SNI matcher fails on large ClientHello #40
Comments
orozery
added a commit
to orozery/tcpproxy
that referenced
this issue
Mar 1, 2024
Fixes: inetaf#40 Signed-off-by: Or Ozeri <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
func clientHelloServerName(br *bufio.Reader) (sni string)peeks the connection to read the entire client hello packet.If read was successful, the client hello bytes are passed in to Go's
tlsto parse the packet and extract the SNI.The client hello is peeked using a
bufio.Reader, which is initialized by(p *Proxy) serveConn, usingbr := bufio.NewReader(c).The call to
bufio.NewReaderinitializes an internal backing buffer of size 4K.If the client hello is bigger than 4K, the
bufio.Reader.Peekcall fails withbufio.ErrBuffFull, and this directly leads to the failure of the SNI matcher.Specifically, I've been testing with Envoy as a TLS client which I've seen producing a client hello of size 5476 bytes (>4K).
I've attached a sample tcpdump capture.
big_client_hello.zip
For reference, Go's TLS implementation supports client hellos of up-to 64KB:
https://github.com/golang/go/blob/cda1e40b44771f8a01f361672cba721d0f283683/src/crypto/tls/common.go#L65
My personal suggestion is that we increase our
bufio.Readerfrom the default 4K size to 64KB size.The text was updated successfully, but these errors were encountered: