Compare commits
14 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 985031e9ac | |||
| 4c0105ad09 | |||
| 06896b3102 | |||
| 7fe455b4df | |||
| 21801aa53d | |||
| ddfbcdb1f3 | |||
| b401d126bc | |||
| baaee0ad4d | |||
| fe7c4c2f5e | |||
| ab1ec84832 | |||
| 156abbf5b4 | |||
| 1a90566622 | |||
| b48b90d613 | |||
| 124f8d48b7 |
52
changelog.md
52
changelog.md
@ -1,5 +1,57 @@
|
||||
# Changelog
|
||||
|
||||
## 2025-03-12 - 3.41.8 - fix(portproxy)
|
||||
Improve TLS handshake timeout handling and connection piping in PortProxy
|
||||
|
||||
- Increase the default initial handshake timeout from 60 seconds to 120 seconds
|
||||
- Add a 30-second grace period before terminating connections waiting for initial TLS data
|
||||
- Refactor piping logic by removing redundant callback and establishing piping immediately after flushing buffered data
|
||||
- Enhance debug logging during TLS ClientHello processing for improved SNI extraction insights
|
||||
|
||||
## 2025-03-12 - 3.41.7 - fix(core)
|
||||
Refactor PortProxy and SniHandler: improve configuration handling, logging, and whitespace consistency
|
||||
|
||||
- Standardized indentation and spacing for configuration properties in PortProxy settings (e.g. ACME options, keepAliveProbes, allowSessionTicket)
|
||||
- Simplified conditional formatting and improved inline comments in PortProxy
|
||||
- Enhanced logging messages in SniHandler for TLS handshake and session resumption detection
|
||||
- Improved debugging output (e.g. hexdump of initial TLS packet) and consistency of multi-line expressions
|
||||
|
||||
## 2025-03-12 - 3.41.6 - fix(SniHandler)
|
||||
Refactor SniHandler: update whitespace, comment formatting, and consistent type definitions
|
||||
|
||||
- Unified inline comment style and spacing in SniHandler
|
||||
- Refactored session cache type declaration for clarity
|
||||
- Adjusted buffer length calculations to include TLS record header consistently
|
||||
- Minor improvements to logging messages during ClientHello reassembly and SNI extraction
|
||||
|
||||
## 2025-03-12 - 3.41.5 - fix(portproxy)
|
||||
Enforce TLS handshake and SNI validation on port 443 by blocking non-TLS connections and terminating session resumption attempts without SNI when allowSessionTicket is disabled.
|
||||
|
||||
- Added explicit check to block non-TLS connections on port 443 to ensure proper TLS usage.
|
||||
- Enhanced logging for TLS ClientHello to include details on SNI extraction and session resumption status.
|
||||
- Terminate connections with missing SNI by setting termination reasons ('session_ticket_blocked' or 'no_sni_blocked').
|
||||
- Ensured consistent rejection of non-TLS handshakes on standard HTTPS port.
|
||||
|
||||
## 2025-03-12 - 3.41.4 - fix(tls/sni)
|
||||
Improve logging for TLS session resumption by extracting and logging SNI values from ClientHello messages.
|
||||
|
||||
- Added logging to output the extracted SNI value during renegotiation, initial ClientHello and in the SNI handler.
|
||||
- Enhanced error handling during SNI extraction to aid troubleshooting of TLS session resumption issues.
|
||||
|
||||
## 2025-03-12 - 3.41.3 - fix(TLS/SNI)
|
||||
Improve TLS session resumption handling and logging. Now, session resumption attempts are always logged with details, and connections without a proper SNI are rejected when allowSessionTicket is disabled. In addition, empty SNI extensions are explicitly treated as missing, ensuring stricter and more consistent TLS handshake validation.
|
||||
|
||||
- Always log session resumption in both renegotiation and initial ClientHello processing.
|
||||
- Terminate connections that attempt session resumption without SNI when allowSessionTicket is false.
|
||||
- Treat empty SNI extensions as absence of SNI to improve consistency in TLS handshake processing.
|
||||
|
||||
## 2025-03-11 - 3.41.2 - fix(SniHandler)
|
||||
Refactor hasSessionResumption to return detailed session resumption info
|
||||
|
||||
- Changed the return type of hasSessionResumption from boolean to an object with properties isResumption and hasSNI
|
||||
- Updated early return conditions to return { isResumption: false, hasSNI: false } when buffer is too short or invalid
|
||||
- Modified corresponding documentation to reflect the new return type
|
||||
|
||||
## 2025-03-11 - 3.41.1 - fix(SniHandler)
|
||||
Improve TLS SNI session resumption handling: connections containing a session ticket are now only rejected when no SNI is present and allowSessionTicket is disabled. Updated return values and logging for clearer resumption detection.
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@push.rocks/smartproxy",
|
||||
"version": "3.41.1",
|
||||
"version": "3.41.8",
|
||||
"private": false,
|
||||
"description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
|
||||
"main": "dist_ts/index.js",
|
||||
|
||||
@ -3,6 +3,6 @@
|
||||
*/
|
||||
export const commitinfo = {
|
||||
name: '@push.rocks/smartproxy',
|
||||
version: '3.41.1',
|
||||
version: '3.41.8',
|
||||
description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
|
||||
}
|
||||
|
||||
@ -216,7 +216,7 @@ export class PortProxy {
|
||||
targetIP: settingsArg.targetIP || 'localhost',
|
||||
|
||||
// Timeout settings with reasonable defaults
|
||||
initialDataTimeout: settingsArg.initialDataTimeout || 60000, // 60 seconds for initial handshake
|
||||
initialDataTimeout: settingsArg.initialDataTimeout || 120000, // 120 seconds for initial handshake
|
||||
socketTimeout: ensureSafeTimeout(settingsArg.socketTimeout || 3600000), // 1 hour socket timeout
|
||||
inactivityCheckInterval: settingsArg.inactivityCheckInterval || 60000, // 60 seconds interval
|
||||
maxConnectionLifetime: ensureSafeTimeout(settingsArg.maxConnectionLifetime || 86400000), // 24 hours default
|
||||
@ -232,13 +232,13 @@ export class PortProxy {
