New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ssl: detect duplicate client handshake #10059
base: master
Are you sure you want to change the base?
Conversation
Some invalid implementation of TLS have been seen where the client is sending two handshake messages at start. The result was a problem of JA3 generation. As it is invalid if we follow the RFC, let's ignore the second message.
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #10059 +/- ##
==========================================
- Coverage 82.45% 82.35% -0.10%
==========================================
Files 972 972
Lines 271461 271475 +14
==========================================
- Hits 223822 223565 -257
- Misses 47639 47910 +271
Flags with carried forward coverage won't be shown. Click here to find out more. |
Is there a SV test ? |
Information: QA ran without warnings. Pipeline 17098 |
@@ -1498,6 +1499,16 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, const uint8_t *input, | |||
|
|||
switch (ssl_state->curr_connp->handshake_type) { | |||
case SSLV3_HS_CLIENT_HELLO: | |||
if (ssl_state->flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) { | |||
SSLSetEvent(ssl_state, TLS_DECODER_EVENT_DUPLICATE_HANDSHAKE_MESSAGE); | |||
if (ssl_state->client_connp.ja3_str) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why is the ja3 stuff freed here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
see inline comments/requests
Please also add the ticket number to the commit.
Information: QA ran without warnings. Pipeline 17098 |
Is the PCAP in https://redmine.openinfosecfoundation.org/issues/7016 useful for a test @regit ? |
Some invalid implementation of TLS have been seen where the client is sending two handshake messages at start. The result was a problem of JA3 generation.
As it is invalid if we follow the RFC, let's ignore the second message.
Make sure these boxes are signed before submitting your Pull Request -- thank you.
https://docs.suricata.io/en/latest/devguide/codebase/contributing/contribution-process.html
https://suricata.io/about/contribution-agreement/ (note: this is only required once)
Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/6634
Describe changes: