Fix ClientHello parser for TLS 1.3, issue #84

sonertari · sonertari · commit 31478e4c01fa · 2025-05-05T19:05:24.000+03:00
reported by @GhostNaix
diff --git a/src/protoautossl.c b/src/protoautossl.c
@@ -3,7 +3,7 @@
  * https://www.roe.ch/SSLsplit
  *
  * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2025, Soner Tari <sonertari@gmail.com>.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -255,7 +255,7 @@ protoautossl_peek_and_upgrade(pxy_conn_ctx_t *ctx)
 
 	/* peek the buffer */
 	inbuf = bufferevent_get_input(ctx->src.bev);
-	if (evbuffer_peek(inbuf, 1024, 0, vec_out, 1)) {
+	if (evbuffer_peek(inbuf, 2048, 0, vec_out, 1)) {
 		if (ssl_tls_clienthello_parse(vec_out[0].iov_base, vec_out[0].iov_len, 0, &chello, &ctx->sslctx->sni) == 0) {
 			if (OPTS_DEBUG(ctx->global)) {
 				log_dbg_printf("Peek found ClientHello\n");
diff --git a/src/protossl.c b/src/protossl.c
@@ -3,7 +3,7 @@
  * https://www.roe.ch/SSLsplit
  *
  * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
- * Copyright (c) 2017-2024, Soner Tari <sonertari@gmail.com>.
+ * Copyright (c) 2017-2025, Soner Tari <sonertari@gmail.com>.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -1353,7 +1353,7 @@ protossl_fd_readcb(evutil_socket_t fd, UNUSED short what, void *arg)
 	// Child connections will use the sni info obtained by the parent conn
 	/* for SSL, peek ClientHello and parse SNI from it */
 
-	unsigned char buf[1024];
+	unsigned char buf[2048];
 	ssize_t n;
 	const unsigned char *chello;
 	int rv;
diff --git a/src/ssl.c b/src/ssl.c
@@ -3,6 +3,7 @@
  * https://www.roe.ch/SSLsplit
  *
  * Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>.
+ * Copyright (c) 2017-2025, Soner Tari <sonertari@gmail.com>.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -2166,7 +2167,7 @@ ssl_tls_clienthello_parse(const unsigned char *buf, ssize_t sz, int search,
 		 * updated for TLS 1.3 once that is standardized and still
 		 * compatible with this parser; remember to also update the
 		 * inner version check below */
-		if (p[0] != 0x03 || p[1] > 0x03)
+		if (p[0] != 0x03 || p[1] > 0x04)
 			continue;
 		p += 2; n -= 2;
 
@@ -2218,7 +2219,7 @@ ssl_tls_clienthello_parse(const unsigned char *buf, ssize_t sz, int search,
 			continue;
 		DBG_printf("clienthello version %02x %02x\n", p[0], p[1]);
 		/* inner version check, see outer one above */
-		if (p[0] != 0x03 || p[1] > 0x03)
+		if (p[0] != 0x03 || p[1] > 0x04)
 			continue;
 		p += 2; n -= 2;
 
