Merge remote-tracking branch 'origin/topic/johanna/1323'

* origin/topic/johanna/1323: TLS 1.3 changes: Address review feedback Add one more TLS 1.3 testcase and update NEWS Fix TLS 1.3 session resumption detection. Introduce ssl_probable_encrypted_handshake_message event SSL Analyzer: ignore CCS for TLS 1.3 TLS analyzer: change logic to track TLS 1.3 connection establishment
2025-10-02 06:38:20 +00:00 · 2020-12-22 10:58:13 -08:00 · 2020-12-22 10:58:13 -08:00 · 604fbea00d
commit 604fbea00d
parent b4968de3ea 886d7178ef
24 changed files with 558 additions and 249 deletions
--- a/40
+++ b/40
@ -1,4 +1,44 @@
 4.1.0-dev.19 | 2020-12-22 10:58:13 -0800
  * Add new TLS 1.3 constants. (Johanna Amann)
  * Fix TLS 1.3 session resumption detection. (Johanna Amann)
    Now we detect TLS 1.3 session resumption by looking if both sides have
    the PSK extension set, which is much more exact than the previous
    approach.
  * Introduce ssl_probable_encrypted_handshake_message event (Johanna Amann)
    This event is raised for messages that (probably) are TLS 1.3 handshake
    messages, including finished. This allows scripts to examine handshake
    messages without having to handle all encrypted messages.
  * SSL Analyzer: ignore CCS for TLS 1.3 (Johanna Amann)
    In TLS 1.3, the ChangeCipherSpec message is meaningless; it only is
    included to convince middleboxes that the devices actually are speaking
    TLS 1.2. Nowadays some TLS 1.3 implementations also just don't send the
    packet.
    In a push to unify our handling of TLS 1.3 connections - ignore CCS and
    always go with application data packet counting to determine if
    connections are or are not encrypted.
  * GH-1323: TLS analyzer: change logic to track TLS 1.3 connection establishment (Johanna Amann)
    This commit changes the logic that is used to tracks connection
    establishment - and moves it from scriptland into the core.
    TLS 1.3 connection establishment is much more finnicky for us than the
    establishment of earlier versions - since we cannot rely on the CCS
    message anymore (which is meaningless and not sent in a lot of cases).
    With this commit, the ssl_encrypted_data message gets raised for
    encrypted TLS 1.3 handshake messages - which is much more correct than
    the behavior before that just interpreted them as plaintext messages.
 4.1.0-dev.12 | 2020-12-21 10:55:13 -0800
  * Add MacOS Big Sur to CI (Christian Kreibich, Corelight)
--- a/33
+++ b/33
@ -172,11 +172,13 @@ New Functionality
  Configuring with ``--disable-zkg`` disables the zkg inclusion. You
  can continue to install and use zkg independently. You're also free
  to use the config file in ``$prefix/etc/zkg/config`` with other zkg
-  installations. 
+  installations.
  The zkg source tree resides in ``auxil/package-manager`` as an
  additional Git submodule.
 - Added a new ``ssl_probable_encrypted_handshake_message`` event, which
  is raised for encrypted TLS 1.3 handshake messages.
 Changed Functionality
 ---------------------
@ -256,6 +258,31 @@ Changed Functionality
  can be triggered by anybody controlling one of the endpoints (instead
  of both).  For discussion, see https://github.com/zeek/zeek/issues/343.
 - TLS 1.3 support was improved in several ways:
  * In the past, some TLS 1.3 sessions were misidentified as using session
    resumption when, in fact, they were not resumed. This was caused by
    the TLS session ID which no longer has any meaning in TLS 1.3. This was
    fixed.
  * Similarly, in the past, TLS 1.3 sessions that use TLS 1.3 PSKs for
    session resumption were not marked as resumed. This also was fixed.
  * The way in which session establishment for TLS 1.3 is performed was
    rewritten. This causes the ``ssl_encrypted_data`` event to be correctly
    raised; in the past this did not work for some sessions. A new
    ``ssl_probable_encrypted_handshake_message`` event was added that is
    raised for encrypted TLS 1.3 handshake packets.
  * In the same vein, hello retry requests in TLS 1.3 should now always
    be handled correctly; in the past this only happened in some cases.
    Please note: When a connection uses Hello Retry requests you will see
    two client hello and two server hello events in a single connection.
    This happened in the past, but may become more common now; this might
    trigger unexpected behavior in your scripts.
 Removed Functionality
 ---------------------
@ -283,6 +310,10 @@ Removed Functionality
  the Zeek distribution and will get built unless overridden with the
  ``--with-caf=`` configuration option.
 - ``server_appdata`` and ``client_appdata`` were removed from ``SSL::Info``.
  These variables were only used internally, and did not give a correct counts
  in all circumstances.
 Deprecated Functionality
 ------------------------
--- a/2
+++ b/2
@ -1 +1 @@
-4.1.0-dev.12
+4.1.0-dev.19
--- a/scripts/base/protocols/ssl/consts.zeek
+++ b/scripts/base/protocols/ssl/consts.zeek
@ -137,6 +137,53 @@ export {
 		[120] = "no_application_protocol",
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 	# Map SSL Extension values to consts for easier readability of code.
 	# More information can be found here:
 	# http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xml
 	const SSL_EXTENSION_SERVER_NAME = 0;
 	const SSL_EXTENSION_MAX_FRAGMENT_LENGTH = 1;
 	const SSL_EXTENSION_CLIENT_CERTIFICATE_URL = 2;
 	const SSL_EXTENSION_TRUSTED_CA_KEYS = 3;
 	const SSL_EXTENSION_TRUNCATED_HMAC = 4;
 	const SSL_EXTENSION_STATUS_REQUEST = 5;
 	const SSL_EXTENSION_USER_MAPPING = 6;
 	const SSL_EXTENSION_CLIENT_AUTHZ = 7;
 	const SSL_EXTENSION_SERVER_AUTHZ = 8;
 	const SSL_EXTENSION_CERT_TYPE = 9;
 	const SSL_EXTENSION_SUPPORTED_GROUPS = 10;
 	const SSL_EXTENSION_EC_POINT_FORMATS = 11;
 	const SSL_EXTENSION_SRP = 12;
 	const SSL_EXTENSION_SIGNATURE_ALGORITHMS = 13;
 	const SSL_EXTENSION_USE_SRTP = 14;
 	const SSL_EXTENSION_HEARTBEAT = 15;
 	const SSL_EXTENSION_APPLICATION_LAYER_PROTOCOL_NEGOTIATION = 16;
 	const SSL_EXTENSION_STATUS_REQUEST_V2 = 17;
 	const SSL_EXTENSION_SIGNED_CERTIFICATE_TIMESTAMP = 18;
 	const SSL_EXTENSION_CLIENT_CERTIFICATE_TYPE = 19;
 	const SSL_EXTENSION_SERVER_CERTIFICATE_TYPE = 20;
 	const SSL_EXTENSION_PADDING = 21;
 	const SSL_EXTENSION_ENCRYPT_THEN_MAC = 22;
 	const SSL_EXTENSION_EXTENDED_MASTER_SECRET = 23;
 	const SSL_EXTENSION_TOKEN_BINDING = 24;
 	const SSL_EXTENSION_CACHED_INFO = 25;
 	const SSL_EXTENSION_SESSIONTICKET_TLS = 35;
 	const SSL_EXTENSION_KEY_SHARE = 40;
 	const SSL_EXTENSION_PRE_SHARED_KEY = 41;
 	const SSL_EXTENSION_EARLY_DATA = 42;
 	const SSL_EXTENSION_SUPPORTED_VERSIONS = 43;
 	const SSL_EXTENSION_COOKIE = 44;
 	const SSL_EXTENSION_PSK_KEY_EXCHANGE_MODES = 45;
 	const SSL_EXTENSION_TICKETEARLYDATAINFO = 46;
 	const SSL_EXTENSION_CERTIFICATE_AUTHORITIES = 47;
 	const SSL_EXTENSION_OID_FILTERS = 48;
 	const SSL_EXTENSION_NEXT_PROTOCOL_NEGOTIATION = 13172;
 	const SSL_EXTENSION_ORIGIN_BOUND_CERTIFICATES = 13175;
 	const SSL_EXTENSION_ENCRYPTED_CLIENT_CERTIFICATES = 13180;
 	const SSL_EXTENSION_CHANNEL_ID = 30031;
 	const SSL_EXTENSION_CHANNEL_ID_NEW = 30032;
 	const SSL_EXTENSION_PADDING_TEMP = 35655;
 	const SSL_EXTENSION_RENEGOTIATION_INFO = 65281;
