Increase sizes of bufs used in ClientHello parsing

sonertari · sonertari · commit 30b321529dfd · 2025-10-27T20:45:40.000+03:00
as a defensive measure against modern TLS handshake sizes. suggested by @dpward in droe/sslsplit#342
diff --git a/src/protoautossl.c b/src/protoautossl.c
@@ -258,7 +258,7 @@ protoautossl_peek_and_upgrade(pxy_conn_ctx_t *ctx)
 
 	/* peek the buffer */
 	inbuf = bufferevent_get_input(ctx->src.bev);
-	if (evbuffer_peek(inbuf, 2048, 0, vec_out, 1)) {
+	if (evbuffer_peek(inbuf, 4096, 0, vec_out, 1)) {
 		if (ssl_tls_clienthello_parse(vec_out[0].iov_base, vec_out[0].iov_len, 0, &chello, &ctx->sslctx->sni) == 0) {
 			if (OPTS_DEBUG(ctx->global)) {
 				log_dbg_printf("Peek found ClientHello\n");
diff --git a/src/protossl.c b/src/protossl.c
@@ -1354,7 +1354,7 @@ protossl_fd_readcb(evutil_socket_t fd, UNUSED short what, void *arg)
 	// Child connections will use the sni info obtained by the parent conn
 	/* for SSL, peek ClientHello and parse SNI from it */
 
-	unsigned char buf[2048];
+	unsigned char buf[4096];
 	ssize_t n;
 	const unsigned char *chello;
 	int rv;
