ssl: detect duplicate client handshake
Some invalid implementations of TLS have been seen where the client is sending two handshake messages at start. The result was a problem with JA3 generation.
As it is invalid if we follow the RFC, let's ignore the second message.
Make sure these boxes are signed before submitting your Pull Request -- thank you.
- [x] I have read the contributing guidelines at https://docs.suricata.io/en/latest/devguide/codebase/contributing/contribution-process.html
- [x] I have signed the Open Information Security Foundation contribution agreement at https://suricata.io/about/contribution-agreement/ (note: this is only required once)
- [ ] I have updated the user guide (in doc/userguide/) to reflect the changes made (if applicable)
Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/6634
Describe changes:
- handle the case where 2 hello messages are sent by client
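A sketch of the behaviour described above, added here as an example and not taken from the Suricata code base or this PR: the first ClientHello is kept as the only fingerprint input and any later one is counted and skipped. `ClientState`, `track_client_hello` and `dup_sample` are hypothetical names; the code assumes client-to-server bytes only, unfragmented handshake messages, and leaves the JA3 computation itself out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-flow state for this example (not Suricata's structures). */
typedef struct {
    int duplicates;        /* later ClientHellos that were ignored */
    const uint8_t *hello;  /* body of the first ClientHello: the only JA3 input */
    size_t hello_len;
} ClientState;
/* Walk client-to-server TLS records; keep the first ClientHello, count the rest.
 * Assumes unfragmented handshake messages. Returns 0, or -1 on truncated input. */
int track_client_hello(ClientState *st, const uint8_t *buf, size_t len)
{
    size_t off = 0;
    while (off + 5 <= len) {
        uint8_t rec_type = buf[off];                 /* 22 = handshake record */
        size_t rec_len = ((size_t)buf[off + 3] << 8) | buf[off + 4];
        off += 5;
        if (rec_len > len - off) return -1;          /* record body truncated */
        size_t end = off + rec_len;
        while (rec_type == 22 && off + 4 <= end) {
            uint8_t msg_type = buf[off];             /* 1 = ClientHello */
            size_t msg_len = ((size_t)buf[off + 1] << 16) |
                             ((size_t)buf[off + 2] << 8) | buf[off + 3];
            off += 4;
            if (msg_len > end - off) return -1;      /* message overruns record */
            if (msg_type == 1 && st->hello) {
                st->duplicates++;                    /* ignore: JA3 input untouched */
            } else if (msg_type == 1) {
                st->hello = buf + off;
                st->hello_len = msg_len;
            }
            off += msg_len;
        }
        off = end;
    }
    return off == len ? 0 : -1;
}
/* Constructed sample: two handshake records, each holding one ClientHello with
 * a 2-byte placeholder body (0xAA.. then 0xBB..), not a real hello. */
static const uint8_t dup_sample[] = {
    0x16, 0x03, 0x01, 0x00, 0x06, 0x01, 0x00, 0x00, 0x02, 0xAA, 0xAA,
    0x16, 0x03, 0x01, 0x00, 0x06, 0x01, 0x00, 0x00, 0x02, 0xBB, 0xBB };

int main(void) {
    ClientState st = {0};
    int rc = track_client_hello(&st, dup_sample, sizeof dup_sample);
    printf("rc=%d duplicates=%d first_hello_len=%zu\n", rc, st.duplicates, st.hello_len);
    return rc;
}
```

A non-zero `duplicates` count is the kind of condition a sensor can surface as a protocol anomaly while the fingerprint stays tied to the first hello.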
Codecov Report
Merging #10059 (2edb102) into master (7d95c4c) will decrease coverage by 0.10%. The diff coverage is 57.14%.
Additional details and impacted files
@@ Coverage Diff @@
## master #10059 +/- ##
==========================================
- Coverage 82.45% 82.35% -0.10%
==========================================
Files 972 972
Lines 271461 271475 +14
==========================================
- Hits 223822 223565 -257
- Misses 47639 47910 +271
Flag | Coverage Δ | |
---|---|---|
fuzzcorpus | 64.12% <57.14%> (-0.20%) | :arrow_down: |
suricata-verify | 61.36% <14.28%> (-0.02%) | :arrow_down: |
unittests | 62.82% <14.28%> (-0.01%) | :arrow_down: |
Flags with carried forward coverage won't be shown.
Is there an SV test?
Information: QA ran without warnings.
Pipeline 17098
Is the PCAP in https://redmine.openinfosecfoundation.org/issues/7016 useful for a test, @regit?
@regit are you planning to revisit this soon?