4.1.5

fix(TLS/ConnectionHandler): Improve handling of TLS session resumption without SNI by sending an unrecognized_name alert instead of immediately terminating the connection. This change adds a grace period for the client to retry the handshake with proper SNI and cleans up the connection if no valid response is received.
4.1.4
2025-03-16 13:19:37 +00:00 · 2025-03-16 13:19:37 +00:00 · 2025-03-15 19:10:54 +00:00 · 2025-03-15 19:10:54 +00:00 · 2025-03-15 18:51:50 +00:00 · 2025-03-15 18:51:50 +00:00
4 changed files with 251 additions and 162 deletions
--- a/changelog.md
+++ b/changelog.md
@ -1,5 +1,27 @@
 # Changelog
 ## 2025-03-16 - 4.1.5 - fix(TLS/ConnectionHandler)
 Improve handling of TLS session resumption without SNI by sending an 'unrecognized_name' alert instead of immediately terminating the connection. This change adds a grace period for the client to retry the handshake with proper SNI and cleans up the connection if no valid response is received.
 - Send a TLS warning (unrecognized_name alert, code 112) when a ClientHello is received without SNI and session tickets are disallowed.
 - Utilize socket cork/uncork to ensure the alert is sent as a single packet.
 - Add a 5-second alert timeout and a subsequent 30-second grace period to allow clients to initiate a new handshake with SNI.
 - Clean up and terminate the connection if no valid SNI is provided after the grace period, logging appropriate termination reasons.
 ## 2025-03-15 - 4.1.4 - fix(ConnectionHandler)
 Refactor ConnectionHandler code formatting for improved readability and consistency in log messages and whitespace handling
 - Standardized indentation and spacing in method signatures and log statements
 - Aligned inline comments and string concatenations for clarity
 - Minor refactoring of parameter formatting without changing functionality
 ## 2025-03-15 - 4.1.3 - fix(connectionhandler)
 Improve handling of TLS ClientHello messages when allowSessionTicket is disabled and no SNI is provided by sending a warning alert (unrecognized_name, code 0x70) with a proper callback and delay to ensure the alert is transmitted before closing the connection.
 - Replace the fatal alert (0x02/0x40) with a warning alert (0x01/0x70) to notify clients to send SNI.
 - Use socket.write callback to wait 100ms after sending the alert before terminating the connection.
 - Remove the previous short (50ms) delay in favor of a more reliable delay mechanism before cleanup.
 ## 2025-03-15 - 4.1.2 - fix(connectionhandler)
 Send proper TLS alert before terminating connections when SNI is missing and session tickets are disallowed.
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "@push.rocks/smartproxy",
-  "version": "4.1.2",
+  "version": "4.1.5",
  "private": false,
  "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
  "main": "dist_ts/index.js",
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@push.rocks/smartproxy',
-  version: '4.1.2',
+  version: '4.1.5',
  description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
 }
--- a/ts/classes.pp.connectionhandler.ts
+++ b/ts/classes.pp.connectionhandler.ts
@ -1,5 +1,9 @@
 import * as plugins from './plugins.js';
-import type { IConnectionRecord, IDomainConfig, IPortProxySettings } from './classes.pp.interfaces.js';
+import type {
  IConnectionRecord,
  IDomainConfig,
  IPortProxySettings,
 } from './classes.pp.interfaces.js';
 import { ConnectionManager } from './classes.pp.connectionmanager.js';
 import { SecurityManager } from './classes.pp.securitymanager.js';
 import { DomainConfigManager } from './classes.pp.domainconfigmanager.js';
@ -73,8 +77,8 @@ export class ConnectionHandler {
    if (this.settings.enableDetailedLogging) {
      console.log(
        `[${connectionId}] New connection from ${remoteIP} on port ${localPort}. ` +
-        `Keep-Alive: ${record.hasKeepAlive ? 'Enabled' : 'Disabled'}. ` +
+          `Keep-Alive: ${record.hasKeepAlive ? 'Enabled' : 'Disabled'}. ` +
-        `Active connections: ${this.connectionManager.getConnectionCount()}`
+          `Active connections: ${this.connectionManager.getConnectionCount()}`
      );
    } else {
      console.log(
@ -94,7 +98,10 @@ export class ConnectionHandler {
  /**
   * Handle a connection that should be forwarded to NetworkProxy
   */
-  private handleNetworkProxyConnection(socket: plugins.net.Socket, record: IConnectionRecord): void {
+  private handleNetworkProxyConnection(
    socket: plugins.net.Socket,
    record: IConnectionRecord
  ): void {
    const connectionId = record.id;
    let initialDataReceived = false;
@ -104,7 +111,7 @@ export class ConnectionHandler {
        console.log(
