4.1.16

changelog.md

@@ -1,5 +1,63 @@
 # Changelog
 
+## 2025-03-17 - 4.1.16 - fix(tls)
+Improve TLS alert handling in connection handler: use the new TlsAlert class to send proper unrecognized_name alerts when a ClientHello is missing SNI and wait for a retry on the same connection before closing. Also, add alertFallbackTimeout tracking to connection records for better timeout management.
+
+- Replaced hardcoded alert buffers in ConnectionHandler with calls to the TlsAlert class.
+- Removed old warnings and implemented a mechanism to remove existing 'data' listeners and await a new ClientHello.
+- Introduced alertFallbackTimeout property in connection records to track fallback timeout and ensure proper cleanup.
+- Extended the delay before closing the connection after sending an alert, providing the client more time to retry.
+
+## 2025-03-17 - 4.1.15 - fix(connectionhandler)
+Delay socket termination in TLS session resumption handling to allow proper alert processing
+
+- Removed the immediate socket.end() call in finishConnection and moved it inside the setTimeout, ensuring that clients (especially Chrome) have additional time to process the TLS alert before connection termination
+- This prevents premature socket closure on ClientHello without SNI when session tickets are disallowed
+
+## 2025-03-17 - 4.1.14 - fix(ConnectionHandler)
+Use the correct TLS alert data and increase the delay before socket termination when session resumption without SNI is detected.
+
+- Replaced certificateExpiredAlert with serverNameUnknownAlertData for sending the appropriate alert.
+- Increased the cleanup delay from 1000ms to 5000ms to allow a more graceful termination.
+
+## 2025-03-17 - 4.1.13 - fix(tls-handshake)
+Set certificate_expired TLS alert level to warning instead of fatal to allow graceful termination.
+
+- In the TLS handshake alert for certificate_expired (0x2F), changed the alert level from 0x02 (fatal) to 0x01 (warning).
+- This change avoids abrupt connection termination, enabling a smoother handling of certificate expiration alerts.
+
+## 2025-03-17 - 4.1.12 - fix(classes.pp.connectionhandler)
+Replace unrecognized_name alert data with certificate_expired alert in TLS handshake handling for session resumption without SNI
+
+- Switched the alert payload from serverNameUnknownAlertData to a new certificateExpiredAlert buffer
+- Now sends a fatal certificate_expired alert (code 47) instead of a warning unrecognized_name alert
+- Improves TLS error reporting and encourages immediate disconnection when a ClientHello lacks SNI and session tickets are disallowed
+
+## 2025-03-17 - 4.1.11 - fix(connectionhandler)
+Increase delay before cleaning up connections when session resumption is blocked due to missing SNI, allowing more natural socket termination.
+
+- Changed cleanup delay in ts/classes.pp.connectionhandler.ts from 300ms to 1000ms.
+- This fix ensures that sockets get sufficient time to terminate gracefully.
+
+## 2025-03-16 - 4.1.10 - fix(connectionhandler)
+Increase delay timings for TLS alert transmission in session ticket blocking to allow graceful socket termination
+
+- Updated finishConnection: replaced immediate socket.destroy with a graceful end call
+- Increased delay after successful write from 50ms to 200ms to allow alert processing
+- Raised safety timeout from 250ms to 400ms when waiting for 'drain' event
+
+## 2025-03-16 - 4.1.9 - fix(ConnectionHandler)
+Replace closeNotify alert with handshake failure alert in TLS ClientHello handling to properly signal missing SNI and enforce session ticket restrictions.
+
+- Switched alert data sent on missing SNI from closeNotifyAlert to sslHandshakeFailureAlertData.
+- Ensures consistent TLS alert behavior during handshake failure.
+
+## 2025-03-16 - 4.1.8 - fix(ConnectionHandler/tls)
+Change the TLS alert sent when a ClientHello lacks SNI: use the close_notify alert instead of handshake_failure to prompt immediate retry with SNI.
+
+- Replaced the previously sent handshake_failure alert (code 0x28) with a close_notify alert (code 0x00) in the TLS session resumption handling in ConnectionHandler.
+- This change encourages clients to immediately retry and include SNI when allowSessionTicket is false.
+
 ## 2025-03-16 - 4.1.7 - fix(classes.pp.connectionhandler)
 Improve TLS alert handling in ClientHello when SNI is missing and session tickets are disallowed
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "4.1.7",
+  "version": "4.1.16",
   "private": false,
   "description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '4.1.7',
+  version: '4.1.16',
   description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
 }