|
||||
|
||||
// Feature flags
|
||||
disableInactivityCheck: settingsArg.disableInactivityCheck || false,
|
||||
enableKeepAliveProbes: settingsArg.enableKeepAliveProbes !== undefined
|
||||
? settingsArg.enableKeepAliveProbes : true,
|
||||
enableKeepAliveProbes:
|
||||
settingsArg.enableKeepAliveProbes !== undefined ? settingsArg.enableKeepAliveProbes : true,
|
||||
enableDetailedLogging: settingsArg.enableDetailedLogging || false,
|
||||
enableTlsDebugLogging: settingsArg.enableTlsDebugLogging || false,
|
||||
enableRandomizedTimeouts: settingsArg.enableRandomizedTimeouts || false,
|
||||
allowSessionTicket: settingsArg.allowSessionTicket !== undefined
|
||||
? settingsArg.allowSessionTicket : true,
|
||||
allowSessionTicket:
|
||||
settingsArg.allowSessionTicket !== undefined ? settingsArg.allowSessionTicket : true,
|
||||
|
||||
// Rate limiting defaults
|
||||
maxConnectionsPerIP: settingsArg.maxConnectionsPerIP || 100,
|
||||
@ -261,8 +261,8 @@ export class PortProxy {
|
||||
renewThresholdDays: 30,
|
||||
autoRenew: true,
|
||||
certificateStore: './certs',
|
||||
skipConfiguredCerts: false
|
||||
}
|
||||
skipConfiguredCerts: false,
|
||||
},
|
||||
};
|
||||
|
||||
// Initialize NetworkProxy if enabled
|
||||
@ -280,7 +280,7 @@ export class PortProxy {
|
||||
const networkProxyOptions: any = {
|
||||
port: this.settings.networkProxyPort!,
|
||||
portProxyIntegration: true,
|
||||
logLevel: this.settings.enableDetailedLogging ? 'debug' : 'info'
|
||||
logLevel: this.settings.enableDetailedLogging ? 'debug' : 'info',
|
||||
};
|
||||
|
||||
// Add ACME settings if configured
|
||||
@ -321,7 +321,7 @@ export class PortProxy {
|
||||
// Update settings
|
||||
this.settings.acme = {
|
||||
...this.settings.acme,
|
||||
...acmeSettings
|
||||
...acmeSettings,
|
||||
};
|
||||
|
||||
// If NetworkProxy is initialized, update its ACME settings
|
||||
@ -379,17 +379,19 @@ export class PortProxy {
|
||||
try {
|
||||
certPair = {
|
||||
key: fs.readFileSync('assets/certs/key.pem', 'utf8'),
|
||||
cert: fs.readFileSync('assets/certs/cert.pem', 'utf8')
|
||||
cert: fs.readFileSync('assets/certs/cert.pem', 'utf8'),
|
||||
};
|
||||
} catch (certError) {
|
||||
console.log(`Warning: Could not read default certificates: ${certError}`);
|
||||
console.log('Using empty certificate placeholders - ACME will generate proper certificates if enabled');
|
||||
console.log(
|
||||
'Using empty certificate placeholders - ACME will generate proper certificates if enabled'
|
||||
);
|
||||
|
||||
// Use empty placeholders - NetworkProxy will use its internal defaults
|
||||
// or ACME will generate proper ones if enabled
|
||||
certPair = {
|
||||
key: '',
|
||||
cert: ''
|
||||
cert: '',
|
||||
};
|
||||
}
|
||||
|
||||
@ -402,8 +404,8 @@ export class PortProxy {
|
||||
// Log ACME-eligible domains if ACME is enabled
|
||||
if (this.settings.acme?.enabled) {
|
||||
const acmeEligibleDomains = proxyConfigs
|
||||
.filter(config => !config.hostName.includes('*')) // Exclude wildcards
|
||||
.map(config => config.hostName);
|
||||
.filter((config) => !config.hostName.includes('*')) // Exclude wildcards
|
||||
.map((config) => config.hostName);
|
||||
|
||||
if (acmeEligibleDomains.length > 0) {
|
||||
console.log(`Domains eligible for ACME certificates: ${acmeEligibleDomains.join(', ')}`);
|
||||
@ -413,9 +415,14 @@ export class PortProxy {
|
||||
}
|
||||
|
||||
// Update NetworkProxy with the converted configs
|
||||
this.networkProxy.updateProxyConfigs(proxyConfigs).then(() => {
|
||||
console.log(`Successfully synchronized ${proxyConfigs.length} domain configurations to NetworkProxy`);
|
||||
}).catch(err => {
|
||||
this.networkProxy
|
||||
.updateProxyConfigs(proxyConfigs)
|
||||
.then(() => {
|
||||
console.log(
|
||||
`Successfully synchronized ${proxyConfigs.length} domain configurations to NetworkProxy`
|
||||
);
|
||||
})
|
||||
.catch((err) => {
|
||||
console.log(`Error synchronizing configurations: ${err.message}`);
|
||||
});
|
||||
} catch (err) {
|
||||
@ -546,9 +553,7 @@ export class PortProxy {
|
||||
proxySocket.on('data', () => this.updateActivity(record));
|
||||
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] TLS connection successfully forwarded to NetworkProxy`
|
||||
);
|
||||
console.log(`[${connectionId}] TLS connection successfully forwarded to NetworkProxy`);
|
||||
}
|
||||
});
|
||||
}
|
||||
@ -849,16 +854,35 @@ export class PortProxy {
|
||||
// Process any remaining data in the queue before switching to piping
|
||||
processDataQueue();
|
||||
|
||||
// Setup function to establish piping - we'll use this after flushing data
|
||||
const setupPiping = () => {
|
||||
// Mark that we're switching to piping mode
|
||||
// Set up piping immediately - don't delay this crucial step
|
||||
pipingEstablished = true;
|
||||
|
||||
// Setup piping in both directions
|
||||
// Flush all pending data to target
|
||||
if (record.pendingData.length > 0) {
|
||||
const combinedData = Buffer.concat(record.pendingData);
|
||||
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(`[${connectionId}] Forwarding ${combinedData.length} bytes of initial data to target`);
|
||||
}
|
||||
|
||||
// Write pending data immediately
|
||||
targetSocket.write(combinedData, (err) => {
|
||||
if (err) {
|
||||
console.log(`[${connectionId}] Error writing pending data to target: ${err.message}`);
|
||||
return this.initiateCleanupOnce(record, 'write_error');
|
||||
}
|
||||
});
|
||||
|
||||
// Clear the buffer now that we've processed it
|
||||
record.pendingData = [];
|
||||
record.pendingDataSize = 0;
|
||||
}
|
||||
|
||||
// Setup piping in both directions without any delays
|
||||
socket.pipe(targetSocket);
|
||||
targetSocket.pipe(socket);
|
||||
|
||||
// Resume the socket to ensure data flows
|
||||
// Resume the socket to ensure data flows - CRITICAL!