 	## Mapping between numeric codes and human readable strings for SSL/TLS
 	## extensions.
 	# More information can be found here:
--- a/scripts/base/protocols/ssl/main.zeek
+++ b/scripts/base/protocols/ssl/main.zeek
@ -46,12 +46,10 @@ export {
 		## by the client. This value is used to determine if a session
 		## is being resumed. It's not logged.
 		client_key_exchange_seen: bool     &default=F;
-		## Count to track if the server already sent an application data
+		## Track if the client sent a pre-shared-key extension.
-		## packet for TLS 1.3. Used to track when a session was established.
+		## Used to determine if a TLS 1.3 session is being resumed.
-		server_appdata:   count            &default=0;
+		## Not logged.
-		## Flag to track if the client already sent an application data
+		client_psk_seen: bool     &default=F;
 		## packet for TLS 1.3. Used to track when a session was established.
 		client_appdata:   bool             &default=F;
 		## Last alert that was seen during the connection.
 		last_alert:       string           &log &optional;
@ -237,7 +235,7 @@ event ssl_server_hello(c: connection, version: count, record_version: count, pos
 		}
 	c$ssl$cipher = cipher_desc[cipher];
-	if ( c$ssl?$session_id && c$ssl$session_id == bytestring_to_hexstr(session_id) )
+	if ( c$ssl?$session_id && c$ssl$session_id == bytestring_to_hexstr(session_id) && c$ssl$version_num/0xFF != 0x7F && c$ssl$version_num != TLSv13 )
 		c$ssl$resumed = T;
 	}
@ -305,10 +303,16 @@ event ssl_extension(c: connection, is_orig: bool, code: count, val: string) &pri
 	{
 	set_session(c);
-	if ( is_orig && SSL::extensions[code] == "SessionTicket TLS" && |val| > 0 )
+	if ( is_orig && code == SSL_EXTENSION_SESSIONTICKET_TLS && |val| > 0 )
 		# In this case, we might have an empty ID. Set back to F in client_hello event
 		# if it is not empty after all.
 		c$ssl$client_ticket_empty_session_seen = T;
 	else if ( is_orig && code == SSL_EXTENSION_PRE_SHARED_KEY )
 		# In this case, the client sent a PSK extension which can be used for resumption
 		c$ssl$client_psk_seen = T;
 	else if ( ! is_orig && code == SSL_EXTENSION_PRE_SHARED_KEY && c$ssl$client_psk_seen )
 		# In this case, the server accepted the PSK offered by the client.
 		c$ssl$resumed = T;
 	}
 event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=5
@ -370,41 +374,8 @@ event ssl_plaintext_data(c: connection, is_orig: bool, record_version: count, co
 	if ( ! c$ssl?$version || c$ssl$established || content_type != APPLICATION_DATA )
 		return;
-	if ( c$ssl$version_num/0xFF != 0x7F && c$ssl$version_num != TLSv13 )
+	local wi = Weird::Info($ts=network_time(), $name="ssl_early_application_data", $uid=c$uid, $id=c$id);
-		{
+	Weird::weird(wi);
 		local wi = Weird::Info($ts=network_time(), $name="ssl_early_application_data", $uid=c$uid, $id=c$id);
 		Weird::weird(wi);
 		return;
 		}
 	if ( is_orig )
 		{
 		c$ssl$client_appdata = T;
 		return;
 		}
 	if ( c$ssl$client_appdata && c$ssl$server_appdata == 0 )
