From 14d265482a3793c65f3c9461fdfb7f790ab509b2 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Mon, 4 Aug 2014 22:16:09 -0700
Subject: [PATCH] add information about server chosen protocol to ssl.log, if provided by alpn. This is e.g. used to negotiate spdy or http/2
---
 scripts/base/protocols/ssl/main.bro | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index 61e6e438db..e491c915fa 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -41,6 +41,9 @@ export {
 client_key_exchange_seen: bool &default=F;
 ## Last alert that was seen during the connection.
 last_alert: string &log &optional;
+ ## Next protocol the server chose using the application layer
+ ## next protocol extension, if present.
+ next_protocol: string &log &optional;
 
 ## The analyzer ID used for the analyzer instance attached
 ## to each connection. It is not used for logging since it's a
@@ -199,6 +202,17 @@ event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec)
 }
 }
 
+event ssl_extension_application_layer_protocol_negotiation(c: connection, is_orig: bool, protocols: string_vec)
+ {
+ set_session(c);
+
+ if ( is_orig )
+ return;
+
+ if ( |protocols| > 0 )
+ c$ssl$next_protocol = protocols[0];
+ }
+
 event ssl_handshake_message(c: connection, is_orig: bool, msg_type: count, length: count) &priority=5
 {
 set_session(c);
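Review bot: The doc comment on `next_protocol` names the source as the "application layer next protocol extension", which blurs ALPN with the older NPN extension. The handler added later in this patch fills the field only from the server side of the ALPN event. Suggest `## Protocol the server selected via the ALPN (application-layer protocol negotiation) extension, if present.` so that anyone reading ssl.log knows which extension the value comes from. The enclosing record starts and ends outside the hunk.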
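Review bot: The new `ssl_extension_application_layer_protocol_negotiation` handler carries no `&priority` attribute, while the `ssl_handshake_message` handler directly below it is declared `&priority=5`. If the base script's handlers are meant to run ahead of default-priority user handlers, a user script handling the same event may not yet see `c$ssl$next_protocol`; consider ending the signature with `protocols: string_vec) &priority=5`. A comment above the assignment would also help, for example `# Server reply should carry exactly one protocol (RFC 7301); the value is server-supplied and not checked against the client's offer.` That caveat matters for anyone building detections on the field, because the client's list is discarded by the `is_orig` return and any extra server entries are silently ignored.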