          `[${connectionId}] Initial data warning (${this.settings.initialDataTimeout}ms) for connection from ${record.remoteIP}`
        );
-        
+
        // Add a grace period instead of immediate termination
        setTimeout(() => {
          if (!initialDataReceived) {
@ -144,7 +151,7 @@ export class ConnectionHandler {
      if (!this.tlsManager.isTlsHandshake(chunk) && localPort === 443) {
        console.log(
          `[${connectionId}] Non-TLS connection detected on port 443. ` +
-          `Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
+            `Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
        );
        if (record.incomingTerminationReason === null) {
          record.incomingTerminationReason = 'non_tls_blocked';
@ -159,8 +166,8 @@ export class ConnectionHandler {
      if (this.tlsManager.isTlsHandshake(chunk)) {
        record.isTLS = true;
-        // Check session tickets if they're disabled
+        // Check for ClientHello to extract SNI - but don't enforce it for NetworkProxy
-        if (this.settings.allowSessionTicket === false && this.tlsManager.isClientHello(chunk)) {
+        if (this.tlsManager.isClientHello(chunk)) {
          // Create connection info for SNI extraction
          const connInfo = {
            sourceIp: record.remoteIP,
@ -169,73 +176,46 @@ export class ConnectionHandler {
            destPort: socket.localPort || 0,
          };
-          // Extract SNI for domain-specific NetworkProxy handling
+          // Extract SNI for domain-specific NetworkProxy handling if available
          const serverName = this.tlsManager.extractSNI(chunk, connInfo);
-          // If allowSessionTicket is false and we can't determine SNI, terminate the connection
+          // For NetworkProxy connections, we'll allow session tickets even without SNI
-          if (!serverName) {
+          // We'll only use the serverName if available to determine the specific NetworkProxy port
-            // Always block when allowSessionTicket is false and there's no SNI
+          if (serverName) {
-            // Don't even check for session resumption - be strict
+            // Save domain config and SNI in connection record
-            console.log(
+            const domainConfig = this.domainConfigManager.findDomainConfig(serverName);
-              `[${connectionId}] No SNI detected in ClientHello and allowSessionTicket=false. ` +
+            record.domainConfig = domainConfig;
-              `Terminating connection to force new TLS handshake with SNI.`
+            record.lockedDomain = serverName;
            );
            // Send a proper TLS alert before ending the connection
            // This helps browsers like Chrome properly recognize the error
            const alertData = Buffer.from([
              0x15,       // Alert record type
              0x03, 0x03, // TLS 1.2 version
              0x00, 0x02, // Length
              0x02,       // Fatal alert level
              0x40        // Handshake failure alert
            ]);
            try {
              socket.write(alertData);
            } catch (err) {
              // Ignore write errors, we're closing anyway
            }
            if (record.incomingTerminationReason === null) {
              record.incomingTerminationReason = 'session_ticket_blocked_no_sni';
              this.connectionManager.incrementTerminationStat('incoming', 'session_ticket_blocked_no_sni');
            }
            // Add a small delay before ending to allow alert to be sent
            setTimeout(() => {
              socket.end();
              this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni');
            }, 50);
            return;
          }
-          // Save domain config and SNI in connection record
+            // Use domain-specific NetworkProxy port if configured
-          const domainConfig = this.domainConfigManager.findDomainConfig(serverName);
+            if (domainConfig && this.domainConfigManager.shouldUseNetworkProxy(domainConfig)) {
-          record.domainConfig = domainConfig;
+              const networkProxyPort = this.domainConfigManager.getNetworkProxyPort(domainConfig);
          record.lockedDomain = serverName;
-          // Use domain-specific NetworkProxy port if configured
+              if (this.settings.enableDetailedLogging) {
-          if (domainConfig && this.domainConfigManager.shouldUseNetworkProxy(domainConfig)) {
+                console.log(
-            const networkProxyPort = this.domainConfigManager.getNetworkProxyPort(domainConfig);
+                  `[${connectionId}] Using domain-specific NetworkProxy for ${serverName} on port ${networkProxyPort}`
