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Consider it a resumption if any resumption mechanism is present
|
||||
const isResumption = hasSessionTicket || hasPSK || hasEarlyData ||
|
||||
(hasNonEmptySessionId && !hasPSK); // Legacy resumption
|
||||
@ -381,13 +438,27 @@ export class SniHandler {
|
||||
(hasSessionTicket ? 'session ticket, ' : '') +
|
||||
(hasPSK ? 'PSK, ' : '') +
|
||||
(hasEarlyData ? 'early data, ' : '') +
|
||||
(hasNonEmptySessionId ? 'session ID' : ''));
|
||||
(hasNonEmptySessionId ? 'session ID' : '') +
|
||||
(hasSNI ? ', with SNI' : ', without SNI'));
|
||||
}
|
||||
|
||||
return isResumption;
|
||||
// Return an object with both flags
|
||||
// For clarity: connections should be blocked if they have session resumption without SNI
|
||||
if (isResumption) {
|
||||
log(`Resumption summary - hasSNI: ${hasSNI ? 'yes' : 'no'}, resumption type: ${
|
||||
hasSessionTicket ? 'session ticket, ' : ''
|
||||
}${hasPSK ? 'PSK, ' : ''}${hasEarlyData ? 'early data, ' : ''}${
|
||||
hasNonEmptySessionId ? 'session ID' : ''
|
||||
}`);
|
||||
}
|
||||
|
||||
return {
|
||||
isResumption,
|
||||
hasSNI
|
||||
};
|
||||
} catch (error) {
|
||||
log(`Error checking for session resumption: ${error}`);
|
||||
return false;
|
||||
return { isResumption: false, hasSNI: false };
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user