ts/classes.pp.connectionhandler.ts

@@ -11,6 +11,7 @@ import { TlsManager } from './classes.pp.tlsmanager.js';
 import { NetworkProxyBridge } from './classes.pp.networkproxybridge.js';
 import { TimeoutManager } from './classes.pp.timeoutmanager.js';
 import { PortRangeManager } from './classes.pp.portrangemanager.js';
+import { TlsAlert } from './classes.pp.tlsalert.js';
 
 /**
  * Handles new connection processing and setup logic
@@ -560,10 +561,52 @@ export class ConnectionHandler {
             // Block ClientHello without SNI when allowSessionTicket is false
             console.log(
               `[${connectionId}] No SNI detected in ClientHello and allowSessionTicket=false. ` +
-                `Sending warning unrecognized_name alert to encourage immediate retry with SNI.`
+                `Sending unrecognized_name alert to encourage immediate retry with SNI on same connection.`
             );
 
-            // Set the termination reason first
+            try {
+              // Send the alert but do NOT end the connection
+              // Using our new TlsAlert class for better alert management
+              socket.cork();
+              socket.write(TlsAlert.alerts.unrecognizedName);
+              socket.uncork();
+
+              console.log(
+                `[${connectionId}] Alert sent, waiting for new ClientHello on same connection...`
+              );
+
+              // Remove existing data listener and wait for a new ClientHello
+              socket.removeAllListeners('data');
+
+              // Set up a new data handler to capture the next message
+              socket.once('data', (retryChunk) => {
+                // Cancel the fallback timeout as we received data
+                if (record.alertFallbackTimeout) {
+                  clearTimeout(record.alertFallbackTimeout);
+                  record.alertFallbackTimeout = null;
+                }
+
+                // Check if this is a new ClientHello
+                if (this.tlsManager.isClientHello(retryChunk)) {
+                  console.log(`[${connectionId}] Received new ClientHello after alert`);
+
+                  // Extract SNI from the new ClientHello
+                  const newServerName = this.tlsManager.extractSNI(retryChunk, connInfo) || '';
+
+                  if (newServerName) {
+                    console.log(`[${connectionId}] New ClientHello contains SNI: ${newServerName}`);
+
+                    // Update the record with the new SNI
+                    record.lockedDomain = newServerName;
+
+                    // Continue with normal connection setup using the new chunk with SNI
+                    setupConnection(newServerName, retryChunk);
+                  } else {
+                    console.log(
+                      `[${connectionId}] New ClientHello still missing SNI, closing connection`
+                    );
+
+                    // If still no SNI after retry, now we can close the connection
                     if (record.incomingTerminationReason === null) {
                       record.incomingTerminationReason = 'session_ticket_blocked_no_sni';
                       this.connectionManager.incrementTerminationStat(
@@ -572,66 +615,71 @@ export class ConnectionHandler {
                       );
                     }
 