                );
              }
-            if (this.settings.enableDetailedLogging) {
+              // Forward to NetworkProxy with domain-specific port
-              console.log(
+              this.networkProxyBridge.forwardToNetworkProxy(
-                `[${connectionId}] Using domain-specific NetworkProxy for ${serverName} on port ${networkProxyPort}`
+                connectionId,
                socket,
                record,
                chunk,
                networkProxyPort,
                (reason) => this.connectionManager.initiateCleanupOnce(record, reason)
              );
              return;
            }
-
+          } else if (
-            // Forward to NetworkProxy with domain-specific port
+            this.settings.allowSessionTicket === false &&
-            this.networkProxyBridge.forwardToNetworkProxy(
+            this.settings.enableDetailedLogging
-              connectionId,
+          ) {
-              socket,
+            // Log that we're allowing a session resumption without SNI for NetworkProxy
-              record,
+            console.log(
-              chunk,
+              `[${connectionId}] Allowing session resumption without SNI for NetworkProxy forwarding`
              networkProxyPort,
              (reason) => this.connectionManager.initiateCleanupOnce(record, reason)
            );
            return;
          }
        }
@ -250,14 +230,10 @@ export class ConnectionHandler {
        );
      } else {
        // If not TLS, use normal direct connection
-        console.log(`[${connectionId}] Non-TLS connection on NetworkProxy port ${record.localPort}`);
+        console.log(
-        this.setupDirectConnection(
+          `[${connectionId}] Non-TLS connection on NetworkProxy port ${record.localPort}`
          socket,
          record,
          undefined,
          undefined,
          chunk
        );
        this.setupDirectConnection(socket, record, undefined, undefined, chunk);
      }
    });
  }
@ -290,7 +266,7 @@ export class ConnectionHandler {
          console.log(
            `[${connectionId}] Initial data warning (${this.settings.initialDataTimeout}ms) for connection from ${record.remoteIP}`
          );
-          
+
          // Add a grace period instead of immediate termination
          setTimeout(() => {
            if (!initialDataReceived) {
@ -375,14 +351,13 @@ export class ConnectionHandler {
      record.domainConfig = domainConfig;
      // Check if this domain should use NetworkProxy (domain-specific setting)
-      if (domainConfig && 
+      if (
-          this.domainConfigManager.shouldUseNetworkProxy(domainConfig) && 
+        domainConfig &&
-          this.networkProxyBridge.getNetworkProxy()) {
+        this.domainConfigManager.shouldUseNetworkProxy(domainConfig) &&
-        
+        this.networkProxyBridge.getNetworkProxy()
      ) {
        if (this.settings.enableDetailedLogging) {
-          console.log(
+          console.log(`[${connectionId}] Domain ${serverName} is configured to use NetworkProxy`);
            `[${connectionId}] Domain ${serverName} is configured to use NetworkProxy`
          );
        }
        const networkProxyPort = this.domainConfigManager.getNetworkProxyPort(domainConfig);
@ -404,23 +379,24 @@ export class ConnectionHandler {
      // IP validation
      if (domainConfig) {
        const ipRules = this.domainConfigManager.getEffectiveIPRules(domainConfig);
-        
+
        // Skip IP validation if allowedIPs is empty
        if (
          domainConfig.allowedIPs.length > 0 &&
-          !this.securityManager.isIPAuthorized(record.remoteIP, ipRules.allowedIPs, ipRules.blockedIPs)
+          !this.securityManager.isIPAuthorized(
            record.remoteIP,
            ipRules.allowedIPs,
            ipRules.blockedIPs
          )
        ) {
          return rejectIncomingConnection(
            'rejected',
-            `Connection rejected: IP ${record.remoteIP} not allowed for domain ${domainConfig.domains.join(
+            `Connection rejected: IP ${
-              ', '
+              record.remoteIP
-            )}`
+            } not allowed for domain ${domainConfig.domains.join(', ')}`
          );
        }
-      } else if (
+      } else if (this.settings.defaultAllowedIPs && this.settings.defaultAllowedIPs.length > 0) {
        this.settings.defaultAllowedIPs &&
        this.settings.defaultAllowedIPs.length > 0
      ) {
        if (
          !this.securityManager.isIPAuthorized(
            record.remoteIP,
@ -487,28 +463,36 @@ export class ConnectionHandler {
      } else {
        // Attempt to find a matching forced domain config based on the local port.
