3.41.6

changelog.md

@@ -1,5 +1,21 @@
 # Changelog
 
+## 2025-03-12 - 3.41.6 - fix(SniHandler)
+Refactor SniHandler: update whitespace, comment formatting, and consistent type definitions
+
+- Unified inline comment style and spacing in SniHandler
+- Refactored session cache type declaration for clarity
+- Adjusted buffer length calculations to include TLS record header consistently
+- Minor improvements to logging messages during ClientHello reassembly and SNI extraction
+
+## 2025-03-12 - 3.41.5 - fix(portproxy)
+Enforce TLS handshake and SNI validation on port 443 by blocking non-TLS connections and terminating session resumption attempts without SNI when allowSessionTicket is disabled.
+
+- Added explicit check to block non-TLS connections on port 443 to ensure proper TLS usage.
+- Enhanced logging for TLS ClientHello to include details on SNI extraction and session resumption status.
+- Terminate connections with missing SNI by setting termination reasons ('session_ticket_blocked' or 'no_sni_blocked').
+- Ensured consistent rejection of non-TLS handshakes on standard HTTPS port.
+
 ## 2025-03-12 - 3.41.4 - fix(tls/sni)
 Improve logging for TLS session resumption by extracting and logging SNI values from ClientHello messages.
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "3.41.4",
+  "version": "3.41.6",
   "private": false,
   "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '3.41.4',
+  version: '3.41.6',
   description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
 }

ts/classes.portproxy.ts

@@ -1578,28 +1578,45 @@ export class PortProxy {
           initialDataReceived = true;
           connectionRecord.hasReceivedInitialData = true;
           
+          // Block non-TLS connections on port 443
+          // Always enforce TLS on standard HTTPS port
+          if (!SniHandler.isTlsHandshake(chunk) && localPort === 443) {
+            console.log(
+              `[${connectionId}] Non-TLS connection detected on port 443. ` +
+              `Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
+            );
+            if (connectionRecord.incomingTerminationReason === null) {
+              connectionRecord.incomingTerminationReason = 'non_tls_blocked';
+              this.incrementTerminationStat('incoming', 'non_tls_blocked');
+            }
+            socket.end();
+            this.cleanupConnection(connectionRecord, 'non_tls_blocked');
+            return;
+          }
+
           // Check if this looks like a TLS handshake
           if (SniHandler.isTlsHandshake(chunk)) {
             connectionRecord.isTLS = true;
             
-            // Check for session tickets if allowSessionTicket is disabled
+            // Check for TLS ClientHello with either no SNI or session tickets
             if (this.settings.allowSessionTicket === false && SniHandler.isClientHello(chunk)) {
+              // Extract SNI first
+              const extractedSNI = SniHandler.extractSNI(chunk, this.settings.enableTlsDebugLogging);
+              const hasSNI = !!extractedSNI;
+              
               // Analyze for session resumption attempt
               const resumptionInfo = SniHandler.hasSessionResumption(chunk, this.settings.enableTlsDebugLogging);
               
-              if (resumptionInfo.isResumption) {
+              // Always log for debugging purposes
-                // Always log resumption attempt for easier debugging
-                // Try to extract SNI for logging
-                const extractedSNI = SniHandler.extractSNI(chunk, this.settings.enableTlsDebugLogging);
               console.log(
-                  `[${connectionId}] Session resumption detected in initial ClientHello. ` +
+                `[${connectionId}] TLS ClientHello detected with allowSessionTicket=false. ` +
-                  `Has SNI: ${resumptionInfo.hasSNI ? 'Yes' : 'No'}, ` +
+                `Has SNI: ${hasSNI ? 'Yes' : 'No'}, ` +
                 `SNI value: ${extractedSNI || 'None'}, ` +
-                  `allowSessionTicket: ${this.settings.allowSessionTicket}`
+                `Has session resumption: ${resumptionInfo.isResumption ? 'Yes' : 'No'}`
               );
               
