Compare commits
12 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 21801aa53d | |||
| ddfbcdb1f3 | |||
| b401d126bc | |||
| baaee0ad4d | |||
| fe7c4c2f5e | |||
| ab1ec84832 | |||
| 156abbf5b4 | |||
| 1a90566622 | |||
| b48b90d613 | |||
| 124f8d48b7 | |||
| b2a57ada5d | |||
| 62a3e1f4b7 |
43
changelog.md
43
changelog.md
@ -1,5 +1,48 @@
|
||||
# Changelog
|
||||
|
||||
## 2025-03-12 - 3.41.6 - fix(SniHandler)
|
||||
Refactor SniHandler: update whitespace, comment formatting, and consistent type definitions
|
||||
|
||||
- Unified inline comment style and spacing in SniHandler
|
||||
- Refactored session cache type declaration for clarity
|
||||
- Adjusted buffer length calculations to include TLS record header consistently
|
||||
- Minor improvements to logging messages during ClientHello reassembly and SNI extraction
|
||||
|
||||
## 2025-03-12 - 3.41.5 - fix(portproxy)
|
||||
Enforce TLS handshake and SNI validation on port 443 by blocking non-TLS connections and terminating session resumption attempts without SNI when allowSessionTicket is disabled.
|
||||
|
||||
- Added explicit check to block non-TLS connections on port 443 to ensure proper TLS usage.
|
||||
- Enhanced logging for TLS ClientHello to include details on SNI extraction and session resumption status.
|
||||
- Terminate connections with missing SNI by setting termination reasons ('session_ticket_blocked' or 'no_sni_blocked').
|
||||
- Ensured consistent rejection of non-TLS handshakes on standard HTTPS port.
|
||||
|
||||
## 2025-03-12 - 3.41.4 - fix(tls/sni)
|
||||
Improve logging for TLS session resumption by extracting and logging SNI values from ClientHello messages.
|
||||
|
||||
- Added logging to output the extracted SNI value during renegotiation, initial ClientHello and in the SNI handler.
|
||||
- Enhanced error handling during SNI extraction to aid troubleshooting of TLS session resumption issues.
|
||||
|
||||
## 2025-03-12 - 3.41.3 - fix(TLS/SNI)
|
||||
Improve TLS session resumption handling and logging. Now, session resumption attempts are always logged with details, and connections without a proper SNI are rejected when allowSessionTicket is disabled. In addition, empty SNI extensions are explicitly treated as missing, ensuring stricter and more consistent TLS handshake validation.
|
||||
|
||||
- Always log session resumption in both renegotiation and initial ClientHello processing.
|
||||
- Terminate connections that attempt session resumption without SNI when allowSessionTicket is false.
|
||||
- Treat empty SNI extensions as absence of SNI to improve consistency in TLS handshake processing.
|
||||
|
||||
## 2025-03-11 - 3.41.2 - fix(SniHandler)
|
||||
Refactor hasSessionResumption to return detailed session resumption info
|
||||
|
||||
- Changed the return type of hasSessionResumption from boolean to an object with properties isResumption and hasSNI
|
||||
- Updated early return conditions to return { isResumption: false, hasSNI: false } when buffer is too short or invalid
|
||||
- Modified corresponding documentation to reflect the new return type
|
||||
|
||||
## 2025-03-11 - 3.41.1 - fix(SniHandler)
|
||||
Improve TLS SNI session resumption handling: connections containing a session ticket are now only rejected when no SNI is present and allowSessionTicket is disabled. Updated return values and logging for clearer resumption detection.
|
||||
|
||||
- Changed SniHandler.hasSessionResumption to return an object with 'isResumption' and 'hasSNI' flags.
|
||||
- Adjusted PortProxy logic to only terminate connections when a session ticket is detected without an accompanying SNI (when allowSessionTicket is false).
|
||||
- Enhanced debug logging to clearly differentiate between session resumption scenarios with and without SNI.