|
||||
socket.resume();
|
||||
|
||||
// Process any data that might be queued in the interim
|
||||
@ -898,28 +922,7 @@ export class PortProxy {
|
||||
}`
|
||||
);
|
||||
}
|
||||
};
|
||||
|
||||
// Flush all pending data to target
|
||||
if (record.pendingData.length > 0) {
|
||||
const combinedData = Buffer.concat(record.pendingData);
|
||||
targetSocket.write(combinedData, (err) => {
|
||||
if (err) {
|
||||
console.log(`[${connectionId}] Error writing pending data to target: ${err.message}`);
|
||||
return this.initiateCleanupOnce(record, 'write_error');
|
||||
}
|
||||
|
||||
// Establish piping now that we've flushed the buffered data
|
||||
setupPiping();
|
||||
});
|
||||
} else {
|
||||
// No pending data, just establish piping immediately
|
||||
setupPiping();
|
||||
}
|
||||
|
||||
// Clear the buffer now that we've processed it
|
||||
record.pendingData = [];
|
||||
record.pendingDataSize = 0;
|
||||
|
||||
// Add the renegotiation handler for SNI validation with strict domain enforcement
|
||||
// This will be called after we've established piping
|
||||
@ -935,33 +938,55 @@ export class PortProxy {
|
||||
sourceIp: record.remoteIP,
|
||||
sourcePort: record.incoming.remotePort || 0,
|
||||
destIp: record.incoming.localAddress || '',
|
||||
destPort: record.incoming.localPort || 0
|
||||
destPort: record.incoming.localPort || 0,
|
||||
};
|
||||
|
||||
// Check for session tickets if allowSessionTicket is disabled
|
||||
if (this.settings.allowSessionTicket === false) {
|
||||
// Analyze for session resumption attempt (session ticket or PSK)
|
||||
const resumptionInfo = SniHandler.hasSessionResumption(renegChunk, this.settings.enableTlsDebugLogging);
|
||||
const resumptionInfo = SniHandler.hasSessionResumption(
|
||||
renegChunk,
|
||||
this.settings.enableTlsDebugLogging
|
||||
);
|
||||
|
||||
// Only block if there's a session ticket without SNI
|
||||
if (resumptionInfo.isResumption && !resumptionInfo.hasSNI) {
|
||||
if (resumptionInfo.isResumption) {
|
||||
// Always log resumption attempt for easier debugging
|
||||
// Try to extract SNI for logging
|
||||
const extractedSNI = SniHandler.extractSNI(
|
||||
renegChunk,
|
||||
this.settings.enableTlsDebugLogging
|
||||
);
|
||||
console.log(
|
||||
`[${connectionId}] Session ticket detected in renegotiation without SNI and allowSessionTicket=false. ` +
|
||||
`[${connectionId}] Session resumption detected in renegotiation. ` +
|
||||
`Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, ` +
|
||||
`SNI value: ${extractedSNI || 'None'}, ` +
|
||||
`allowSessionTicket: ${this.settings.allowSessionTicket}`
|
||||
);
|
||||
|
||||
// Block if there's session resumption without SNI
|
||||
if (!resumptionInfo.hasSNI) {
|
||||
console.log(
|
||||
`[${connectionId}] Session resumption detected in renegotiation without SNI and allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
);
|
||||
this.initiateCleanupOnce(record, 'session_ticket_blocked');
|
||||
return;
|
||||
} else if (resumptionInfo.isResumption && resumptionInfo.hasSNI) {
|
||||
if (this.settings.enableTlsDebugLogging) {
|
||||
} else {
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Session ticket with SNI detected in renegotiation. ` +
|
||||
`[${connectionId}] Session resumption with SNI detected in renegotiation. ` +
|
||||
`Allowing connection since SNI is present.`
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
const newSNI = SniHandler.extractSNIWithResumptionSupport(renegChunk, connInfo, this.settings.enableTlsDebugLogging);
|
||||
const newSNI = SniHandler.extractSNIWithResumptionSupport(
|
||||
renegChunk,
|
||||
connInfo,
|
||||
this.settings.enableTlsDebugLogging
|
||||
);
|
||||
|
||||
// Skip if no SNI was found
|
||||
if (!newSNI) return;
|
||||
@ -995,9 +1020,13 @@ export class PortProxy {
|
||||
socket.on('data', renegotiationHandler);
|
||||
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(`[${connectionId}] TLS renegotiation handler installed for SNI domain: ${serverName}`);
|
||||
console.log(
|
||||
`[${connectionId}] TLS renegotiation handler installed for SNI domain: ${serverName}`
|
||||
);
|
||||
if (this.settings.allowSessionTicket === false) {
|
||||
console.log(`[${connectionId}] Session ticket usage is disabled. Connection will be reset on reconnection attempts.`);
|
||||
console.log(
|
||||
`[${connectionId}] Session ticket usage is disabled. Connection will be reset on reconnection attempts.`
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1390,7 +1419,11 @@ export class PortProxy {
|
||||
}
|
||||
|
||||
// Initialize NetworkProxy if needed (useNetworkProxy is set but networkProxy isn't initialized)
|
||||
if (this.settings.useNetworkProxy && this.settings.useNetworkProxy.length > 0 && !this.networkProxy) {
|
||||
if (
|
||||
this.settings.useNetworkProxy &&
|
||||
this.settings.useNetworkProxy.length > 0 &&
|
||||
!this.networkProxy
|
||||
) {
|
||||
await this.initializeNetworkProxy();
|
||||
}
|
||||
|
||||
@ -1401,7 +1434,11 @@ export class PortProxy {
|
||||
|
||||
// Log ACME status
|
||||
if (this.settings.acme?.enabled) {
|
||||
console.log(`ACME certificate management is enabled (${this.settings.acme.useProduction ? 'Production' : 'Staging'} mode)`);
|
||||
console.log(
|
||||
`ACME certificate management is enabled (${
|
||||
this.settings.acme.useProduction ? 'Production' : 'Staging'
|
||||
} mode)`
|
||||
);
|
||||
console.log(`ACME HTTP challenge server on port ${this.settings.acme.port}`);
|
||||
|
||||
// Register domains for ACME certificates if enabled
|
||||
@ -1524,8 +1561,8 @@ export class PortProxy {
|
||||
|
||||
// Check if this connection should be forwarded directly to NetworkProxy
|
||||
// First check port-based forwarding settings
|
||||
let shouldUseNetworkProxy = this.settings.useNetworkProxy &&
|
||||
this.settings.useNetworkProxy.includes(localPort);
|
||||
let shouldUseNetworkProxy =
|
||||
this.settings.useNetworkProxy && this.settings.useNetworkProxy.includes(localPort);
|
||||
|
||||
// We'll look for domain-specific settings after SNI extraction
|
||||
|
||||
@ -1536,9 +1573,12 @@ export class PortProxy {
|
||||
// Set an initial timeout for handshake data
|
||||
let initialTimeout: NodeJS.Timeout | null = setTimeout(() => {
|
||||
if (!initialDataReceived) {
|
||||
console.log(
|
||||
`[${connectionId}] Initial data timeout (${this.settings.initialDataTimeout}ms) for connection from ${remoteIP} on port ${localPort}`
|
||||
);
|
||||
console.log(`[${connectionId}] Initial data warning (${this.settings.initialDataTimeout}ms) for connection from ${remoteIP}`);
|
||||
|
||||
// Add a grace period instead of immediate termination
|
||||
setTimeout(() => {
|
||||