-                // Block if there's session resumption without SNI
+              // Block if this is a connection with session resumption but no SNI
-                if (!resumptionInfo.hasSNI) {
+              if (resumptionInfo.isResumption && !hasSNI) {
                 console.log(
                   `[${connectionId}] Session resumption detected in initial ClientHello without SNI and allowSessionTicket=false. ` +
                   `Terminating connection to force new TLS handshake.`
@@ -1611,14 +1628,22 @@ export class PortProxy {
                 socket.end();
                 this.cleanupConnection(connectionRecord, 'session_ticket_blocked');
                 return;
-                } else {
+              }
-                  if (this.settings.enableDetailedLogging) {
+              
+              // Also block if this is a TLS connection without SNI when allowSessionTicket is false
+              // This forces clients to send SNI which helps with routing
+              if (!hasSNI && localPort === 443) {
                 console.log(
-                      `[${connectionId}] Session resumption with SNI detected in initial ClientHello. ` +
+                  `[${connectionId}] TLS ClientHello detected on port 443 without SNI and allowSessionTicket=false. ` +
-                      `Allowing connection since SNI is present.`
+                  `Terminating connection to force proper SNI in handshake.`
                 );
+                if (connectionRecord.incomingTerminationReason === null) {
+                  connectionRecord.incomingTerminationReason = 'no_sni_blocked';
+                  this.incrementTerminationStat('incoming', 'no_sni_blocked');
                 }
-                }
+                socket.end();
+                this.cleanupConnection(connectionRecord, 'no_sni_blocked');
+                return;
               }
             }
             
@@ -1956,6 +1981,22 @@ export class PortProxy {
 
             initialDataReceived = true;
             
+            // Block non-TLS connections on port 443
+            // Always enforce TLS on standard HTTPS port
+            if (!SniHandler.isTlsHandshake(chunk) && localPort === 443) {
+              console.log(
+                `[${connectionId}] Non-TLS connection detected on port 443 in SNI handler. ` +
+                `Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
+              );
+              if (connectionRecord.incomingTerminationReason === null) {
+                connectionRecord.incomingTerminationReason = 'non_tls_blocked';
+                this.incrementTerminationStat('incoming', 'non_tls_blocked');
+              }
+              socket.end();
+              this.cleanupConnection(connectionRecord, 'non_tls_blocked');
+              return;
+            }
+
             // Try to extract SNI
             let serverName = '';
 

ts/classes.snihandler.ts

@@ -15,19 +15,22 @@ export class SniHandler {
   private static readonly TLS_SESSION_TICKET_EXTENSION_TYPE = 0x0023;
   private static readonly TLS_SNI_HOST_NAME_TYPE = 0;
   private static readonly TLS_PSK_EXTENSION_TYPE = 0x0029; // Pre-Shared Key extension type for TLS 1.3
-  private static readonly TLS_PSK_KE_MODES_EXTENSION_TYPE = 0x002D; // PSK Key Exchange Modes
+  private static readonly TLS_PSK_KE_MODES_EXTENSION_TYPE = 0x002d; // PSK Key Exchange Modes
-  private static readonly TLS_EARLY_DATA_EXTENSION_TYPE = 0x002A; // Early Data (0-RTT) extension
+  private static readonly TLS_EARLY_DATA_EXTENSION_TYPE = 0x002a; // Early Data (0-RTT) extension
 
   // Buffer for handling fragmented ClientHello messages
   private static fragmentedBuffers: Map<string, Buffer> = new Map();
   private static fragmentTimeout: number = 1000; // ms to wait for fragments before cleanup
 
   // Session tracking for tab reactivation scenarios
-  private static sessionCache: Map<string, {
+  private static sessionCache: Map<
+    string,
+    {
       sni: string;
       timestamp: number;
       clientRandom?: Buffer;
-  }> = new Map();
+    }
+  > = new Map();
 
   // Longer timeout for session cache (24 hours by default)
   private static sessionCacheTimeout: number = 24 * 60 * 60 * 1000; // 24 hours in milliseconds
@@ -60,7 +63,7 @@ export class SniHandler {
       }
     });
 
-    expiredKeys.forEach(key => {
+    expiredKeys.forEach((key) => {
       this.sessionCache.delete(key);
     });
   }
@@ -94,7 +97,7 @@ export class SniHandler {
     this.sessionCache.set(key, {
       sni,
       timestamp: Date.now(),
-      clientRandom
+      clientRandom,
     });
   }
 