 		{
 		# something went wrong in the handshake here - we can't say if it was established. Just abort.
 		return;
 		}
  else if ( ! c$ssl$client_appdata && c$ssl$server_appdata == 0 )
 		{
 		c$ssl$server_appdata = 1;
 		return;
 		}
 	else if ( c$ssl$client_appdata && c$ssl$server_appdata == 1 )
 		{
 		# wait for one more packet before we believe it was established. This one could be an encrypted alert.
 		c$ssl$server_appdata = 2;
 		return;
 		}
 	else if ( c$ssl$client_appdata && c$ssl$server_appdata == 2 )
 		{
 		set_ssl_established(c);
 		event ssl_established(c);
 		return;
 		}
 	}
 event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
--- a/src/analyzer/protocol/ssl/DTLS.cc
+++ b/src/analyzer/protocol/ssl/DTLS.cc
@ -48,6 +48,10 @@ void DTLS_Analyzer::EndOfData(bool is_orig)
 	handshake_interp->FlowEOF(is_orig);
 	}
 uint16_t DTLS_Analyzer::GetNegotiatedVersion() const
  {
  return handshake_interp->chosen_version();
  }
 void DTLS_Analyzer::SendHandshake(uint16_t raw_tls_version, uint8_t msg_type, uint32_t length, const u_char* begin, const u_char* end, bool orig)
 	{
--- a/src/analyzer/protocol/ssl/DTLS.h
+++ b/src/analyzer/protocol/ssl/DTLS.h
@ -21,7 +21,8 @@ public:
 	void EndOfData(bool is_orig) override;
 	void SendHandshake(uint16_t raw_tls_version, uint8_t msg_type, uint32_t length, const u_char* begin, const u_char* end, bool orig);
-
+	// Get the TLS version that the server chose. 0 if not yet known.
 	uint16_t GetNegotiatedVersion() const;
 	static analyzer::Analyzer* Instantiate(Connection* conn)
 		{ return new DTLS_Analyzer(conn); }
--- a/src/analyzer/protocol/ssl/SSL.cc
+++ b/src/analyzer/protocol/ssl/SSL.cc
@ -48,6 +48,11 @@ void SSL_Analyzer::StartEncryption()
 	interp->setEstablished();
 	}
 uint16_t SSL_Analyzer::GetNegotiatedVersion() const
 	{
 	return handshake_interp->chosen_version();
 	}
 void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
 	analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
--- a/src/analyzer/protocol/ssl/SSL.h
+++ b/src/analyzer/protocol/ssl/SSL.h
@ -24,6 +24,8 @@ public:
 	// Tell the analyzer that encryption has started.
 	void StartEncryption();
 	// Get the TLS version that the server chose. 0 if not yet known.
 	uint16_t GetNegotiatedVersion() const;
 	// Overriden from analyzer::tcp::TCP_ApplicationAnalyzer.
 	void EndpointEOF(bool is_orig) override;
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@ -559,9 +559,42 @@ event ssl_plaintext_data%(c: connection, is_orig: bool, record_version: count, c
 ## length: length of the entire message.
 ##
 ## .. zeek:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
-##    ssl_alert ssl_heartbeat
+##    ssl_alert ssl_heartbeat ssl_probable_encrypted_handshake_message
 event ssl_encrypted_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count%);
