Make ssl_history work for SSLv2 handshakes/connections

It turns out that the ssl_history field never was populated with C/S for
SSLv2 connections, or connections using the SSLv2 handshake. In our
testcases, the latter is especially common - with connections up to TLS1
using the old SSLv2 client hello for backwards compatibility.

This change resolves this issue. As the history is not enabled by default
in many locations, the baseline impact is minor.
Johanna Amann 2024-08-13 17:58:48 +01:00
parent 44a3ed676b
commit 1fe6a02169
5 changed files with 14 additions and 4 deletions


@ -282,6 +282,11 @@ event ssl_client_hello(c: connection, version: count, record_version: count, pos
c$ssl$session_id = bytestring_to_hexstr(session_id);
c$ssl$client_ticket_empty_session_seen = F;
}
# add manually for SSLv2, since the handshake_message event is not raised, as there is no handshake protocol.
# We don't really have a direction in that case
if ( version == 2 )
add_to_history(c, T, "c");
}
event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
@ -302,6 +307,11 @@ event ssl_server_hello(c: connection, version: count, record_version: count, pos
if ( c$ssl?$session_id && c$ssl$session_id == bytestring_to_hexstr(session_id) && c$ssl$version_num/0xFF != 0x7F && c$ssl$version_num != TLSv13 )
c$ssl$resumed = T;
# add manually for SSLv2, since the handshake_message event is not raised, as there is no handshake protocol.
# We don't really have a direction in that case
if ( version == 2 )
add_to_history(c, F, "s");
}
event ssl_extension_supported_versions(c: connection, is_client: bool, versions: index_vec)
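Review bot: Both new checks compare against the bare literal, `if ( version == 2 )`, in ssl_client_hello and again in ssl_server_hello, while the neighbouring resumption check uses the named constant `TLSv13`; writing `if ( version == SSLv2 )` would be consistent with that and easier to search for. The comment "We don't really have a direction in that case" reads oddly next to calls that pass an explicit `T` or `F` as the second argument, so it could say instead `# SSLv2 has no handshake layer; record the hello here, with the side taken from which hello event fired`. The description also mentions SSLv2-format client hellos on connections that end up negotiating up to TLS1; if `version` carries the advertised version rather than 2 in that case, the client-side "c" would still be missing, which is worth confirming against one of those traces since the history field is often used to spot legacy or downgraded handshakes. Both handler bodies start outside the visible hunks, so this is based only on the lines shown.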