        const forcedDomain = this.domainConfigManager.findDomainConfigForPort(localPort);
-        
+
        if (forcedDomain) {
          const ipRules = this.domainConfigManager.getEffectiveIPRules(forcedDomain);
-          
+
-          if (!this.securityManager.isIPAuthorized(record.remoteIP, ipRules.allowedIPs, ipRules.blockedIPs)) {
+          if (
            !this.securityManager.isIPAuthorized(
              record.remoteIP,
              ipRules.allowedIPs,
              ipRules.blockedIPs
            )
          ) {
            console.log(
-              `[${connectionId}] Connection from ${record.remoteIP} rejected: IP not allowed for domain ${forcedDomain.domains.join(
+              `[${connectionId}] Connection from ${
                record.remoteIP
              } rejected: IP not allowed for domain ${forcedDomain.domains.join(
                ', '
              )} on port ${localPort}.`
            );
            socket.end();
            return;
          }
-          
+
          if (this.settings.enableDetailedLogging) {
            console.log(
-              `[${connectionId}] Port-based connection from ${record.remoteIP} on port ${localPort} matched domain ${forcedDomain.domains.join(
+              `[${connectionId}] Port-based connection from ${
-                ', '
+                record.remoteIP
-              )}.`
+              } on port ${localPort} matched domain ${forcedDomain.domains.join(', ')}.`
            );
          }
-          
+
          setupConnection('', undefined, forcedDomain, localPort);
          return;
        }
@ -526,14 +510,14 @@ export class ConnectionHandler {
          clearTimeout(initialTimeout);
          initialTimeout = null;
        }
-        
+
        initialDataReceived = true;
-        
+
        // Block non-TLS connections on port 443
        if (!this.tlsManager.isTlsHandshake(chunk) && localPort === 443) {
          console.log(
            `[${connectionId}] Non-TLS connection detected on port 443 in SNI handler. ` +
-            `Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
+              `Terminating connection - only TLS traffic is allowed on standard HTTPS port.`
          );
          if (record.incomingTerminationReason === null) {
            record.incomingTerminationReason = 'non_tls_blocked';
@ -566,45 +550,131 @@ export class ConnectionHandler {
          // Extract SNI
          serverName = this.tlsManager.extractSNI(chunk, connInfo) || '';
-          
+
          // If allowSessionTicket is false and this is a ClientHello with no SNI, terminate the connection
-          if (this.settings.allowSessionTicket === false && 
+          if (
-              this.tlsManager.isClientHello(chunk) && 
+            this.settings.allowSessionTicket === false &&
-              !serverName) {
+            this.tlsManager.isClientHello(chunk) &&
-            
+            !serverName
          ) {
            // Always block ClientHello without SNI when allowSessionTicket is false
            // Don't even check for session resumption - be strict
            console.log(
              `[${connectionId}] No SNI detected in ClientHello and allowSessionTicket=false. ` +
-              `Terminating connection to force new TLS handshake with SNI.`
+                `Sending unrecognized_name alert to encourage client to retry with SNI.`
            );
-            
+
-            // Send a proper TLS alert before ending the connection
+            // Set the termination reason first to avoid races
            const alertData = Buffer.from([
              0x15,       // Alert record type
              0x03, 0x03, // TLS 1.2 version
              0x00, 0x02, // Length
              0x02,       // Fatal alert level
              0x40        // Handshake failure alert
            ]);
            try {
              socket.write(alertData);
            } catch (err) {
              // Ignore write errors, we're closing anyway
            }
            if (record.incomingTerminationReason === null) {
              record.incomingTerminationReason = 'session_ticket_blocked_no_sni';
-              this.connectionManager.incrementTerminationStat('incoming', 'session_ticket_blocked_no_sni');
+              this.connectionManager.incrementTerminationStat(
                'incoming',
                'session_ticket_blocked_no_sni'
              );
            }
-            
+
-            // Add a small delay before ending to allow alert to be sent
+            // Send a proper TLS alert before ending the connection
-            setTimeout(() => {
+            // Using "unrecognized_name" (112) alert which is a warning level alert (1)
            // that encourages clients to retry with proper SNI
            const alertData = Buffer.from([
              0x15, // Alert record type
              0x03,
              0x03, // TLS 1.2 version