 ## This event is generated for application data records of TLS 1.3 connections of which
 ## we suspect that they contain handshake messages.
 ##
 ## In TLS 1.3, large parts of the handshake are encrypted; the only cleartext packets
 ## typically exchanged are the client hello and the server hello. The first few packets
 ## after the client and server hello, however, are a continuation of the handshake and
 ## still include handshake data.
 ##
 ## This event is raised for these packets of which we suspect that they are handshake records,
 ## including the finished record.
 ##
 ## The heuristic for this is: all application data record after the server hello are
 ## handshake records until at least one application data record has been received
 ## from both the server and the client. Typically, the server will send more records
 ## before the client sends the first application data record; and the first application
 ## data record of the client will typically include the finished message.
 ##
 ## Given the encrypted nature of the protocol, in some cases this determination is
 ## not correct; the client can send more handshake packets before the finished message, e.g.,
 ## when client certificates are used.
 ##
 ## Note that :zeek:see::ssl_encrypted_data is also raised for these messages.
 ##
 ## c: The connection.
 ##
 ## is_orig: True if event is raised for originator side of the connection.
 ##
 ## length: length of the entire message.
 ##
 ## .. zeek:see::  ssl_client_hello ssl_established ssl_server_hello
 ##    ssl_encrypted_data
 event ssl_probable_encrypted_handshake_message%(c: connection, is_orig: bool, length: count%);
 ## This event contains the OCSP response contained in a Certificate Status Request
 ## message, when the client requested OCSP stapling and the server supports it.
 ## See description in :rfc:`6066`.
--- a/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
@ -45,9 +45,16 @@ refine connection SSL_Conn += {
 	function proc_ciphertext_record(rec : SSLRecord) : bool
 		%{
-		 if ( client_state_ == STATE_ENCRYPTED &&
+		if ( established_ == false && determine_tls13() == 1 )
-		      server_state_ == STATE_ENCRYPTED &&
+			{
-		      established_ == false )
+			if ( ssl_probable_encrypted_handshake_message )
 				zeek::BifEvent::enqueue_ssl_probable_encrypted_handshake_message(zeek_analyzer(),
 					zeek_analyzer()->Conn(), ${rec.is_orig}, ${rec.length});
 			}
 		if ( client_state_ == STATE_ENCRYPTED &&
 		     server_state_ == STATE_ENCRYPTED &&
 		     established_ == false )
 			{
 			established_ = true;
 			if ( ssl_established )
--- a/src/analyzer/protocol/ssl/ssl-dtls-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-dtls-protocol.pac
@ -44,8 +44,15 @@ enum AnalyzerState {
 type ChangeCipherSpec(rec: SSLRecord) = record {
 	type : uint8;
 } &length = 1, &let {
-	state_changed : bool =
+	# I know this looks a bit weird. Basically - in TLS 1.3, CCS is meaningless
-		$context.connection.startEncryption(rec.is_orig);
+	# fluff that just is used to pretend to TLS 1.2 devices listening in that
 	# yes, this is TLS. Since we want to know which packets come after this,
 	# and since we do have special handling for TLS 1.3 - let's ignore it in
 	# that case.
 	state_changed : bool = case $context.connection.determine_tls13() of {
 		1 -> false;
 		0 -> $context.connection.startEncryption(rec.is_orig);
 	};
 };
@ -130,4 +137,14 @@ refine connection SSL_Conn += {
 			server_state_ = STATE_ENCRYPTED;
 		return true;
 		%}
 	function determine_tls13() : int
 		%{
 		// let's be conservative and only return yes if it has a valid TLS 1.3 version number here.
 		uint16_t negotiated_version = zeek_analyzer()->GetNegotiatedVersion();
 		if ( negotiated_version == TLSv13 || negotiated_version/0xFF == 0x7F )
 			return 1;
 		return 0;
 		%}
 };
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@ -30,10 +30,10 @@ type SSLRecord(is_orig: bool) = record {
 		UNKNOWN_VERSION -> 0;
 		SSLv20 -> (((head0 & 0x7f) << 8) | head1) - 3;
 		default -> (head3 << 8) | head4;
-	};
+	} &requires(version);
 };
-type RecordText(rec: SSLRecord) = case $context.connection.state(rec.is_orig) of {
+type RecordText(rec: SSLRecord) = case $context.connection.determine_state(rec.is_orig, rec.content_type) of {
 	STATE_ENCRYPTED
 		-> ciphertext : CiphertextRecord(rec);