|
||||
|
||||
## 2025-03-11 - 3.41.0 - feat(PortProxy/TLS)
|
||||
Add allowSessionTicket option to control TLS session ticket handling
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@push.rocks/smartproxy",
|
||||
"version": "3.41.0",
|
||||
"version": "3.41.6",
|
||||
"private": false,
|
||||
"description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
|
||||
"main": "dist_ts/index.js",
|
||||
|
||||
@ -3,6 +3,6 @@
|
||||
*/
|
||||
export const commitinfo = {
|
||||
name: '@push.rocks/smartproxy',
|
||||
version: '3.41.0',
|
||||
version: '3.41.6',
|
||||
description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
|
||||
}
|
||||
|
||||
@ -941,15 +941,35 @@ export class PortProxy {
|
||||
// Check for session tickets if allowSessionTicket is disabled
|
||||
if (this.settings.allowSessionTicket === false) {
|
||||
// Analyze for session resumption attempt (session ticket or PSK)
|
||||
const hasSessionTicket = SniHandler.hasSessionResumption(renegChunk, this.settings.enableTlsDebugLogging);
|
||||
const resumptionInfo = SniHandler.hasSessionResumption(renegChunk, this.settings.enableTlsDebugLogging);
|
||||
|
||||
if (hasSessionTicket) {
|
||||
if (resumptionInfo.isResumption) {
|
||||
// Always log resumption attempt for easier debugging
|
||||
// Try to extract SNI for logging
|
||||
const extractedSNI = SniHandler.extractSNI(renegChunk, this.settings.enableTlsDebugLogging);
|
||||
console.log(
|
||||
`[${connectionId}] Session ticket detected in renegotiation with allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
`[${connectionId}] Session resumption detected in renegotiation. ` +
|
||||
`Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, ` +
|
||||
`SNI value: ${extractedSNI || 'None'}, ` +
|
||||
`allowSessionTicket: ${this.settings.allowSessionTicket}`
|
||||
);
|
||||
this.initiateCleanupOnce(record, 'session_ticket_blocked');
|
||||
return;
|
||||
|
||||
// Block if there's session resumption without SNI
|
||||
if (!resumptionInfo.hasSNI) {
|
||||
console.log(
|
||||
`[${connectionId}] Session resumption detected in renegotiation without SNI and allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
);
|
||||
this.initiateCleanupOnce(record, 'session_ticket_blocked');
|
||||
return;
|
||||
} else {
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Session resumption with SNI detected in renegotiation. ` +
|
||||
`Allowing connection since SNI is present.`
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -1557,19 +1577,48 @@ export class PortProxy {
|
||||
|
||||
initialDataReceived = true;
|
||||
connectionRecord.hasReceivedInitialData = true;
|
||||
|
||||
// Block non-TLS connections on port 443
|
||||
// Always enforce TLS on standard HTTPS port
|
||||
if (!SniHandler.isTlsHandshake(chunk) && localPort === 443) {
|
||||
console.log(
|
||||
`[${connectionId}] Non-TLS connection detected on port 443. ` +
|
||||
`Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
|
||||
);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
connectionRecord.incomingTerminationReason = 'non_tls_blocked';
|
||||
this.incrementTerminationStat('incoming', 'non_tls_blocked');
|
||||
}
|
||||
socket.end();
|
||||
this.cleanupConnection(connectionRecord, 'non_tls_blocked');
|
||||
return;
|
||||
}
|
||||
|
||||
// Check if this looks like a TLS handshake
|
||||
if (SniHandler.isTlsHandshake(chunk)) {
|
||||
connectionRecord.isTLS = true;
|
||||
|
||||
// Check for session tickets if allowSessionTicket is disabled
|
||||
// Check for TLS ClientHello with either no SNI or session tickets
|
||||
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
|
||||
// Analyze for session resumption attempt
|
||||
const hasSessionTicket = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
||||
// Extract SNI first
|
||||
const extractedSNI = SniHandler.extractSNI(chunk, this.settings.enableTlsDebugLogging);
|
||||
const hasSNI = !!extractedSNI;
|
||||
|
||||
if (hasSessionTicket) {
|
||||
// Analyze for session resumption attempt
|
||||
const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
||||
|
||||
// Always log for debugging purposes
|
||||
console.log(
|
||||
`[${connectionId}] TLS ClientHello detected with allowSessionTicket=false. ` +
|
||||
`Has SNI: ${hasSNI ? 'Yes' : 'No'}, ` +
|
||||