              0x00,
              0x02, // Length
              0x01, // Warning alert level (not fatal)
              0x70, // unrecognized_name alert (code 112)
            ]);
            try {
              // Make sure the alert is sent as a single packet
              socket.cork();
              socket.write(alertData);
              socket.uncork();
              // Set a longer timeout to allow the client to properly handle the alert
              // The client might respond by closing the connection or initiating a new handshake
              const alertTimeout = setTimeout(() => {
                if (!socket.destroyed) {
                  console.log(`[${connectionId}] Client didn't respond to TLS alert, closing connection gracefully.`);
                  // Gracefully end the connection
                  socket.end();
                  // Only destroy after a delay if it's still hanging
                  setTimeout(() => {
                    if (!socket.destroyed) {
                      console.log(`[${connectionId}] Forcibly closing connection that didn't terminate properly.`);
                      socket.destroy();
                    }
                    this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni');
                  }, 2000);
                }
              }, 5000); // Give the client 5 seconds to respond to our alert
              // Don't let this timeout keep the process alive
              if (alertTimeout.unref) {
                alertTimeout.unref();
              }
              // Handle a proper close from the client
              socket.once('close', () => {
                clearTimeout(alertTimeout);
                console.log(`[${connectionId}] Client closed connection after receiving TLS alert.`);
                this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni_client_closed');
              });
              // Also handle if the client sends more data (possibly a new handshake with SNI)
              socket.once('data', (newChunk) => {
                clearTimeout(alertTimeout);
                console.log(`[${connectionId}] Client sent new data after TLS alert, checking for SNI...`);
                // This would normally be handled by our renegotiation handler,
                // but since we're in a special case, we'll check for SNI again
                if (this.tlsManager.isTlsHandshake(newChunk) && this.tlsManager.isClientHello(newChunk)) {
                  const newServerName = this.tlsManager.extractSNI(newChunk, connInfo);
                  if (newServerName) {
                    console.log(`[${connectionId}] Client provided SNI in new handshake: ${newServerName}`);
                    // Update the record
                    record.incomingTerminationReason = null;
                    // Remove termination stats increment
                    // Note: This is a little hacky as we don't have a proper way to decrement stats
                    // Process the new handshake with SNI
                    record.lockedDomain = newServerName;
                    setupConnection(newServerName, newChunk);
                    return;
                  } else {
                    console.log(`[${connectionId}] Client sent new handshake but still without SNI, closing connection.`);
                    socket.end();
                    setTimeout(() => {
                      if (!socket.destroyed) {
                        socket.destroy();
                      }
                      this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni_retry_failed');
                    }, 500);
                  }
                } else {
                  console.log(`[${connectionId}] Client sent non-handshake data after TLS alert, closing connection.`);
                  socket.end();
                  setTimeout(() => {
                    if (!socket.destroyed) {
                      socket.destroy();
                    }
                    this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_invalid_response');
                  }, 500);
                }
              });
            } catch (err) {
              // If we can't send the alert, fall back to immediate termination
              console.log(`[${connectionId}] Error sending TLS alert: ${err.message}`);
              socket.end();
              this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni');
-            }, 50);
+            }
-            
+
            return;
          }
        }
@ -653,23 +723,21 @@ export class ConnectionHandler {
    overridePort?: number
  ): void {
    const connectionId = record.id;
-    
+
    // Determine target host
-    const targetHost = domainConfig 
+    const targetHost = domainConfig
-      ? this.domainConfigManager.getTargetIP(domainConfig) 
+      ? this.domainConfigManager.getTargetIP(domainConfig)