-            // Create a warning-level alert for unrecognized_name
+                    // Send a close_notify alert before ending the connection
-            // This encourages Chrome to retry immediately with SNI
+                    TlsAlert.sendCloseNotify(socket)
-            const serverNameUnknownAlertData = Buffer.from([
+                      .catch((err) => {
-              0x15, // Alert record type
+                        console.log(`[${connectionId}] Error sending close_notify: ${err.message}`);
-              0x03,
+                      })
-              0x03, // TLS 1.2 version
+                      .finally(() => {
-              0x00,
+                        // Clean up even if sending the alert fails
-              0x02, // Length
+                        this.connectionManager.cleanupConnection(
-              0x01, // Warning alert level (not fatal)
+                          record,
-              0x70, // unrecognized_name alert (code 112)
+                          'session_ticket_blocked_no_sni'
-            ]);
+                        );
-
+                      });
-            // Send a handshake_failure alert instead of unrecognized_name
-            const sslHandshakeFailureAlertData = Buffer.from([
-              0x15, // Alert record type
-              0x03,
-              0x03, // TLS 1.2 version
-              0x00,
-              0x02, // Length
-              0x01, // Warning alert level (not fatal)
-              0x28, // handshake_failure alert (40) instead of unrecognized_name (112)
-            ]);
-
-            try {
-              // Use cork/uncork to ensure the alert is sent as a single packet
-              socket.cork();
-              const writeSuccessful = socket.write(sslHandshakeFailureAlertData);
-              socket.uncork();
-
-              // Function to handle the clean socket termination
-              const finishConnection = () => {
-                // First call end() to initiate a graceful close (sends FIN)
-                socket.end();
-
-                // Allow a short delay for the alert and FIN to be transmitted
-                // before we fully close the socket
-                setTimeout(() => {
-                  if (!socket.destroyed) {
-                    socket.destroy();
                   }
-                  this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni');
-                }, 150); // Short delay, but longer than the standard TCP ACK timeout
-              };
-
-              if (writeSuccessful) {
-                // If the data was successfully written to the kernel buffer,
-                // we can finish the connection after a short delay to ensure transmission
-                setTimeout(finishConnection, 50);
                 } else {
-                // If the kernel buffer was full, wait for the drain event
+                  console.log(
-                socket.once('drain', () => {
+                    `[${connectionId}] Received non-ClientHello data after alert, closing connection`
-                  setTimeout(finishConnection, 50);
+                  );
+
+                  // If we got something other than a ClientHello, close the connection
+                  if (record.incomingTerminationReason === null) {
+                    record.incomingTerminationReason = 'invalid_protocol';
+                    this.connectionManager.incrementTerminationStat('incoming', 'invalid_protocol');
+                  }
+
+                  // Send a protocol_version alert before ending the connection
+                  TlsAlert.send(socket, TlsAlert.LEVEL_FATAL, TlsAlert.PROTOCOL_VERSION, true)
+                    .catch((err) => {
+                      console.log(
+                        `[${connectionId}] Error sending protocol_version alert: ${err.message}`
+                      );
+                    })
+                    .finally(() => {
+                      // Clean up even if sending the alert fails
+                      this.connectionManager.cleanupConnection(record, 'invalid_protocol');
+                    });
+                }
               });
 
-                // Set a safety timeout in case drain never happens
+              // Set a fallback timeout in case the client doesn't respond
-                setTimeout(() => {
+              const fallbackTimeout = setTimeout(() => {
-                  socket.removeAllListeners('drain');
+                console.log(`[${connectionId}] No response after alert, closing connection`);
-                  finishConnection();
+
-                }, 250);
+                if (record.incomingTerminationReason === null) {
+                  record.incomingTerminationReason = 'alert_timeout';
+                  this.connectionManager.incrementTerminationStat('incoming', 'alert_timeout');
                 }
+
+                // Send a close_notify alert before ending the connection
+                TlsAlert.sendCloseNotify(socket)
+                  .catch((err) => {
+                    console.log(`[${connectionId}] Error sending close_notify: ${err.message}`);
+                  })
+                  .finally(() => {
+                    // Clean up even if sending the alert fails
+                    this.connectionManager.cleanupConnection(record, 'alert_timeout');
+                  });
+              }, 10000); // 10 second timeout
+
+              // Make sure the timeout doesn't keep the process alive
+              if (fallbackTimeout.unref) {
+                fallbackTimeout.unref();
+              }
+
+              // Store the timeout in the record so it can be cleared during cleanup
+              record.alertFallbackTimeout = fallbackTimeout;
             } catch (err) {
               // If we can't send the alert, fall back to immediate termination
               console.log(`[${connectionId}] Error sending TLS alert: ${err.message}`);
@@ -639,6 +687,7 @@ export class ConnectionHandler {
               this.connectionManager.cleanupConnection(record, 'session_ticket_blocked_no_sni');
             }
 