if (!initialDataReceived) {
|
||||
console.log(`[${connectionId}] Final initial data timeout after grace period`);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
connectionRecord.incomingTerminationReason = 'initial_timeout';
|
||||
this.incrementTerminationStat('incoming', 'initial_timeout');
|
||||
@ -1546,6 +1586,8 @@ export class PortProxy {
|
||||
socket.end();
|
||||
this.cleanupConnection(connectionRecord, 'initial_timeout');
|
||||
}
|
||||
}, 30000); // 30 second grace period
|
||||
}
|
||||
}, this.settings.initialDataTimeout!);
|
||||
|
||||
// Make sure timeout doesn't keep the process alive
|
||||
@ -1566,19 +1608,53 @@ export class PortProxy {
|
||||
initialDataReceived = true;
|
||||
connectionRecord.hasReceivedInitialData = true;
|
||||
|
||||
// Block non-TLS connections on port 443
|
||||
// Always enforce TLS on standard HTTPS port
|
||||
if (!SniHandler.isTlsHandshake(chunk) && localPort === 443) {
|
||||
console.log(
|
||||
`[${connectionId}] Non-TLS connection detected on port 443. ` +
|
||||
`Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
|
||||
);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
connectionRecord.incomingTerminationReason = 'non_tls_blocked';
|
||||
this.incrementTerminationStat('incoming', 'non_tls_blocked');
|
||||
}
|
||||
socket.end();
|
||||
this.cleanupConnection(connectionRecord, 'non_tls_blocked');
|
||||
return;
|
||||
}
|
||||
|
||||
// Check if this looks like a TLS handshake
|
||||
if (SniHandler.isTlsHandshake(chunk)) {
|
||||
connectionRecord.isTLS = true;
|
||||
|
||||
// Check for session tickets if allowSessionTicket is disabled
|
||||
// Check for TLS ClientHello with either no SNI or session tickets
|
||||
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
|
||||
// Analyze for session resumption attempt
|
||||
const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
||||
// Extract SNI first
|
||||
const extractedSNI = SniHandler.extractSNI(
|
||||
chunk,
|
||||
this.settings.enableTlsDebugLogging
|
||||
);
|
||||
const hasSNI = !!extractedSNI;
|
||||
|
||||
// Only block if there's a session ticket without SNI
|
||||
if (resumptionInfo.isResumption && !resumptionInfo.hasSNI) {
|
||||
// Analyze for session resumption attempt
|
||||
const resumptionInfo = SniHandler.hasSessionResumption(
|
||||
chunk,
|
||||
this.settings.enableTlsDebugLogging
|
||||
);
|
||||
|
||||
// Always log for debugging purposes
|
||||
console.log(
|
||||
`[${connectionId}] Session ticket detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
|
||||
`[${connectionId}] TLS ClientHello detected with allowSessionTicket=false. ` +
|
||||
`Has SNI: ${hasSNI ? 'Yes' : 'No'}, ` +
|
||||
`SNI value: ${extractedSNI || 'None'}, ` +
|
||||
`Has session resumption: ${resumptionInfo.isResumption ? 'Yes' : 'No'}`
|
||||
);
|
||||
|
||||
// Block if this is a connection with session resumption but no SNI
|
||||
if (resumptionInfo.isResumption && !hasSNI) {
|
||||
console.log(
|
||||
`[${connectionId}] Session resumption detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
@ -1588,13 +1664,22 @@ export class PortProxy {
|
||||
socket.end();
|
||||
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
|
||||
return;
|
||||
} else if (resumptionInfo.isResumption && resumptionInfo.hasSNI) {
|
||||
if (this.settings.enableTlsDebugLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Session ticket with SNI detected in initial ClientHello. ` +
|
||||
`Allowing connection since SNI is present.`
|
||||
);
|
||||
}
|
||||
|
||||
// Also block if this is a TLS connection without SNI when allowSessionTicket is false
|
||||
// This forces clients to send SNI which helps with routing
|
||||
if (!hasSNI && localPort === 443) {
|
||||
console.log(
|
||||
`[${connectionId}] TLS ClientHello detected on port 443 without SNI and allowSessionTicket=false. ` +
|
||||
`Terminating connection to force proper SNI in handshake.`
|
||||
);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
connectionRecord.incomingTerminationReason = 'no_sni_blocked';
|
||||
this.incrementTerminationStat('incoming', 'no_sni_blocked');
|
||||
}
|
||||
socket.end();
|
||||
this.cleanupConnection(connectionRecord, 'no_sni_blocked');
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
@ -1603,7 +1688,7 @@ export class PortProxy {
|
||||
sourceIp: remoteIP,
|
||||
sourcePort: socket.remotePort || 0,
|
||||
destIp: socket.localAddress || '',
|
||||
destPort: socket.localPort || 0
|
||||
destPort: socket.localPort || 0,
|
||||
};
|
||||
|
||||
// Extract SNI to check for domain-specific NetworkProxy settings
|
||||
@ -1625,7 +1710,8 @@ export class PortProxy {
|
||||
|
||||
// Use domain-specific NetworkProxy port if configured
|
||||
if (domainConfig?.useNetworkProxy) {
|
||||
const networkProxyPort = domainConfig.networkProxyPort || this.settings.networkProxyPort;
|
||||
const networkProxyPort =
|
||||
domainConfig.networkProxyPort || this.settings.networkProxyPort;
|
||||
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(
|
||||
@ -1634,7 +1720,13 @@ export class PortProxy {
|
||||
}
|
||||
|
||||
// Forward to NetworkProxy with domain-specific port
|
||||
this.forwardToNetworkProxy(connectionId, socket, connectionRecord, chunk, networkProxyPort);
|
||||
this.forwardToNetworkProxy(
|
||||
connectionId,
|
||||
socket,
|
||||
connectionRecord,
|
||||
chunk,
|
||||
networkProxyPort
|
||||
);
|
||||
return;
|
||||
}
|
||||
}
|
||||
@ -1644,10 +1736,16 @@ export class PortProxy {
|
||||
} else {
|
||||
// If not TLS, use normal direct connection
|
||||
console.log(`[${connectionId}] Non-TLS connection on NetworkProxy port ${localPort}`);
|
||||
this.setupDirectConnection(connectionId, socket, connectionRecord, undefined, undefined, chunk);
|
||||
this.setupDirectConnection(
|
||||
connectionId,
|
||||
socket,
|
||||
connectionRecord,
|
||||
undefined,
|
||||
undefined,
|
||||
chunk
|
||||
);
|
||||
}
|
||||
});
|
||||
|
||||
} else {
|
||||
// For non-NetworkProxy ports, proceed with normal processing
|
||||
|
||||
@ -1669,9 +1767,12 @@ export class PortProxy {
|
||||
if (this.settings.sniEnabled) {
|
||||
initialTimeout = setTimeout(() => {
|
||||
if (!initialDataReceived) {
|
||||
console.log(
|
||||
`[${connectionId}] Initial data timeout (${this.settings.initialDataTimeout}ms) for connection from ${remoteIP} on port ${localPort}`
|
||||
);
|
||||
console.log(`[${connectionId}] Initial data warning (${this.settings.initialDataTimeout}ms) for connection from ${remoteIP}`);
|
||||
|
||||
// Add a grace period instead of immediate termination
|
||||
setTimeout(() => {
|
||||
if (!initialDataReceived) {
|
||||
console.log(`[${connectionId}] Final initial data timeout after grace period`);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