 	default
@ -137,6 +137,49 @@ type SSLPDU(is_orig: bool) = record {
 refine connection SSL_Conn += {
 	## So - this falls a bit under the envelope of dirty hack - but I don't
 	## really have a better idea. This function determines if a packet should
 	## be handled as an encrypted or as a plaintext packet.
 	##
 	## For TLS 1.2 and below - this is relatively straightforward. Everything
 	## that arrives before CCS (Change Cipher Spec) is a plaintext record. And
 	## everything that arrives after CCS will be encrypted.
 	##
 	## TLS 1.3, however, messes this up a bunch. Some clients still choose to
 	## send a CCS message. The message, however, is pretty much meaningless
 	## from a protocol perspective - and just ignored by the other side. Also -
 	## it is not necessary to send it and some implementations just don't.
 	##
 	## So - what we do here is that we enable the encrypted flag when we get
 	## the first application data in a connection that negotiated TLS 1.3.
 	##
 	## This is correct insofar as the packet will be encrypted. We sadly loose
 	## a bit of context here - we can't really say when we get the first packet
 	## that uses the final cryptographic key material - and will contain content
 	## data. We just don't have that information available in TLS 1.3 anymore.
 	function determine_state(is_orig: bool, content_type: int) : int
 		%{
 		int current_state = state(is_orig);
 		if ( current_state == STATE_ENCRYPTED || content_type != APPLICATION_DATA )
 			return current_state;
 		// state = STATE_CLEAR && content_type == APPLICATION_DATA
 		uint16_t negotiated_version = zeek_analyzer()->GetNegotiatedVersion();
 		// in theory, we should check for TLS13 or draft-TLS13 instead of doing the reverse.
 		// But - people use weird version numbers. And all of those weird version numbers are
 		// some sort of TLS1.3. So - let's do it this way round instead.
 		if ( negotiated_version != SSLv20 && negotiated_version != SSLv30 && negotiated_version != TLSv10 && negotiated_version != TLSv11 && negotiated_version != TLSv12 )
 			{
 			// well, it seems like this is a TLS 1.3 (or equivalent) applicatio data packet. Let's enable encryption
 			// and handle it as encrypted.
 			startEncryption(is_orig);
 			return STATE_ENCRYPTED;
 			}
 		return current_state; // has to be STATE_CLEAR
 		%}
 	function determine_ssl_record_layer(head0 : uint8, head1 : uint8,
 					head2 : uint8, head3: uint8, head4: uint8, is_orig: bool) : int
 		%{
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
@ -795,10 +795,14 @@ type SupportedVersions(rec: HandshakeRecord) = record {
 	versions: uint16[] &until($input.length() == 0);
 } &length=length+1;
 # If the server sends it, this is the authorative version. Set it.
 type OneSupportedVersion(rec: HandshakeRecord) = record {
 	version: uint16;
 } &let {
 	version_set : bool = $context.connection.set_version(version);
 };
 type PSKKeyExchangeModes(rec: HandshakeRecord) = record {
 	length: uint8;
 	modes: uint8[] &until($input.length() == 0);
@ -944,6 +948,7 @@ refine connection Handshake_Conn += {
 	%init{
 		chosen_cipher_ = NO_CHOSEN_CIPHER;
 		chosen_version_ = UNKNOWN_VERSION;
 		record_version_ = 0;
 	%}
@ -955,10 +960,18 @@ refine connection Handshake_Conn += {
 		return true;
