4.1.11

changelog.md

@@ -1,5 +1,37 @@
 # Changelog
 
+## 2025-03-17 - 4.1.11 - fix(connectionhandler)
+Increase delay before cleaning up connections when session resumption is blocked due to missing SNI, allowing more natural socket termination.
+
+- Changed cleanup delay in ts/classes.pp.connectionhandler.ts from 300ms to 1000ms.
+- This fix ensures that sockets get sufficient time to terminate gracefully.
+
+## 2025-03-16 - 4.1.10 - fix(connectionhandler)
+Increase delay timings for TLS alert transmission in session ticket blocking to allow graceful socket termination
+
+- Updated finishConnection: replaced immediate socket.destroy with a graceful end call
+- Increased delay after successful write from 50ms to 200ms to allow alert processing
+- Raised safety timeout from 250ms to 400ms when waiting for 'drain' event
+
+## 2025-03-16 - 4.1.9 - fix(ConnectionHandler)
+Replace closeNotify alert with handshake failure alert in TLS ClientHello handling to properly signal missing SNI and enforce session ticket restrictions.
+
+- Switched alert data sent on missing SNI from closeNotifyAlert to sslHandshakeFailureAlertData.
+- Ensures consistent TLS alert behavior during handshake failure.
+
+## 2025-03-16 - 4.1.8 - fix(ConnectionHandler/tls)
+Change the TLS alert sent when a ClientHello lacks SNI: use the close_notify alert instead of handshake_failure to prompt immediate retry with SNI.
+
+- Replaced the previously sent handshake_failure alert (code 0x28) with a close_notify alert (code 0x00) in the TLS session resumption handling in ConnectionHandler.
+- This change encourages clients to immediately retry and include SNI when allowSessionTicket is false.
+
+## 2025-03-16 - 4.1.7 - fix(classes.pp.connectionhandler)
+Improve TLS alert handling in ClientHello when SNI is missing and session tickets are disallowed
+
+- Replace the unrecognized_name alert with a handshake_failure alert to ensure better client behavior.
+- Refactor the alert sending mechanism using cork/uncork and add a safety timeout for the drain event.
+- Enhance logging for debugging TLS handshake failures when SNI is absent.
+
 ## 2025-03-16 - 4.1.6 - fix(tls)
 Refine TLS ClientHello handling when allowSessionTicket is false by replacing extensive alert timeout logic with a concise warning alert and short delay, encouraging immediate client retry with proper SNI
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "4.1.6",
+  "version": "4.1.11",
   "private": false,
   "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '4.1.6',
+  version: '4.1.11',
   description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
 }

ts/classes.pp.connectionhandler.ts

@@ -560,9 +560,9 @@ export class ConnectionHandler {
             // Block ClientHello without SNI when allowSessionTicket is false
             console.log(
               `[${connectionId}] No SNI detected in ClientHello and allowSessionTicket=false. ` +
-              `Sending warning unrecognized_name alert to encourage immediate retry with SNI.`
+                `Sending warning unrecognized_name alert to encourage immediate retry with SNI.`
             );
-          
+
             // Set the termination reason first
             if (record.incomingTerminationReason === null) {
               record.incomingTerminationReason = 'session_ticket_blocked_no_sni';
@@ -571,10 +571,10 @@ export class ConnectionHandler {
                 'session_ticket_blocked_no_sni'
               );
             }
-          
+
             // Create a warning-level alert for unrecognized_name
             // This encourages Chrome to retry immediately with SNI
-            const alertData = Buffer.from([
+            const serverNameUnknownAlertData = Buffer.from([
               0x15, // Alert record type
               0x03,
               0x03, // TLS 1.2 version
@@ -583,43 +583,61 @@ export class ConnectionHandler {
               0x01, // Warning alert level (not fatal)
               0x70, // unrecognized_name alert (code 112)
             ]);
-          
+
+            // Send a handshake_failure alert instead of unrecognized_name
+            const sslHandshakeFailureAlertData = Buffer.from([
+              0x15, // Alert record type
+              0x03,
+              0x03, // TLS 1.2 version
+              0x00,
+              0x02, // Length
+              0x01, // Warning alert level (not fatal)
+              0x28, // handshake_failure alert (40) instead of unrecognized_name (112)
+            ]);
+
+            const closeNotifyAlert = Buffer.from([
+              0x15, // Alert record type
+              0x03,
+              0x03, // TLS 1.2 version
+              0x00,
+              0x02, // Length
+              0x01, // Warning alert level (1)
+              0x00, // close_notify alert (0)
+            ]);
+
             try {
               // Use cork/uncork to ensure the alert is sent as a single packet
               socket.cork();
-              const writeSuccessful = socket.write(alertData);
+              const writeSuccessful = socket.write(serverNameUnknownAlertData);
               socket.uncork();
               
-              // Function to handle the clean socket termination
+              // Function to handle the clean socket termination - but more gradually
               const finishConnection = () => {
-                // First call end() to initiate a graceful close (sends FIN)
+                // Give Chrome more time to process the alert before closing
+                // We won't call destroy() at all - just end() and let the socket close naturally
                 socket.end();
                 
-                // Allow a short delay for the alert and FIN to be transmitted
-                // before we fully close the socket
+                // Log the cleanup but wait for natural closure
                 setTimeout(() => {
-                  if (!socket.destroyed) {
-                    socket.destroy();
-                  }
                   this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni');
-                }, 150); // Short delay, but longer than the standard TCP ACK timeout
+                }, 1000); // Longer delay to let socket cleanup happen naturally
               };
               
               if (writeSuccessful) {
-                // If the data was successfully written to the kernel buffer,
-                // we can finish the connection after a short delay to ensure transmission
-                setTimeout(finishConnection, 50);
+                // Wait longer before ending connection to ensure alert is processed by client
+                setTimeout(finishConnection, 200); // Increased from 50ms to 200ms
               } else {
                 // If the kernel buffer was full, wait for the drain event
                 socket.once('drain', () => {
-                  setTimeout(finishConnection, 50);
+                  // Wait longer after drain as well
+                  setTimeout(finishConnection, 200);
                 });
                 
-                // Set a safety timeout in case drain never happens
+                // Safety timeout is increased too
                 setTimeout(() => {
                   socket.removeAllListeners('drain');
                   finishConnection();
-                }, 250);
+                }, 400); // Increased from 250ms to 400ms
               }
             } catch (err) {
               // If we can't send the alert, fall back to immediate termination
@@ -627,7 +645,7 @@ export class ConnectionHandler {
               socket.end();
               this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni');
             }
-          
+
             return;
           }
         }
@@ -1075,4 +1093,4 @@ export class ConnectionHandler {
       }
     });
   }
-}
+}