connectionRecord.incomingTerminationReason = 'initial_timeout';
|
||||
this.incrementTerminationStat('incoming', 'initial_timeout');
|
||||
@ -1679,6 +1780,8 @@ export class PortProxy {
|
||||
socket.end();
|
||||
this.cleanupConnection(connectionRecord, 'initial_timeout');
|
||||
}
|
||||
}, 30000); // 30 second grace period
|
||||
}
|
||||
}, this.settings.initialDataTimeout!);
|
||||
|
||||
// Make sure timeout doesn't keep the process alive
|
||||
@ -1711,7 +1814,7 @@ export class PortProxy {
|
||||
sourceIp: remoteIP,
|
||||
sourcePort: socket.remotePort || 0,
|
||||
destIp: socket.localAddress || '',
|
||||
destPort: socket.localPort || 0
|
||||
destPort: socket.localPort || 0,
|
||||
};
|
||||
|
||||
SniHandler.extractSNIWithResumptionSupport(chunk, debugConnInfo, true);
|
||||
@ -1774,7 +1877,8 @@ export class PortProxy {
|
||||
);
|
||||
}
|
||||
|
||||
const networkProxyPort = domainConfig.networkProxyPort || this.settings.networkProxyPort;
|
||||
const networkProxyPort =
|
||||
domainConfig.networkProxyPort || this.settings.networkProxyPort;
|
||||
|
||||
if (initialChunk && connectionRecord.isTLS) {
|
||||
// For TLS connections with initial chunk, forward to NetworkProxy
|
||||
@ -1812,7 +1916,10 @@ export class PortProxy {
|
||||
)}`
|
||||
);
|
||||
}
|
||||
} else if (this.settings.defaultAllowedIPs && this.settings.defaultAllowedIPs.length > 0) {
|
||||
} else if (
|
||||
this.settings.defaultAllowedIPs &&
|
||||
this.settings.defaultAllowedIPs.length > 0
|
||||
) {
|
||||
if (
|
||||
!isGlobIPAllowed(
|
||||
remoteIP,
|
||||
@ -1925,6 +2032,7 @@ export class PortProxy {
|
||||
initialDataReceived = false;
|
||||
|
||||
socket.once('data', (chunk: Buffer) => {
|
||||
// Clear timeout immediately
|
||||
if (initialTimeout) {
|
||||
clearTimeout(initialTimeout);
|
||||
initialTimeout = null;
|
||||
@ -1932,6 +2040,39 @@ export class PortProxy {
|
||||
|
||||
initialDataReceived = true;
|
||||
|
||||
// Add debugging ONLY if detailed logging is enabled - avoid heavy processing
|
||||
if (this.settings.enableTlsDebugLogging && SniHandler.isClientHello(chunk)) {
|
||||
// Move heavy debug logging to a separate async task to not block the flow
|
||||
setImmediate(() => {
|
||||
try {
|
||||
const resumptionInfo = SniHandler.hasSessionResumption(chunk, true);
|
||||
const standardSNI = SniHandler.extractSNI(chunk, true);
|
||||
const pskSNI = SniHandler.extractSNIFromPSKExtension(chunk, true);
|
||||
|
||||
console.log(`[${connectionId}] ClientHello details: isResumption=${resumptionInfo.isResumption}, hasSNI=${resumptionInfo.hasSNI}`);
|
||||
console.log(`[${connectionId}] SNI extraction results: standardSNI=${standardSNI || 'none'}, pskSNI=${pskSNI || 'none'}`);
|
||||
} catch (err) {
|
||||
console.log(`[${connectionId}] Error in debug logging: ${err}`);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
// Block non-TLS connections on port 443
|
||||
// Always enforce TLS on standard HTTPS port
|
||||
if (!SniHandler.isTlsHandshake(chunk) && localPort === 443) {
|
||||
console.log(
|
||||
`[${connectionId}] Non-TLS connection detected on port 443 in SNI handler. ` +
|
||||
`Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
|
||||
);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
connectionRecord.incomingTerminationReason = 'non_tls_blocked';
|
||||
this.incrementTerminationStat('incoming', 'non_tls_blocked');
|
||||
}
|
||||
socket.end();
|
||||
this.cleanupConnection(connectionRecord, 'non_tls_blocked');
|
||||
return;
|
||||
}
|
||||
|
||||
// Try to extract SNI
|
||||
let serverName = '';
|
||||
|
||||
@ -1947,12 +2088,29 @@ export class PortProxy {
|
||||
// Check for session tickets if allowSessionTicket is disabled
|
||||
if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
|
||||
// Analyze for session resumption attempt
|
||||
const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
|
||||
const resumptionInfo = SniHandler.hasSessionResumption(
|
||||
chunk,
|
||||
this.settings.enableTlsDebugLogging
|
||||
);
|
||||
|
||||
// Only block if there's a session ticket without SNI
|
||||
if (resumptionInfo.isResumption && !resumptionInfo.hasSNI) {
|
||||
if (resumptionInfo.isResumption) {
|
||||
// Always log resumption attempt for easier debugging
|
||||
// Try to extract SNI for logging
|
||||
const extractedSNI = SniHandler.extractSNI(
|
||||
chunk,
|
||||
this.settings.enableTlsDebugLogging
|
||||
);
|
||||
console.log(
|
||||
`[${connectionId}] Session ticket detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
|
||||
`[${connectionId}] Session resumption detected in SNI handler. ` +
|
||||
`Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, ` +
|
||||
`SNI value: ${extractedSNI || 'None'}, ` +
|
||||
`allowSessionTicket: ${this.settings.allowSessionTicket}`
|
||||
);
|
||||
|
||||
// Block if there's session resumption without SNI
|
||||
if (!resumptionInfo.hasSNI) {
|
||||
console.log(
|
||||
`[${connectionId}] Session resumption detected in SNI handler without SNI and allowSessionTicket=false. ` +
|
||||
`Terminating connection to force new TLS handshake.`
|
||||
);
|
||||
if (connectionRecord.incomingTerminationReason === null) {
|
||||
@ -1962,26 +2120,28 @@ export class PortProxy {
|
||||
socket.end();
|
||||
this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
|
||||
return;
|
||||
} else if (resumptionInfo.isResumption && resumptionInfo.hasSNI) {
|
||||
if (this.settings.enableTlsDebugLogging) {
|
||||
} else {
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Session ticket with SNI detected in initial ClientHello. ` +
|
||||
`[${connectionId}] Session resumption with SNI detected in SNI handler. ` +
|
||||
`Allowing connection since SNI is present.`
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Create connection info object for SNI extraction
|
||||
const connInfo = {
|
||||
sourceIp: remoteIP,
|
||||
sourcePort: socket.remotePort || 0,
|
||||
destIp: socket.localAddress || '',
|
||||
destPort: socket.localPort || 0
|
||||
destPort: socket.localPort || 0,
|
||||
};
|
||||
|
||||
// Use the new processTlsPacket method for comprehensive handling
|
||||
serverName = SniHandler.processTlsPacket(
|
||||
serverName =
|
||||
SniHandler.processTlsPacket(
|
||||
chunk,
|
||||
connInfo,
|
||||
this.settings.enableTlsDebugLogging,
|
||||
|
||||
@ -15,19 +15,22 @@ export class SniHandler {
|
||||
private static readonly TLS_SESSION_TICKET_EXTENSION_TYPE = 0x0023;
|
||||
private static readonly TLS_SNI_HOST_NAME_TYPE = 0;
|
||||
private static readonly TLS_PSK_EXTENSION_TYPE = 0x0029; // Pre-Shared Key extension type for TLS 1.3
|
||||