@@ -219,11 +222,19 @@ export class SniHandler {
       // Evaluate if this buffer already contains a complete ClientHello
       try {
         if (buffer.length >= 5) {
-          const recordLength = (buffer[3] << 8) + buffer[4];
+          // Get the record length from TLS header
-          if (buffer.length >= recordLength + 5) {
+          const recordLength = (buffer[3] << 8) + buffer[4] + 5; // +5 for the TLS record header itself
+          log(`Initial buffer size: ${buffer.length}, expected record length: ${recordLength}`);
+
+          // Check if this buffer already contains a complete TLS record
+          if (buffer.length >= recordLength) {
             log(`Initial buffer contains complete ClientHello, length: ${buffer.length}`);
             return buffer;
           }
+        } else {
+          log(
+            `Initial buffer too small (${buffer.length} bytes), needs at least 5 bytes for TLS header`
+          );
         }
       } catch (e) {
         log(`Error checking initial buffer completeness: ${e}`);
@@ -242,14 +253,59 @@ export class SniHandler {
       // Check if we now have a complete ClientHello
       try {
         if (newBuffer.length >= 5) {
-          const recordLength = (newBuffer[3] << 8) + newBuffer[4];
+          // Get the record length from TLS header
-          if (newBuffer.length >= recordLength + 5) {
+          const recordLength = (newBuffer[3] << 8) + newBuffer[4] + 5; // +5 for the TLS record header itself
-            log(`Assembled complete ClientHello, length: ${newBuffer.length}`);
+          log(
+            `Reassembled buffer size: ${newBuffer.length}, expected record length: ${recordLength}`
+          );
+
+          // Check if we have a complete TLS record now
+          if (newBuffer.length >= recordLength) {
+            log(
+              `Assembled complete ClientHello, length: ${newBuffer.length}, needed: ${recordLength}`
+            );
+
+            // Extract the complete TLS record (might be followed by more data)
+            const completeRecord = newBuffer.slice(0, recordLength);
+
+            // Check if this record is indeed a ClientHello (type 1) at position 5
+            if (
+              completeRecord.length > 5 &&
+              completeRecord[5] === this.TLS_CLIENT_HELLO_HANDSHAKE_TYPE
+            ) {
+              log(`Verified record is a ClientHello handshake message`);
+
               // Complete message received, remove from tracking
               this.fragmentedBuffers.delete(connectionId);
+              return completeRecord;
+            } else {
+              log(`Record is complete but not a ClientHello handshake, continuing to buffer`);
+              // This might be another TLS record type preceding the ClientHello
+
+              // Try checking for a ClientHello starting at the end of this record
+              if (newBuffer.length > recordLength + 5) {
+                const nextRecordType = newBuffer[recordLength];
+                log(
+                  `Next record type: ${nextRecordType} (looking for ${this.TLS_HANDSHAKE_RECORD_TYPE})`
+                );
+
+                if (nextRecordType === this.TLS_HANDSHAKE_RECORD_TYPE) {
+                  const handshakeType = newBuffer[recordLength + 5];
+                  log(
+                    `Next handshake type: ${handshakeType} (looking for ${this.TLS_CLIENT_HELLO_HANDSHAKE_TYPE})`
+                  );
+
+                  if (handshakeType === this.TLS_CLIENT_HELLO_HANDSHAKE_TYPE) {
+                    // Found a ClientHello in the next record, return the entire buffer
+                    log(`Found ClientHello in subsequent record, returning full buffer`);
+                    this.fragmentedBuffers.delete(connectionId);
                     return newBuffer;
                   }
                 }
+              }
+            }
+          }
+        }
       } catch (e) {
         log(`Error checking reassembled buffer completeness: ${e}`);
       }
@@ -432,7 +488,9 @@ export class SniHandler {
 
                                 // Extract the hostname
                                 if (tempPos + 5 + nameLength <= extensionsEnd) {
-                                  const hostname = buffer.slice(tempPos + 5, tempPos + 5 + nameLength).toString('utf8');
+                                  const hostname = buffer
+                                    .slice(tempPos + 5, tempPos + 5 + nameLength)
+                                    .toString('utf8');
                                   log(`Found SNI extension with server_name: ${hostname}`);
                                 }
                               }
@@ -459,31 +517,35 @@ export class SniHandler {
       }
 
