From 1e2ba6ebfb22a3abf1d31452794f76b81cb86c19 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 25 Nov 2014 13:11:06 -0800 Subject: [PATCH] make sslv2 protocol tests more strict - in its current state they triggered on http traffic over port 443 sometimes. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sorry, no test because that specific traffic is a tad hard to get. Found by Michał Purzyński. --- src/analyzer/protocol/ssl/ssl-protocol.pac | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac index 8e7f7a221d..6011f2b837 100644 --- a/src/analyzer/protocol/ssl/ssl-protocol.pac +++ b/src/analyzer/protocol/ssl/ssl-protocol.pac @@ -36,7 +36,7 @@ type SSLRecord(is_orig: bool) = record { } &length = length+5, &byteorder=bigendian, &let { version : int = - $context.connection.determine_ssl_record_layer(head0, head1, head2, head3, head4); + $context.connection.determine_ssl_record_layer(head0, head1, head2, head3, head4, is_orig); content_type : int = case version of { SSLv20 -> head2+300; @@ -748,7 +748,7 @@ refine connection SSL_Conn += { %} function determine_ssl_record_layer(head0 : uint8, head1 : uint8, - head2 : uint8, head3: uint8, head4: uint8) : int + head2 : uint8, head3: uint8, head4: uint8, is_orig: bool) : int %{ // re-check record layer version to be sure that we still are synchronized with // the data stream @@ -768,7 +768,7 @@ refine connection SSL_Conn += { if ( head0 & 0x80 ) { - if ( head2 == 0x01 ) // SSLv2 client hello. + if ( head2 == 0x01 && is_orig ) // SSLv2 client hello. { uint16 version = (head3 << 8) | head4; if ( version != SSLv20 && version != SSLv30 && version != TLSv10 && 
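Review bot: The new `is_orig` condition on the SSLv2 client-hello branch (and the matching `!is_orig` on the server-hello branch in the following hunk) depends on the analyzer's idea of the originator being correct, and no comment records that assumption. If a connection is picked up midstream or with its endpoints flipped, a genuine SSLv2 hello would presumably stop matching and fall through to the rest of the chain, which lies outside the hunk. A comment above the test would make the tradeoff visible, for example `// Only the originator sends a client hello; requiring is_orig keeps plain HTTP on port 443 from matching.` The body of determine_ssl_record_layer starts and ends outside the hunk.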
@@ -782,7 +782,7 @@ refine connection SSL_Conn += { return SSLv20; } - else if ( head2 == 0x04 ) // SSLv2 server hello. This connection will continue using SSLv2. + else if ( head2 == 0x04 && head4 < 2 && !is_orig ) // SSLv2 server hello. This connection will continue using SSLv2. { record_layer_version_ = SSLv20; return SSLv20;
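Review bot: The added `head4 < 2` test in the SSLv2 server-hello branch is a bare magic number with no explanation. If head4 is the certificate-type byte of the SSLv2 SERVER-HELLO, which follows the message-type and session-id-hit bytes in that layout, the line should say so, e.g. `// head4 = certificate type: 0 on a session-id hit, 1 for X.509`. Under the same reading head3 is the session-id-hit flag and is left unconstrained; adding `head3 < 2` would tighten the match further, assuming implementations only send 0 or 1 there. Unlike the client-hello branch, this one sets `record_layer_version_ = SSLv20` without any version check, so a wrong match appears to persist for the connection.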