      : this.settings.targetIP!;
-    
+
    // Determine target port
-    const targetPort = overridePort !== undefined 
+    const targetPort = overridePort !== undefined ? overridePort : this.settings.toPort;
-      ? overridePort 
+
      : this.settings.toPort;
    // Setup connection options
    const connectionOptions: plugins.net.NetConnectOpts = {
      host: targetHost,
      port: targetPort,
    };
-    
+
    // Preserve source IP if configured
    if (this.settings.preserveSourceIP) {
      connectionOptions.localAddress = record.remoteIP.replace('::ffff:', '');
@ -926,18 +994,20 @@ export class ConnectionHandler {
      // Process any remaining data in the queue before switching to piping
      processDataQueue();
-      
+
      // Set up piping immediately
      pipingEstablished = true;
-      
+
      // Flush all pending data to target
      if (record.pendingData.length > 0) {
        const combinedData = Buffer.concat(record.pendingData);
-        
+
        if (this.settings.enableDetailedLogging) {
-          console.log(`[${connectionId}] Forwarding ${combinedData.length} bytes of initial data to target`);
+          console.log(
            `[${connectionId}] Forwarding ${combinedData.length} bytes of initial data to target`
          );
        }
-        
+
        // Write pending data immediately
        targetSocket.write(combinedData, (err) => {
          if (err) {
@ -945,19 +1015,19 @@ export class ConnectionHandler {
            return this.connectionManager.initiateCleanupOnce(record, 'write_error');
          }
        });
-        
+
        // Clear the buffer now that we've processed it
        record.pendingData = [];
        record.pendingDataSize = 0;
      }
-      
+
      // Setup piping in both directions without any delays
      socket.pipe(targetSocket);
      targetSocket.pipe(socket);
-      
+
      // Resume the socket to ensure data flows
      socket.resume();
-      
+
      // Process any data that might be queued in the interim
      if (dataQueue.length > 0) {
        // Write any remaining queued data directly to the target socket
@ -968,7 +1038,7 @@ export class ConnectionHandler {
        dataQueue.length = 0;
        queueSize = 0;
      }
-      
+
      if (this.settings.enableDetailedLogging) {
        console.log(
          `[${connectionId}] Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
@ -1033,15 +1103,12 @@ export class ConnectionHandler {
      }
      // Set connection timeout
-      record.cleanupTimer = this.timeoutManager.setupConnectionTimeout(
+      record.cleanupTimer = this.timeoutManager.setupConnectionTimeout(record, (record, reason) => {
-        record,
+        console.log(
-        (record, reason) => {
+          `[${connectionId}] Connection from ${record.remoteIP} exceeded max lifetime, forcing cleanup.`
-          console.log(
+        );
-            `[${connectionId}] Connection from ${record.remoteIP} exceeded max lifetime, forcing cleanup.`
+        this.connectionManager.initiateCleanupOnce(record, reason);
-          );
+      });
          this.connectionManager.initiateCleanupOnce(record, reason);
        }
      );
      // Mark TLS handshake as complete for TLS connections
      if (record.isTLS) {
Author	SHA1	Message	Date
Philipp Kunz	efbb4335d7	4.1.5 Some checks failed Default (tags) / security (push) Successful in 38s Details Default (tags) / test (push) Failing after 59s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-16 13:19:37 +00:00
Philipp Kunz	9dd402054d	fix(TLS/ConnectionHandler): Improve handling of TLS session resumption without SNI by sending an unrecognized_name alert instead of immediately terminating the connection. This change adds a grace period for the client to retry the handshake with proper SNI and cleans up the connection if no valid response is received.	2025-03-16 13:19:37 +00:00
Philipp Kunz	6c1efc1dc0	4.1.4 Some checks failed Default (tags) / security (push) Successful in 29s Details Default (tags) / test (push) Failing after 1m0s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-15 19:10:54 +00:00
Philipp Kunz	cad0e6a2b2	fix(ConnectionHandler): Refactor ConnectionHandler code formatting for improved readability and consistency in log messages and whitespace handling	2025-03-15 19:10:54 +00:00
Philipp Kunz	794e1292e5	4.1.3 Some checks failed Default (tags) / security (push) Successful in 38s Details Default (tags) / test (push) Failing after 1m0s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-15 18:51:50 +00:00
Philipp Kunz	ee79f9ab7c	fix(connectionhandler): Improve handling of TLS ClientHello messages when allowSessionTicket is disabled and no SNI is provided by sending a warning alert (unrecognized_name, code 0x70) with a proper callback and delay to ensure the alert is transmitted before closing the connection.	2025-03-15 18:51:50 +00:00