+            // Return early to prevent the normal flow
             return;
           }
         }

ts/classes.pp.interfaces.ts

@@ -104,6 +104,7 @@ export interface IConnectionRecord {
   lockedDomain?: string; // Used to lock this connection to the initial SNI
   connectionClosed: boolean; // Flag to prevent multiple cleanup attempts
   cleanupTimer?: NodeJS.Timeout; // Timer for max lifetime/inactivity
+  alertFallbackTimeout?: NodeJS.Timeout; // Timer for fallback after alert
   lastActivity: number; // Last activity timestamp for inactivity detection
   pendingData: Buffer[]; // Buffer to hold data during connection setup
   pendingDataSize: number; // Track total size of pending data

ts/classes.pp.tlsalert.ts

@@ -0,0 +1,218 @@
+import * as net from 'net';
+
+/**
+ * TlsAlert class for managing TLS alert messages
+ */
+export class TlsAlert {
+  // TLS Alert Levels
+  static readonly LEVEL_WARNING = 0x01;
+  static readonly LEVEL_FATAL = 0x02;
+  
+  // TLS Alert Description Codes - RFC 8446 (TLS 1.3) / RFC 5246 (TLS 1.2)
+  static readonly CLOSE_NOTIFY = 0x00;
+  static readonly UNEXPECTED_MESSAGE = 0x0A;
+  static readonly BAD_RECORD_MAC = 0x14;
+  static readonly DECRYPTION_FAILED = 0x15; // TLS 1.0 only
+  static readonly RECORD_OVERFLOW = 0x16;
+  static readonly DECOMPRESSION_FAILURE = 0x1E; // TLS 1.2 and below
+  static readonly HANDSHAKE_FAILURE = 0x28;
+  static readonly NO_CERTIFICATE = 0x29; // SSLv3 only
+  static readonly BAD_CERTIFICATE = 0x2A;
+  static readonly UNSUPPORTED_CERTIFICATE = 0x2B;
+  static readonly CERTIFICATE_REVOKED = 0x2C;
+  static readonly CERTIFICATE_EXPIRED = 0x2F;
+  static readonly CERTIFICATE_UNKNOWN = 0x30;
+  static readonly ILLEGAL_PARAMETER = 0x2F;
+  static readonly UNKNOWN_CA = 0x30;
+  static readonly ACCESS_DENIED = 0x31;
+  static readonly DECODE_ERROR = 0x32;
+  static readonly DECRYPT_ERROR = 0x33;
+  static readonly EXPORT_RESTRICTION = 0x3C; // TLS 1.0 only
+  static readonly PROTOCOL_VERSION = 0x46;
+  static readonly INSUFFICIENT_SECURITY = 0x47;
+  static readonly INTERNAL_ERROR = 0x50;
+  static readonly INAPPROPRIATE_FALLBACK = 0x56;
+  static readonly USER_CANCELED = 0x5A;
+  static readonly NO_RENEGOTIATION = 0x64; // TLS 1.2 and below
+  static readonly MISSING_EXTENSION = 0x6D; // TLS 1.3
+  static readonly UNSUPPORTED_EXTENSION = 0x6E; // TLS 1.3
+  static readonly CERTIFICATE_REQUIRED = 0x6F; // TLS 1.3
+  static readonly UNRECOGNIZED_NAME = 0x70;
+  static readonly BAD_CERTIFICATE_STATUS_RESPONSE = 0x71;
+  static readonly BAD_CERTIFICATE_HASH_VALUE = 0x72; // TLS 1.2 and below
+  static readonly UNKNOWN_PSK_IDENTITY = 0x73;
+  static readonly CERTIFICATE_REQUIRED_1_3 = 0x74; // TLS 1.3
+  static readonly NO_APPLICATION_PROTOCOL = 0x78;
+  
+  /**
+   * Create a TLS alert buffer with the specified level and description code
+   * 
+   * @param level Alert level (warning or fatal)
+   * @param description Alert description code
+   * @param tlsVersion TLS version bytes (default is TLS 1.2: 0x0303)
+   * @returns Buffer containing the TLS alert message
+   */
+  static create(
+    level: number,