private static readonly TLS_PSK_KE_MODES_EXTENSION_TYPE = 0x002D; // PSK Key Exchange Modes
|
||||
private static readonly TLS_EARLY_DATA_EXTENSION_TYPE = 0x002A; // Early Data (0-RTT) extension
|
||||
private static readonly TLS_PSK_KE_MODES_EXTENSION_TYPE = 0x002d; // PSK Key Exchange Modes
|
||||
private static readonly TLS_EARLY_DATA_EXTENSION_TYPE = 0x002a; // Early Data (0-RTT) extension
|
||||
|
||||
// Buffer for handling fragmented ClientHello messages
|
||||
private static fragmentedBuffers: Map<string, Buffer> = new Map();
|
||||
private static fragmentTimeout: number = 1000; // ms to wait for fragments before cleanup
|
||||
|
||||
// Session tracking for tab reactivation scenarios
|
||||
private static sessionCache: Map<string, {
|
||||
private static sessionCache: Map<
|
||||
string,
|
||||
{
|
||||
sni: string;
|
||||
timestamp: number;
|
||||
clientRandom?: Buffer;
|
||||
}> = new Map();
|
||||
}
|
||||
> = new Map();
|
||||
|
||||
// Longer timeout for session cache (24 hours by default)
|
||||
private static sessionCacheTimeout: number = 24 * 60 * 60 * 1000; // 24 hours in milliseconds
|
||||
@ -60,7 +63,7 @@ export class SniHandler {
|
||||
}
|
||||
});
|
||||
|
||||
expiredKeys.forEach(key => {
|
||||
expiredKeys.forEach((key) => {
|
||||
this.sessionCache.delete(key);
|
||||
});
|
||||
}
|
||||
@ -94,7 +97,7 @@ export class SniHandler {
|
||||
this.sessionCache.set(key, {
|
||||
sni,
|
||||
timestamp: Date.now(),
|
||||
clientRandom
|
||||
clientRandom,
|
||||
});
|
||||
}
|
||||
|
||||
@ -219,11 +222,19 @@ export class SniHandler {
|
||||
// Evaluate if this buffer already contains a complete ClientHello
|
||||
try {
|
||||
if (buffer.length >= 5) {
|
||||
const recordLength = (buffer[3] << 8) + buffer[4];
|
||||
if (buffer.length >= recordLength + 5) {
|
||||
// Get the record length from TLS header
|
||||
const recordLength = (buffer[3] << 8) + buffer[4] + 5; // +5 for the TLS record header itself
|
||||
log(`Initial buffer size: ${buffer.length}, expected record length: ${recordLength}`);
|
||||
|
||||
// Check if this buffer already contains a complete TLS record
|
||||
if (buffer.length >= recordLength) {
|
||||
log(`Initial buffer contains complete ClientHello, length: ${buffer.length}`);
|
||||
return buffer;
|
||||
}
|
||||
} else {
|
||||
log(
|
||||
`Initial buffer too small (${buffer.length} bytes), needs at least 5 bytes for TLS header`
|
||||
);
|
||||
}
|
||||
} catch (e) {
|
||||
log(`Error checking initial buffer completeness: ${e}`);
|
||||
@ -242,14 +253,59 @@ export class SniHandler {
|
||||
// Check if we now have a complete ClientHello
|
||||
try {
|
||||
if (newBuffer.length >= 5) {
|
||||
const recordLength = (newBuffer[3] << 8) + newBuffer[4];
|
||||
if (newBuffer.length >= recordLength + 5) {
|
||||
log(`Assembled complete ClientHello, length: ${newBuffer.length}`);
|
||||
// Get the record length from TLS header
|
||||
const recordLength = (newBuffer[3] << 8) + newBuffer[4] + 5; // +5 for the TLS record header itself
|
||||
log(
|
||||
`Reassembled buffer size: ${newBuffer.length}, expected record length: ${recordLength}`
|
||||
);
|
||||
|
||||
// Check if we have a complete TLS record now
|
||||
if (newBuffer.length >= recordLength) {
|
||||
log(
|
||||
`Assembled complete ClientHello, length: ${newBuffer.length}, needed: ${recordLength}`
|
||||
);
|
||||
|
||||
// Extract the complete TLS record (might be followed by more data)
|
||||
const completeRecord = newBuffer.slice(0, recordLength);
|
||||
|
||||
// Check if this record is indeed a ClientHello (type 1) at position 5
|
||||
if (
|
||||
completeRecord.length > 5 &&
|
||||
completeRecord[5] === this.TLS_CLIENT_HELLO_HANDSHAKE_TYPE
|
||||
) {
|
||||
log(`Verified record is a ClientHello handshake message`);
|
||||
|
||||
// Complete message received, remove from tracking
|
||||
this.fragmentedBuffers.delete(connectionId);
|
||||
return completeRecord;
|
||||
} else {
|
||||
log(`Record is complete but not a ClientHello handshake, continuing to buffer`);
|
||||
// This might be another TLS record type preceding the ClientHello
|
||||
|
||||
// Try checking for a ClientHello starting at the end of this record
|
||||
if (newBuffer.length > recordLength + 5) {
|
||||
const nextRecordType = newBuffer[recordLength];
|
||||
log(
|
||||
`Next record type: ${nextRecordType} (looking for ${this.TLS_HANDSHAKE_RECORD_TYPE})`
|
||||
);
|
||||
|
||||
if (nextRecordType === this.TLS_HANDSHAKE_RECORD_TYPE) {
|
||||
const handshakeType = newBuffer[recordLength + 5];
|
||||
log(
|
||||
`Next handshake type: ${handshakeType} (looking for ${this.TLS_CLIENT_HELLO_HANDSHAKE_TYPE})`
|
||||
);
|
||||
|
||||
if (handshakeType === this.TLS_CLIENT_HELLO_HANDSHAKE_TYPE) {
|
||||
// Found a ClientHello in the next record, return the entire buffer
|
||||
log(`Found ClientHello in subsequent record, returning full buffer`);
|
||||
this.fragmentedBuffers.delete(connectionId);
|
||||
return newBuffer;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
} catch (e) {
|
||||
log(`Error checking reassembled buffer completeness: ${e}`);
|
||||
}
|
||||
@ -285,12 +341,12 @@ export class SniHandler {
|
||||
*
|
||||
* @param buffer - The buffer containing a ClientHello message
|
||||
* @param enableLogging - Whether to enable logging
|
||||
* @returns true if the ClientHello contains session resumption mechanisms
|
||||
* @returns Object containing details about session resumption and SNI presence
|
||||
*/
|
||||
public static hasSessionResumption(
|
||||
buffer: Buffer,
|
||||
enableLogging: boolean = false
|
||||
): boolean {
|
||||
): { isResumption: boolean; hasSNI: boolean } {
|
||||
const log = (message: string) => {
|
||||
if (enableLogging) {
|
||||
console.log(`[Session Resumption] ${message}`);
|
||||
@ -298,7 +354,7 @@ export class SniHandler {
|
||||
};
|
||||
|
||||
if (!this.isClientHello(buffer)) {
|
||||
return false;
|
||||
return { isResumption: false, hasSNI: false };
|
||||
}
|
||||
|
||||
try {
|
||||
@ -306,7 +362,7 @@ export class SniHandler {
|
||||
let pos = 5 + 1 + 3 + 2; // Position after handshake type, length and client version
|
||||
pos += 32; // Skip client random
|
||||
|
||||
if (pos + 1 > buffer.length) return false;
|
||||
if (pos + 1 > buffer.length) return { isResumption: false, hasSNI: false };
|
||||
|
||||
const sessionIdLength = buffer[pos];
|
||||
let hasNonEmptySessionId = sessionIdLength > 0;
|
||||
@ -319,17 +375,17 @@ export class SniHandler {
|
||||
pos += 1 + sessionIdLength;
|
||||
|
||||
// Skip cipher suites
|
||||
if (pos + 2 > buffer.length) return false;
|
||||
if (pos + 2 > buffer.length) return { isResumption: false, hasSNI: false };
|
||||
const cipherSuitesLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2 + cipherSuitesLength;