`SNI value: ${extractedSNI || 'None'}, ` +
|
||||
`Has session resumption: ${resumptionInfo.isResumption ? 'Yes' : 'No'}`
|
||||
);
|
||||
|
||||
// Block if this is a connection with session resumption but no SNI
|
||||
if (resumptionInfo.isResumption && !hasSNI) {
|
||||
console.log(
|
||||
`[${connectionId}] Session ticket detected in initial ClientHello with allowSessionTicket=false. ` +
|
||||
`[${connectionId}] Session resumption detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
@ -1580,6 +1629,22 @@ export class PortProxy {
|
||||
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
|
||||
return;
|
||||
}
|
||||
|
||||
// Also block if this is a TLS connection without SNI when allowSessionTicket is false
|
||||
// This forces clients to send SNI which helps with routing
|
||||
if (!hasSNI && localPort === 443) {
|
||||
console.log(
|
||||
`[${connectionId}] TLS ClientHello detected on port 443 without SNI and allowSessionTicket=false. ` +
|
||||
`Terminating connection to force proper SNI in handshake.`
|
||||
);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
connectionRecord.incomingTerminationReason = 'no_sni_blocked';
|
||||
this.incrementTerminationStat('incoming', 'no_sni_blocked');
|
||||
}
|
||||
socket.end();
|
||||
this.cleanupConnection(connectionRecord, 'no_sni_blocked');
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
// Try to extract SNI for domain-specific NetworkProxy handling
|
||||
@ -1915,6 +1980,22 @@ export class PortProxy {
|
||||
}
|
||||
|
||||
initialDataReceived = true;
|
||||
|
||||
// Block non-TLS connections on port 443
|
||||
// Always enforce TLS on standard HTTPS port
|
||||
if (!SniHandler.isTlsHandshake(chunk) && localPort === 443) {
|
||||
console.log(
|
||||
`[${connectionId}] Non-TLS connection detected on port 443 in SNI handler. ` +
|
||||
`Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
|
||||
);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
connectionRecord.incomingTerminationReason = 'non_tls_blocked';
|
||||
this.incrementTerminationStat('incoming', 'non_tls_blocked');
|
||||
}
|
||||
socket.end();
|
||||
this.cleanupConnection(connectionRecord, 'non_tls_blocked');
|
||||
return;
|
||||
}
|
||||
|
||||
// Try to extract SNI
|
||||
let serverName = '';
|
||||
@ -1931,20 +2012,40 @@ export class PortProxy {
|
||||
// Check for session tickets if allowSessionTicket is disabled
|
||||
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
|
||||
// Analyze for session resumption attempt
|
||||
const hasSessionTicket = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
||||
const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
||||
|
||||
if (hasSessionTicket) {
|
||||
if (resumptionInfo.isResumption) {
|
||||
// Always log resumption attempt for easier debugging
|
||||
// Try to extract SNI for logging
|
||||
const extractedSNI = SniHandler.extractSNI(chunk, this.settings.enableTlsDebugLogging);
|
||||
console.log(
|
||||
`[${connectionId}] Session ticket detected in initial ClientHello with allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
`[${connectionId}] Session resumption detected in SNI handler. ` +
|
||||
`Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, ` +
|
||||
`SNI value: ${extractedSNI || 'None'}, ` +
|
||||
`allowSessionTicket: ${this.settings.allowSessionTicket}`
|
||||
);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
|
||||
this.incrementTerminationStat('incoming', 'session_ticket_blocked');
|
||||
|
||||
// Block if there's session resumption without SNI
|
||||
if (!resumptionInfo.hasSNI) {
|
||||
console.log(
|
||||
`[${connectionId}] Session resumption detected in SNI handler without SNI and allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
connectionRecord.incomingTerminationReason = 'session_ticket_blocked';
|
||||
this.incrementTerminationStat('incoming', 'session_ticket_blocked');
|
||||
}
|
||||
socket.end();
|
||||
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
|
||||
return;
|
||||
} else {
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Session resumption with SNI detected in SNI handler. ` +
|
||||
`Allowing connection since SNI is present.`
|
||||
);
|
||||
}
|
||||
}
|
||||
socket.end();
|
||||
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
Reference in New Issue
Block a user