4.1.8

fix(ConnectionHandler/tls): Change the TLS alert sent when a ClientHello lacks SNI: use the close_notify alert instead of handshake_failure to prompt immediate retry with SNI.
4.1.7
2025-03-16 14:02:18 +00:00 · 2025-03-16 14:02:18 +00:00 · 2025-03-16 13:47:34 +00:00 · 2025-03-16 13:47:34 +00:00
4 changed files with 48 additions and 14 deletions
--- a/changelog.md
+++ b/changelog.md
@ -1,5 +1,18 @@
 # Changelog
 ## 2025-03-16 - 4.1.8 - fix(ConnectionHandler/tls)
 Change the TLS alert sent when a ClientHello lacks SNI: use the close_notify alert instead of handshake_failure to prompt immediate retry with SNI.
 - Replaced the previously sent handshake_failure alert (code 0x28) with a close_notify alert (code 0x00) in the TLS session resumption handling in ConnectionHandler.
 - This change encourages clients to immediately retry and include SNI when allowSessionTicket is false.
 ## 2025-03-16 - 4.1.7 - fix(classes.pp.connectionhandler)
 Improve TLS alert handling in ClientHello when SNI is missing and session tickets are disallowed
 - Replace the unrecognized_name alert with a handshake_failure alert to ensure better client behavior.
 - Refactor the alert sending mechanism using cork/uncork and add a safety timeout for the drain event.
 - Enhance logging for debugging TLS handshake failures when SNI is absent.
 ## 2025-03-16 - 4.1.6 - fix(tls)
 Refine TLS ClientHello handling when allowSessionTicket is false by replacing extensive alert timeout logic with a concise warning alert and short delay, encouraging immediate client retry with proper SNI
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "@push.rocks/smartproxy",
-  "version": "4.1.6",
+  "version": "4.1.8",
  "private": false,
  "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
  "main": "dist_ts/index.js",
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@push.rocks/smartproxy',
-  version: '4.1.6',
+  version: '4.1.8',
  description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
 }
--- a/ts/classes.pp.connectionhandler.ts
+++ b/ts/classes.pp.connectionhandler.ts
@ -560,7 +560,7 @@ export class ConnectionHandler {
            // Block ClientHello without SNI when allowSessionTicket is false
            console.log(
              `[${connectionId}] No SNI detected in ClientHello and allowSessionTicket=false. ` +
-              `Sending warning unrecognized_name alert to encourage immediate retry with SNI.`
+                `Sending warning unrecognized_name alert to encourage immediate retry with SNI.`
            );
            // Set the termination reason first
@ -574,7 +574,7 @@ export class ConnectionHandler {
            // Create a warning-level alert for unrecognized_name
            // This encourages Chrome to retry immediately with SNI
-            const alertData = Buffer.from([
+            const serverNameUnknownAlertData = Buffer.from([
              0x15, // Alert record type
              0x03,
              0x03, // TLS 1.2 version
@ -584,10 +584,31 @@ export class ConnectionHandler {
              0x70, // unrecognized_name alert (code 112)
            ]);
            // Send a handshake_failure alert instead of unrecognized_name
            const sslHandshakeFailureAlertData = Buffer.from([
              0x15, // Alert record type
              0x03,
              0x03, // TLS 1.2 version
              0x00,
              0x02, // Length
              0x01, // Warning alert level (not fatal)
              0x28, // handshake_failure alert (40) instead of unrecognized_name (112)
            ]);
            const closeNotifyAlert = Buffer.from([
              0x15, // Alert record type
              0x03,
              0x03, // TLS 1.2 version
              0x00,
              0x02, // Length
              0x01, // Warning alert level (1)
              0x00, // close_notify alert (0)
            ]);
            try {
              // Use cork/uncork to ensure the alert is sent as a single packet
              socket.cork();
-              const writeSuccessful = socket.write(alertData);
+              const writeSuccessful = socket.write(closeNotifyAlert);
              socket.uncork();
              // Function to handle the clean socket termination
Author	SHA1	Message	Date
Philipp Kunz	d612df107e	4.1.8 Some checks failed Default (tags) / security (push) Successful in 30s Details Default (tags) / test (push) Failing after 1m1s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-16 14:02:18 +00:00
Philipp Kunz	1c34578c36	fix(ConnectionHandler/tls): Change the TLS alert sent when a ClientHello lacks SNI: use the close_notify alert instead of handshake_failure to prompt immediate retry with SNI.	2025-03-16 14:02:18 +00:00
Philipp Kunz	1f9943b5a7	4.1.7 Some checks failed Default (tags) / security (push) Successful in 34s Details Default (tags) / test (push) Failing after 59s Details Default (tags) / release (push) Has been skipped Details Default (tags) / metadata (push) Has been skipped Details	2025-03-16 13:47:34 +00:00
Philipp Kunz	67ddf97547	fix(classes.pp.connectionhandler): Improve TLS alert handling in ClientHello when SNI is missing and session tickets are disallowed	2025-03-16 13:47:34 +00:00