|
||||
|
||||
// Skip compression methods
|
||||
if (pos + 1 > buffer.length) return false;
|
||||
if (pos + 1 > buffer.length) return { isResumption: false, hasSNI: false };
|
||||
const compressionMethodsLength = buffer[pos];
|
||||
pos += 1 + compressionMethodsLength;
|
||||
|
||||
// Check for extensions
|
||||
if (pos + 2 > buffer.length) return false;
|
||||
if (pos + 2 > buffer.length) return { isResumption: false, hasSNI: false };
|
||||
|
||||
// Look for session resumption extensions
|
||||
const extensionsLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
@ -337,7 +393,7 @@ export class SniHandler {
|
||||
|
||||
// Extensions end position
|
||||
const extensionsEnd = pos + extensionsLength;
|
||||
if (extensionsEnd > buffer.length) return false;
|
||||
if (extensionsEnd > buffer.length) return { isResumption: false, hasSNI: false };
|
||||
|
||||
// Track resumption indicators
|
||||
let hasSessionTicket = false;
|
||||
@ -410,8 +466,44 @@ export class SniHandler {
|
||||
pos += 2;
|
||||
|
||||
if (extensionType === this.TLS_SNI_EXTENSION_TYPE) {
|
||||
// Check that the SNI extension actually has content
|
||||
if (extensionLength > 0) {
|
||||
hasSNI = true;
|
||||
log('Found SNI extension');
|
||||
|
||||
// Try to extract the actual SNI value for logging
|
||||
try {
|
||||
// Skip to server_name_list_length (2 bytes)
|
||||
const tempPos = pos;
|
||||
if (tempPos + 2 <= extensionsEnd) {
|
||||
const nameListLength = (buffer[tempPos] << 8) + buffer[tempPos + 1];
|
||||
|
||||
// Skip server_name_list_length (2 bytes)
|
||||
if (tempPos + 2 + 1 <= extensionsEnd) {
|
||||
// Check name_type (should be 0 for hostname)
|
||||
if (buffer[tempPos + 2] === 0) {
|
||||
// Skip name_type (1 byte)
|
||||
if (tempPos + 3 + 2 <= extensionsEnd) {
|
||||
// Get name_length (2 bytes)
|
||||
const nameLength = (buffer[tempPos + 3] << 8) + buffer[tempPos + 4];
|
||||
|
||||
// Extract the hostname
|
||||
if (tempPos + 5 + nameLength <= extensionsEnd) {
|
||||
const hostname = buffer
|
||||
.slice(tempPos + 5, tempPos + 5 + nameLength)
|
||||
.toString('utf8');
|
||||
log(`Found SNI extension with server_name: ${hostname}`);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
} catch (e) {
|
||||
log(`Error extracting SNI value: ${e}`);
|
||||
log('Found SNI extension with length: ' + extensionLength);
|
||||
}
|
||||
} else {
|
||||
log('Found empty SNI extension, treating as no SNI');
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
@ -425,22 +517,35 @@ export class SniHandler {
|
||||
}
|
||||
|
||||
// Consider it a resumption if any resumption mechanism is present
|
||||
const isResumption = hasSessionTicket || hasPSK || hasEarlyData ||
|
||||
(hasNonEmptySessionId && !hasPSK); // Legacy resumption
|
||||
const isResumption =
|
||||
hasSessionTicket || hasPSK || hasEarlyData || (hasNonEmptySessionId && !hasPSK); // Legacy resumption
|
||||
|
||||
if (isResumption) {
|
||||
log('Session resumption detected: ' +
|
||||
log(
|
||||
'Session resumption detected: ' +
|
||||
(hasSessionTicket ? 'session ticket, ' : '') +
|
||||
(hasPSK ? 'PSK, ' : '') +
|
||||
(hasEarlyData ? 'early data, ' : '') +
|
||||
(hasNonEmptySessionId ? 'session ID' : '') +
|
||||
(hasSNI ? ', with SNI' : ', without SNI'));
|
||||
(hasSNI ? ', with SNI' : ', without SNI')
|
||||
);
|
||||
}
|
||||
|
||||
// Return an object with both flags
|
||||
// For clarity: connections should be blocked if they have session resumption without SNI
|
||||
if (isResumption) {
|
||||
log(
|
||||
`Resumption summary - hasSNI: ${hasSNI ? 'yes' : 'no'}, resumption type: ${
|
||||
hasSessionTicket ? 'session ticket, ' : ''
|
||||
}${hasPSK ? 'PSK, ' : ''}${hasEarlyData ? 'early data, ' : ''}${
|
||||
hasNonEmptySessionId ? 'session ID' : ''
|
||||
}`
|
||||
);
|
||||
}
|
||||
|
||||
return {
|
||||
isResumption,
|
||||
hasSNI
|
||||
hasSNI,
|
||||
};
|
||||
} catch (error) {
|
||||
log(`Error checking for session resumption: ${error}`);
|
||||
@ -931,7 +1036,8 @@ export class SniHandler {
|
||||
// Try to extract using common patterns
|
||||
|
||||
// Pattern 1: Look for domain name pattern
|
||||
const domainPattern = /([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?/i;
|
||||
const domainPattern =
|
||||
/([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?/i;
|
||||
const domainMatch = identityStr.match(domainPattern);
|
||||
if (domainMatch && domainMatch[0]) {
|
||||
log(`Found domain in PSK identity: ${domainMatch[0]}`);
|
||||
@ -977,10 +1083,7 @@ export class SniHandler {
|
||||
* @param enableLogging - Whether to enable logging
|
||||
* @returns true if early data is detected
|
||||
*/
|
||||
public static hasEarlyData(
|
||||
buffer: Buffer,
|
||||
enableLogging: boolean = false
|
||||
): boolean {
|
||||
public static hasEarlyData(buffer: Buffer, enableLogging: boolean = false): boolean {
|
||||
const log = (message: string) => {
|
||||
if (enableLogging) {
|
||||
console.log(`[Early Data] ${message}`);
|
||||
@ -1092,6 +1195,23 @@ export class SniHandler {
|
||||
}
|
||||
};
|
||||
|
||||
// Log buffer details for debugging
|
||||
if (enableLogging) {
|
||||
log(`Buffer size: ${buffer.length} bytes`);
|
||||
log(`Buffer starts with: ${buffer.slice(0, Math.min(10, buffer.length)).toString('hex')}`);
|
||||
|
||||
if (buffer.length >= 5) {
|
||||
const recordType = buffer[0];
|
||||
const majorVersion = buffer[1];
|
||||
const minorVersion = buffer[2];
|
||||
const recordLength = (buffer[3] << 8) + buffer[4];
|
||||
|
||||
log(
|
||||
`TLS Record: type=${recordType}, version=${majorVersion}.${minorVersion}, length=${recordLength}`
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
// Check if we need to handle fragmented packets
|
||||
let processBuffer = buffer;
|
||||
if (connectionInfo) {
|
||||
@ -1126,65 +1246,64 @@ export class SniHandler {
|
||||
return standardSni;
|
||||
}
|
||||
|
||||
// Check for tab reactivation pattern
|
||||
const isTabReactivation = this.isTabReactivationHandshake(processBuffer, enableLogging);
|
||||
if (isTabReactivation && connectionInfo?.sourceIp) {
|
||||
// Try to get the SNI from our session cache for tab reactivation
|
||||
const cachedSni = this.getCachedSession(connectionInfo.sourceIp);
|
||||
if (cachedSni) {
|
||||
log(`Retrieved cached SNI for tab reactivation: ${cachedSni}`);
|
||||
return cachedSni;
|
||||
}
|
||||
log('Tab reactivation detected but no cached SNI found');
|
||||
}
|
||||
|
||||
// Check for TLS 1.3 early data (0-RTT)
|
||||
const hasEarly = this.hasEarlyData(processBuffer, enableLogging);
|
||||
if (hasEarly) {
|
||||
log('TLS 1.3 Early Data detected, trying session cache');
|
||||
