
ssl: detect duplicate client handshake #10059

Open
wants to merge 1 commit into master

Conversation


@regit regit commented Dec 14, 2023

Some invalid implementations of TLS have been seen where the client sends two handshake messages at the start. The result was a problem in JA3 generation.

As it is invalid if we follow the RFC, let's ignore the second message.


Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/6634

Describe changes:

  • handle the case where 2 hello messages are sent by the client
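The behaviour the description asks for (raise an event on a second ClientHello and ignore it, so the fingerprint inputs taken from the first hello survive), as an added illustration in C that is not Suricata's code. The minimal record/handshake parsing, the state struct, `parse_stream`, and the constructed sample bytes are assumptions made for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define TLS_CT_HANDSHAKE   22
#define TLS_HS_CLIENT_HELLO 1

/* Parser state: a "ClientHello seen" flag, the duplicate event, and the first hello's
 * version standing in for the JA3 inputs that must survive a duplicate. */
typedef struct { bool client_hello_seen, duplicate_handshake_event;
                 uint16_t first_hello_version; int hellos_accepted; } TlsClientState;

/* Parse one TLS record; returns bytes consumed, or -1 on malformed input. */
static int parse_record(TlsClientState *st, const uint8_t *buf, size_t len) {
    if (len < 5) return -1;
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    if (rec_len < 4 || len < 5 + rec_len) return -1;
    if (buf[0] != TLS_CT_HANDSHAKE) return (int)(5 + rec_len); /* not a handshake record */
    const uint8_t *hs = buf + 5;
    size_t hs_len = ((size_t)hs[1] << 16) | ((size_t)hs[2] << 8) | hs[3];
    if (hs_len + 4 > rec_len) return -1;
    if (hs[0] != TLS_HS_CLIENT_HELLO) return (int)(5 + rec_len);
    if (st->client_hello_seen) {
        /* Second ClientHello: raise the event and skip it; the first hello's state stays intact. */
        st->duplicate_handshake_event = true;
        return (int)(5 + rec_len);
    }
    if (hs_len < 2) return -1;
    st->client_hello_seen = true;
    st->first_hello_version = (uint16_t)((hs[4] << 8) | hs[5]);
    st->hellos_accepted++;
    return (int)(5 + rec_len);
}

/* Feed a client-to-server byte stream; returns the accepted ClientHello count, or -1. */
int parse_stream(TlsClientState *st, const uint8_t *buf, size_t len) {
    memset(st, 0, sizeof(*st));
    for (size_t off = 0; off < len;) {
        int n = parse_record(st, buf + off, len - off);
        if (n < 0) return -1;
        off += (size_t)n;
    }
    return st->hellos_accepted;
}

/* Constructed sample: two back-to-back ClientHello records, the second with a different version. */
static const uint8_t SAMPLE[] = {
    0x16, 0x03, 0x01, 0x00, 0x06, 0x01, 0x00, 0x00, 0x02, 0x03, 0x03,
    0x16, 0x03, 0x01, 0x00, 0x06, 0x01, 0x00, 0x00, 0x02, 0x03, 0x01 };
TlsClientState g_sample;                               /* filled by run_sample() */
int run_sample(void) { return parse_stream(&g_sample, SAMPLE, sizeof SAMPLE); }
```

Only one hello is accepted, the duplicate event is set, and the version kept is the first hello's (0x0303), not the second's.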

@regit regit requested review from victorjulien and a team as code owners December 14, 2023 21:15

codecov bot commented Dec 14, 2023

Codecov Report

Merging #10059 (2edb102) into master (7d95c4c) will decrease coverage by 0.10%.
The diff coverage is 57.14%.

@@            Coverage Diff             @@
##           master   #10059      +/-   ##
==========================================
- Coverage   82.45%   82.35%   -0.10%     
==========================================
  Files         972      972              
  Lines      271461   271475      +14     
==========================================
- Hits       223822   223565     -257     
- Misses      47639    47910     +271     
Flag              Coverage          Δ
fuzzcorpus        64.12% <57.14%>   (-0.20%) ⬇️
suricata-verify   61.36% <14.28%>   (-0.02%) ⬇️
unittests         62.82% <14.28%>   (-0.01%) ⬇️

Flags with carried forward coverage won't be shown.

@catenacyber

Is there a SV test?

@suricata-qa

Information: QA ran without warnings.

Pipeline 17098

@victorjulien victorjulien added the needs verify Needs (a) Suricata-verify test(s) label Dec 15, 2023
@@ -1498,6 +1499,16 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, const uint8_t *input,

switch (ssl_state->curr_connp->handshake_type) {
case SSLV3_HS_CLIENT_HELLO:
if (ssl_state->flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) {
SSLSetEvent(ssl_state, TLS_DECODER_EVENT_DUPLICATE_HANDSHAKE_MESSAGE);
if (ssl_state->client_connp.ja3_str) {
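Review bot: the `if (ssl_state->client_connp.ja3_str)` branch that follows the duplicate event is not explained by the commit message, which says the second ClientHello is simply ignored; if that branch frees or resets the JA3 string built from the first hello, the parser throws away exactly the fingerprint this change is meant to protect. Suggest returning right after `SSLSetEvent(ssl_state, TLS_DECODER_EVENT_DUPLICATE_HANDSHAKE_MESSAGE);` so the first hello's state, ja3_str included, is left untouched, or adding a comment stating why ja3_str must be handled here; a suricata-verify test with a duplicate-ClientHello pcap asserting both the event and the first hello's JA3 hash would pin the intended behaviour down.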

why is the ja3 stuff freed here?

@victorjulien victorjulien left a comment


see inline comments/requests

Please also add the ticket number to the commit.


@victorjulien

Is the PCAP in https://redmine.openinfosecfoundation.org/issues/7016 useful for a test @regit ?