+    description: number,
+    tlsVersion: [number, number] = [0x03, 0x03]
+  ): Buffer {
+    return Buffer.from([
+      0x15, // Alert record type
+      tlsVersion[0],
+      tlsVersion[1], // TLS version (default to TLS 1.2: 0x0303)
+      0x00,
+      0x02, // Length
+      level, // Alert level
+      description, // Alert description
+    ]);
+  }
+  
+  /**
+   * Create a warning-level TLS alert
+   * 
+   * @param description Alert description code
+   * @returns Buffer containing the warning-level TLS alert message
+   */
+  static createWarning(description: number): Buffer {
+    return this.create(this.LEVEL_WARNING, description);
+  }
+  
+  /**
+   * Create a fatal-level TLS alert
+   * 
+   * @param description Alert description code
+   * @returns Buffer containing the fatal-level TLS alert message
+   */
+  static createFatal(description: number): Buffer {
+    return this.create(this.LEVEL_FATAL, description);
+  }
+  
+  /**
+   * Send a TLS alert to a socket and optionally close the connection
+   * 
+   * @param socket The socket to send the alert to
+   * @param level Alert level (warning or fatal)
+   * @param description Alert description code
+   * @param closeAfterSend Whether to close the connection after sending the alert
+   * @param closeDelay Milliseconds to wait before closing the connection (default: 200ms)
+   * @returns Promise that resolves when the alert has been sent
+   */
+  static async send(
+    socket: net.Socket,
+    level: number,
+    description: number,
+    closeAfterSend: boolean = false,
+    closeDelay: number = 200
+  ): Promise<void> {
+    const alert = this.create(level, description);
+    
+    return new Promise<void>((resolve, reject) => {
+      try {
+        // Ensure the alert is written as a single packet
+        socket.cork();
+        const writeSuccessful = socket.write(alert, (err) => {
+          if (err) {
+            reject(err);
+            return;
+          }
+          
+          if (closeAfterSend) {
+            setTimeout(() => {
+              socket.end();
+              resolve();
+            }, closeDelay);
+          } else {
+            resolve();
+          }
+        });
+        socket.uncork();
+        
+        // If write wasn't successful immediately, wait for drain
+        if (!writeSuccessful && !closeAfterSend) {
+          socket.once('drain', () => {
+            resolve();
+          });
+        }
+      } catch (err) {
+        reject(err);
+      }
+    });
+  }
+  
+  /**
+   * Pre-defined TLS alert messages
+   */
+  static readonly alerts = {
+    // Warning level alerts
+    closeNotify: TlsAlert.createWarning(TlsAlert.CLOSE_NOTIFY),
+    unsupportedExtension: TlsAlert.createWarning(TlsAlert.UNSUPPORTED_EXTENSION),
+    certificateRequired: TlsAlert.createWarning(TlsAlert.CERTIFICATE_REQUIRED),
+    unrecognizedName: TlsAlert.createWarning(TlsAlert.UNRECOGNIZED_NAME),
+    noRenegotiation: TlsAlert.createWarning(TlsAlert.NO_RENEGOTIATION),
+    userCanceled: TlsAlert.createWarning(TlsAlert.USER_CANCELED),
+    
+    // Warning level alerts for session resumption