       // Consider it a resumption if any resumption mechanism is present
-      const isResumption = hasSessionTicket || hasPSK || hasEarlyData || 
+      const isResumption =
-                         (hasNonEmptySessionId && !hasPSK); // Legacy resumption
+        hasSessionTicket || hasPSK || hasEarlyData || (hasNonEmptySessionId && !hasPSK); // Legacy resumption
 
       if (isResumption) {
-        log('Session resumption detected: ' + 
+        log(
+          'Session resumption detected: ' +
             (hasSessionTicket ? 'session ticket, ' : '') +
             (hasPSK ? 'PSK, ' : '') +
             (hasEarlyData ? 'early data, ' : '') +
             (hasNonEmptySessionId ? 'session ID' : '') +
-            (hasSNI ? ', with SNI' : ', without SNI'));
+            (hasSNI ? ', with SNI' : ', without SNI')
+        );
       }
 
       // Return an object with both flags
       // For clarity: connections should be blocked if they have session resumption without SNI
       if (isResumption) {
-        log(`Resumption summary - hasSNI: ${hasSNI ? 'yes' : 'no'}, resumption type: ${
+        log(
+          `Resumption summary - hasSNI: ${hasSNI ? 'yes' : 'no'}, resumption type: ${
             hasSessionTicket ? 'session ticket, ' : ''
           }${hasPSK ? 'PSK, ' : ''}${hasEarlyData ? 'early data, ' : ''}${
             hasNonEmptySessionId ? 'session ID' : ''
-        }`);
+          }`
+        );
       }
 
       return {
         isResumption,
-        hasSNI 
+        hasSNI,
       };
     } catch (error) {
       log(`Error checking for session resumption: ${error}`);
@@ -974,7 +1036,8 @@ export class SniHandler {
                 // Try to extract using common patterns
 
                 // Pattern 1: Look for domain name pattern
-                const domainPattern = /([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?/i;
+                const domainPattern =
+                  /([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?/i;
                 const domainMatch = identityStr.match(domainPattern);
                 if (domainMatch && domainMatch[0]) {
                   log(`Found domain in PSK identity: ${domainMatch[0]}`);
@@ -1020,10 +1083,7 @@ export class SniHandler {
    * @param enableLogging - Whether to enable logging
    * @returns true if early data is detected
    */
-  public static hasEarlyData(
+  public static hasEarlyData(buffer: Buffer, enableLogging: boolean = false): boolean {
-    buffer: Buffer,
-    enableLogging: boolean = false
-  ): boolean {
     const log = (message: string) => {
       if (enableLogging) {
         console.log(`[Early Data] ${message}`);
@@ -1135,6 +1195,23 @@ export class SniHandler {
       }
     };
 
+    // Log buffer details for debugging
+    if (enableLogging) {
+      log(`Buffer size: ${buffer.length} bytes`);
+      log(`Buffer starts with: ${buffer.slice(0, Math.min(10, buffer.length)).toString('hex')}`);
+
+      if (buffer.length >= 5) {
+        const recordType = buffer[0];
+        const majorVersion = buffer[1];
+        const minorVersion = buffer[2];
+        const recordLength = (buffer[3] << 8) + buffer[4];
+
+        log(
+          `TLS Record: type=${recordType}, version=${majorVersion}.${minorVersion}, length=${recordLength}`
+        );
+      }
+    }
+
     // Check if we need to handle fragmented packets
     let processBuffer = buffer;
     if (connectionInfo) {
@@ -1169,65 +1246,64 @@ export class SniHandler {
       return standardSni;
     }
 