// For 0-RTT, check the session cache
|
||||
if (connectionInfo?.sourceIp) {
|
||||
const cachedSni = this.getCachedSession(connectionInfo.sourceIp);
|
||||
if (cachedSni) {
|
||||
log(`Retrieved cached SNI for 0-RTT: ${cachedSni}`);
|
||||
return cachedSni;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// If standard extraction failed and we have a valid ClientHello,
|
||||
// this might be a session resumption with non-standard format
|
||||
// Check for session resumption when standard SNI extraction fails
|
||||
// This may help in chained proxy scenarios
|
||||
if (this.isClientHello(processBuffer)) {
|
||||
log('Detected ClientHello without standard SNI, possible session resumption');
|
||||
const resumptionInfo = this.hasSessionResumption(processBuffer, enableLogging);
|
||||
|
||||
// Try to extract from PSK extension (TLS 1.3 resumption)
|
||||
if (resumptionInfo.isResumption) {
|
||||
log(`Detected session resumption in ClientHello without standard SNI`);
|
||||
|
||||
// Try to extract SNI from PSK extension
|
||||
const pskSni = this.extractSNIFromPSKExtension(processBuffer, enableLogging);
|
||||
if (pskSni) {
|
||||
log(`Extracted SNI from PSK extension: ${pskSni}`);
|
||||
|
||||
// Cache this SNI for future reference
|
||||
// Cache this SNI
|
||||
if (connectionInfo?.sourceIp) {
|
||||
const clientRandom = this.extractClientRandom(processBuffer);
|
||||
this.cacheSession(connectionInfo.sourceIp, pskSni, clientRandom);
|
||||
log(`Cached PSK-derived SNI: ${pskSni}`);
|
||||
}
|
||||
|
||||
return pskSni;
|
||||
}
|
||||
|
||||
// If we have a session ticket but no SNI or PSK identity,
|
||||
// check our session cache as a last resort
|
||||
// If session resumption has SNI in a non-standard location,
|
||||
// we need to apply heuristics
|
||||
if (connectionInfo?.sourceIp) {
|
||||
const cachedSni = this.getCachedSession(connectionInfo.sourceIp);
|
||||
if (cachedSni) {
|
||||
log(`Using cached SNI as last resort: ${cachedSni}`);
|
||||
log(`Using cached SNI for session resumption: ${cachedSni}`);
|
||||
return cachedSni;
|
||||
}
|
||||
}
|
||||
|
||||
log('Failed to extract SNI from resumption mechanisms');
|
||||
}
|
||||
}
|
||||
|
||||
// Try tab reactivation and other recovery methods...
|
||||
// (existing code remains unchanged)
|
||||
|
||||
// Log detailed info about the ClientHello when SNI extraction fails
|
||||
if (this.isClientHello(processBuffer) && enableLogging) {
|
||||
log(`SNI extraction failed for ClientHello. Buffer details:`);
|
||||
|
||||
if (processBuffer.length >= 43) {
|
||||
// ClientHello with at least client random
|
||||
const clientRandom = processBuffer.slice(11, 11 + 32).toString('hex');
|
||||
log(`Client Random: ${clientRandom}`);
|
||||
|
||||
// Log session ID length and presence
|
||||
const sessionIdLength = processBuffer[43];
|
||||
log(`Session ID length: ${sessionIdLength}`);
|
||||
|
||||
if (sessionIdLength > 0 && processBuffer.length >= 44 + sessionIdLength) {
|
||||
const sessionId = processBuffer.slice(44, 44 + sessionIdLength).toString('hex');
|
||||
log(`Session ID: ${sessionId}`);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Existing code for fallback methods continues...
|
||||
return undefined;
|
||||
}
|
||||
|
||||
@ -1202,6 +1321,7 @@ export class SniHandler {
|
||||
* @param cachedSni - Optional cached SNI from previous connections (for racing detection)
|
||||
* @returns The extracted server name or undefined if not found or more data needed
|
||||
*/
|
||||
|
||||
public static processTlsPacket(
|
||||
buffer: Buffer,
|
||||
connectionInfo: {
|
||||
@ -1254,12 +1374,76 @@ export class SniHandler {
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// Enhanced session resumption detection
|
||||
if (this.isClientHello(buffer)) {
|
||||
const resumptionInfo = this.hasSessionResumption(buffer, enableLogging);
|
||||
|
||||
if (resumptionInfo.isResumption) {
|
||||
log(`Session resumption detected in TLS packet`);
|
||||
|
||||
// Always try standard SNI extraction first
|
||||
const standardSni = this.extractSNI(buffer, enableLogging);
|
||||
if (standardSni) {
|
||||
log(`Found standard SNI in session resumption: ${standardSni}`);
|
||||
|
||||
// Cache this SNI
|
||||
this.cacheSession(connectionInfo.sourceIp, standardSni);
|
||||
return standardSni;
|
||||
}
|
||||
|
||||
// Enhanced session resumption SNI extraction
|
||||
// Try extracting from PSK identity
|
||||
const pskSni = this.extractSNIFromPSKExtension(buffer, enableLogging);
|
||||
if (pskSni) {
|
||||
log(`Extracted SNI from PSK extension: ${pskSni}`);
|
||||
this.cacheSession(connectionInfo.sourceIp, pskSni);
|
||||
return pskSni;
|
||||
}
|
||||
|
||||
// Additional check for SNI in session tickets
|
||||
if (enableLogging) {
|
||||
log(`Checking for session ticket information to extract server name...`);
|
||||
// Log more details for debugging
|
||||
try {
|
||||
// Look at the raw buffer for patterns
|
||||
log(`Buffer hexdump (first 100 bytes): ${buffer.slice(0, 100).toString('hex')}`);
|
||||
|
||||
// Try to find hostname-like patterns in the buffer
|
||||
const bufferStr = buffer.toString('utf8', 0, buffer.length);
|
||||
const hostnamePattern =
|
||||
/([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?/gi;
|
||||
const hostMatches = bufferStr.match(hostnamePattern);
|
||||
|
||||
if (hostMatches && hostMatches.length > 0) {
|
||||
log(`Possible hostnames found in buffer: ${hostMatches.join(', ')}`);
|
||||
|
||||
// Check if any match looks like a valid domain
|
||||
for (const match of hostMatches) {
|
||||
if (match.includes('.') && match.length > 3) {
|
||||
log(`Potential SNI found in session data: ${match}`);
|
||||
// Don't automatically use this - just log for debugging
|
||||
}
|
||||
}
|
||||
}
|
||||
} catch (e) {
|
||||
log(`Error scanning for patterns: ${e}`);
|
||||
}
|
||||
}
|
||||
|
||||
// If we still don't have SNI, check for cached sessions
|
||||
const cachedSni = this.getCachedSession(connectionInfo.sourceIp);
|
||||
if (cachedSni) {
|
||||
log(`Using cached SNI for session resumption: ${cachedSni}`);
|
||||
return cachedSni;
|
||||
}
|
||||
|
||||
log(`Session resumption without extractable SNI`);
|
||||
// If allowSessionTicket=false, should be rejected by caller
|
||||
}
|
||||
}
|
||||
|
||||
// For handshake messages, try the full extraction process
|
||||
const sni = this.extractSNIWithResumptionSupport(
|
||||
buffer,
|
||||
connectionInfo,
|
||||
enableLogging
|
||||
);
|
||||
const sni = this.extractSNIWithResumptionSupport(buffer, connectionInfo, enableLogging);
|
||||
|
||||
if (sni) {
|
||||
log(`Successfully extracted SNI: ${sni}`);
|
||||
|
||||
Reference in New Issue
Block a user