+    certificateExpiredWarning: TlsAlert.createWarning(TlsAlert.CERTIFICATE_EXPIRED),
+    handshakeFailureWarning: TlsAlert.createWarning(TlsAlert.HANDSHAKE_FAILURE),
+    insufficientSecurityWarning: TlsAlert.createWarning(TlsAlert.INSUFFICIENT_SECURITY),
+    
+    // Fatal level alerts
+    unexpectedMessage: TlsAlert.createFatal(TlsAlert.UNEXPECTED_MESSAGE),
+    badRecordMac: TlsAlert.createFatal(TlsAlert.BAD_RECORD_MAC),
+    recordOverflow: TlsAlert.createFatal(TlsAlert.RECORD_OVERFLOW),
+    handshakeFailure: TlsAlert.createFatal(TlsAlert.HANDSHAKE_FAILURE),
+    badCertificate: TlsAlert.createFatal(TlsAlert.BAD_CERTIFICATE),
+    certificateExpired: TlsAlert.createFatal(TlsAlert.CERTIFICATE_EXPIRED),
+    certificateUnknown: TlsAlert.createFatal(TlsAlert.CERTIFICATE_UNKNOWN),
+    illegalParameter: TlsAlert.createFatal(TlsAlert.ILLEGAL_PARAMETER),
+    unknownCA: TlsAlert.createFatal(TlsAlert.UNKNOWN_CA),
+    accessDenied: TlsAlert.createFatal(TlsAlert.ACCESS_DENIED),
+    decodeError: TlsAlert.createFatal(TlsAlert.DECODE_ERROR),
+    decryptError: TlsAlert.createFatal(TlsAlert.DECRYPT_ERROR),
+    protocolVersion: TlsAlert.createFatal(TlsAlert.PROTOCOL_VERSION),
+    insufficientSecurity: TlsAlert.createFatal(TlsAlert.INSUFFICIENT_SECURITY),
+    internalError: TlsAlert.createFatal(TlsAlert.INTERNAL_ERROR),
+  };
+  
+  /**
+   * Utility method to send a warning-level unrecognized_name alert
+   * Specifically designed for SNI issues to encourage the client to retry with SNI
+   * 
+   * @param socket The socket to send the alert to
+   * @returns Promise that resolves when the alert has been sent
+   */
+  static async sendSniRequired(socket: net.Socket): Promise<void> {
+    return this.send(socket, this.LEVEL_WARNING, this.UNRECOGNIZED_NAME);
+  }
+  
+  /**
+   * Utility method to send a close_notify alert and close the connection
+   * 
+   * @param socket The socket to send the alert to
+   * @param closeDelay Milliseconds to wait before closing the connection (default: 200ms)
+   * @returns Promise that resolves when the alert has been sent and the connection closed
+   */
+  static async sendCloseNotify(socket: net.Socket, closeDelay: number = 200): Promise<void> {
+    return this.send(socket, this.LEVEL_WARNING, this.CLOSE_NOTIFY, true, closeDelay);
+  }
+  
+  /**
+   * Utility method to send a certificate_expired alert to force new TLS session
+   * 
+   * @param socket The socket to send the alert to
+   * @param fatal Whether to send as a fatal alert (default: false)
+   * @param closeAfterSend Whether to close the connection after sending the alert (default: true)
+   * @param closeDelay Milliseconds to wait before closing the connection (default: 200ms)
+   * @returns Promise that resolves when the alert has been sent
+   */
+  static async sendCertificateExpired(
+    socket: net.Socket,
+    fatal: boolean = false,
+    closeAfterSend: boolean = true,
+    closeDelay: number = 200
+  ): Promise<void> {
+    const level = fatal ? this.LEVEL_FATAL : this.LEVEL_WARNING;
+    return this.send(socket, level, this.CERTIFICATE_EXPIRED, closeAfterSend, closeDelay);
+  }
+}