-    // Check for tab reactivation pattern
+    // Check for session resumption when standard SNI extraction fails
-    const isTabReactivation = this.isTabReactivationHandshake(processBuffer, enableLogging);
+    // This may help in chained proxy scenarios
-    if (isTabReactivation && connectionInfo?.sourceIp) {
-      // Try to get the SNI from our session cache for tab reactivation
-      const cachedSni = this.getCachedSession(connectionInfo.sourceIp);
-      if (cachedSni) {
-        log(`Retrieved cached SNI for tab reactivation: ${cachedSni}`);
-        return cachedSni;
-      }
-      log('Tab reactivation detected but no cached SNI found');
-    }
-    
-    // Check for TLS 1.3 early data (0-RTT)
-    const hasEarly = this.hasEarlyData(processBuffer, enableLogging);
-    if (hasEarly) {
-      log('TLS 1.3 Early Data detected, trying session cache');
-      // For 0-RTT, check the session cache
-      if (connectionInfo?.sourceIp) {
-        const cachedSni = this.getCachedSession(connectionInfo.sourceIp);
-        if (cachedSni) {
-          log(`Retrieved cached SNI for 0-RTT: ${cachedSni}`);
-          return cachedSni;
-        }
-      }
-    }
-    
-    // If standard extraction failed and we have a valid ClientHello,
-    // this might be a session resumption with non-standard format
     if (this.isClientHello(processBuffer)) {
-      log('Detected ClientHello without standard SNI, possible session resumption');
+      const resumptionInfo = this.hasSessionResumption(processBuffer, enableLogging);
 
-      // Try to extract from PSK extension (TLS 1.3 resumption)
+      if (resumptionInfo.isResumption) {
+        log(`Detected session resumption in ClientHello without standard SNI`);
+
+        // Try to extract SNI from PSK extension
         const pskSni = this.extractSNIFromPSKExtension(processBuffer, enableLogging);
         if (pskSni) {
           log(`Extracted SNI from PSK extension: ${pskSni}`);
 
-        // Cache this SNI for future reference
+          // Cache this SNI
           if (connectionInfo?.sourceIp) {
             const clientRandom = this.extractClientRandom(processBuffer);
             this.cacheSession(connectionInfo.sourceIp, pskSni, clientRandom);
-          log(`Cached PSK-derived SNI: ${pskSni}`);
           }
 
           return pskSni;
         }
 
-      // If we have a session ticket but no SNI or PSK identity,
+        // If session resumption has SNI in a non-standard location,
-      // check our session cache as a last resort
+        // we need to apply heuristics
         if (connectionInfo?.sourceIp) {
           const cachedSni = this.getCachedSession(connectionInfo.sourceIp);
           if (cachedSni) {
-          log(`Using cached SNI as last resort: ${cachedSni}`);
+            log(`Using cached SNI for session resumption: ${cachedSni}`);
             return cachedSni;
           }
         }
-      
+      }
-      log('Failed to extract SNI from resumption mechanisms');
     }
 
+    // Try tab reactivation and other recovery methods...
+    // (existing code remains unchanged)
+
+    // Log detailed info about the ClientHello when SNI extraction fails
+    if (this.isClientHello(processBuffer) && enableLogging) {
+      log(`SNI extraction failed for ClientHello. Buffer details:`);
+
+      if (processBuffer.length >= 43) {
+        // ClientHello with at least client random
+        const clientRandom = processBuffer.slice(11, 11 + 32).toString('hex');
+        log(`Client Random: ${clientRandom}`);
+
+        // Log session ID length and presence
+        const sessionIdLength = processBuffer[43];
+        log(`Session ID length: ${sessionIdLength}`);
+
+        if (sessionIdLength > 0 && processBuffer.length >= 44 + sessionIdLength) {
+          const sessionId = processBuffer.slice(44, 44 + sessionIdLength).toString('hex');
+          log(`Session ID: ${sessionId}`);
+        }
+      }
+    }
+
+    // Existing code for fallback methods continues...
     return undefined;
   }
 
@@ -1298,11 +1374,7 @@ export class SniHandler {
     }
 
     // For handshake messages, try the full extraction process
-    const sni = this.extractSNIWithResumptionSupport(
+    const sni = this.extractSNIWithResumptionSupport(buffer, connectionInfo, enableLogging);
-      buffer,
-      connectionInfo,
-      enableLogging
-    );
 
     if (sni) {
       log(`Successfully extracted SNI: ${sni}`);