 		%}
-	function chosen_version() : int %{ return chosen_version_; %}
+	function chosen_version() : uint16 %{ return chosen_version_; %}
 	# This function is called several times in certain circumstances.
 	# If it is called twice, it is first called due to the supported_versions
 	# field in the server hello - and then again due to the outer version in
 	# the server hello. So - once we have a version here, let's just stick
 	# with it.
 	function set_version(version: uint16) : bool
 		%{
 		if ( chosen_version_ != UNKNOWN_VERSION )
 			return false;
 		chosen_version_ = version;
 		return true;
 		%}
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-version/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-version/ssl.log
@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.86.23	63449	52.32.149.186	443	TLSv13-draft23	TLS_AES_128_GCM_SHA256	x25519	tls13.crypto.mozilla.org	T	-	-	T	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.86.23	63449	52.32.149.186	443	TLSv13-draft23	TLS_AES_128_GCM_SHA256	x25519	tls13.crypto.mozilla.org	F	-	-	T	-	-	-	-	-	-
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/.stdout
@ -1,4 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 tls13draft16-chrome55.0.2879.0-canary-aborted.pcap
 key_share, [orig_h=192.168.6.203, orig_p=53226/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
 unknown-27242
 x25519
@ -7,6 +8,7 @@ key_share, [orig_h=192.168.6.203, orig_p=53227/tcp, resp_h=52.32.149.186, resp_p
 unknown-19018
 x25519
 client, TLSv10, TLSv12
 tls13draft16-chrome55.0.2879.0-canary.pcap
 key_share, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
 unknown-43690
 x25519
@ -14,6 +16,13 @@ client, TLSv10, TLSv12
 key_share, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
 x25519
 server, TLSv10, TLSv13-draft14
 encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 established, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
 encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53994/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
 unknown-60138
 x25519
@ -21,17 +30,30 @@ client, TLSv10, TLSv12
 key_share, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
 x25519
 server, TLSv10, TLSv13-draft14
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 established, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.168.6.203, orig_p=53996/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 tls13draft16-ff52.a01-aborted.pcap
 key_share, [orig_h=192.150.187.20, orig_p=54980/tcp, resp_h=52.32.149.186, resp_p=443/tcp], T
 x25519
 secp256r1
 secp384r1
 client, TLSv10, TLSv12
 client, TLSv10, TLSv12
 tls13draft16-ff52.a01.pcap
 key_share, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
 x25519
 secp256r1
@ -40,6 +62,12 @@ client, TLSv10, TLSv12
 key_share, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
 secp384r1
 server, TLSv10, TLSv13-draft16
 encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36778/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 key_share, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T
 x25519
 secp256r1
@ -48,13 +76,23 @@ client, TLSv10, TLSv12
 key_share, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F
 secp384r1
 server, TLSv10, TLSv13-draft16
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 established, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp]
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], T, TLSv10, 23
 encrypted, [orig_h=192.150.187.20, orig_p=36782/tcp, resp_h=138.68.41.77, resp_p=443/tcp], F, TLSv10, 23
 tls13_psk_succesfull.pcap
 key_share, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T
 x25519
 client, TLSv10, TLSv12
@ -69,16 +107,21 @@ encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_
 encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T, TLSv12, 23
 encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], F, TLSv12, 23
 encrypted, [orig_h=192.168.178.80, orig_p=54220/tcp, resp_h=174.138.9.219, resp_p=443/tcp], T, TLSv12, 23
 hrr.pcap
 key_share, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T
 secp224r1
 client, TLSv10, TLSv12
 key_share, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F
 secp256r1
 server, TLSv12, TLSv12
 key_share, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T
 secp256r1
 client, TLSv12, TLSv12
 key_share, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F
 secp256r1
 server, TLSv12, TLSv12
 encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 23
 established, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp]
 encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 22
 encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 22
 encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 23
 encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 23
 encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], F, TLSv12, 23
 encrypted, [orig_h=10.192.48.168, orig_p=63564/tcp, resp_h=64.233.185.139, resp_p=443/tcp], T, TLSv12, 23
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/ssl-out.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13/ssl-out.log
@ -18,7 +18,7 @@ XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	192.168.6.203	53227	52.32.149.186	443	-	-	-
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.6.203	53994	138.68.41.77	443	TLSv13-draft14	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	x25519	-	F	-	-	F	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.6.203	53994	138.68.41.77	443	TLSv13-draft14	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	x25519	-	F	-	-	T	-	-	-	-	-	-
 XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	192.168.6.203	53996	138.68.41.77	443	TLSv13-draft14	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256	x25519	-	F	-	-	T	-	-	-	-	-	-
 #close XXXX-XX-XX-XX-XX-XX
 #separator \x09
@ -61,5 +61,5 @@ XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.178.80	54220	174.138.9.219	443	TLSv1
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.192.48.168	63564	64.233.185.139	443	TLSv13	TLS_AES_256_GCM_SHA384	secp256r1	-	T	-	-	T	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.192.48.168	63564	64.233.185.139	443	TLSv13	TLS_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	-	-	-	-	-	-
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13_encrypted_handshake_events/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13_encrypted_handshake_events/.stdout
@ -0,0 +1,13 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 Probable handshake, F, 23
 encrypted, [orig_h=192.168.186.133, orig_p=43056/tcp, resp_h=192.168.186.134, resp_p=9090/tcp], F, TLSv12, 23
 Probable handshake, F, 716
 encrypted, [orig_h=192.168.186.133, orig_p=43056/tcp, resp_h=192.168.186.134, resp_p=9090/tcp], F, TLSv12, 23
 Probable handshake, F, 281
 encrypted, [orig_h=192.168.186.133, orig_p=43056/tcp, resp_h=192.168.186.134, resp_p=9090/tcp], F, TLSv12, 23
 Probable handshake, F, 69
 encrypted, [orig_h=192.168.186.133, orig_p=43056/tcp, resp_h=192.168.186.134, resp_p=9090/tcp], F, TLSv12, 23
 Probable handshake, T, 69
 Established!
 encrypted, [orig_h=192.168.186.133, orig_p=43056/tcp, resp_h=192.168.186.134, resp_p=9090/tcp], T, TLSv12, 23
 encrypted, [orig_h=192.168.186.133, orig_p=43056/tcp, resp_h=192.168.186.134, resp_p=9090/tcp], T, TLSv12, 23
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13_encrypted_handshake_events/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13_encrypted_handshake_events/ssl.log
@ -0,0 +1,11 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
 XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.186.133	43056	192.168.186.134	9090	TLSv13	TLS_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	-	-	-	-	-	-
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
--- a/testing/btest/Traces/tls/tls13_wolfssl.pcap
+++ b/testing/btest/Traces/tls/tls13_wolfssl.pcap
--- a/testing/btest/scripts/base/protocols/ssl/tls13.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls13.test
@ -1,13 +1,19 @@
 # @TEST-EXEC: echo "tls13draft16-chrome55.0.2879.0-canary-aborted.pcap"
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-chrome55.0.2879.0-canary-aborted.pcap %INPUT
 # @TEST-EXEC: cat ssl.log > ssl-out.log
 # @TEST-EXEC: echo "tls13draft16-chrome55.0.2879.0-canary.pcap"
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-chrome55.0.2879.0-canary.pcap %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-out.log
 # @TEST-EXEC: echo "tls13draft16-ff52.a01-aborted.pcap"
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-ff52.a01-aborted.pcap %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-out.log
 # @TEST-EXEC: echo "tls13draft16-ff52.a01.pcap"
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13draft16-ff52.a01.pcap %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-out.log
 # @TEST-EXEC: echo "tls13_psk_succesfull.pcap"
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13_psk_succesfull.pcap %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-out.log
 # @TEST-EXEC: echo "hrr.pcap"
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/hrr.pcap %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-out.log
 # @TEST-EXEC: btest-diff ssl-out.log
--- a/testing/btest/scripts/base/protocols/ssl/tls13_encrypted_handshake_events.test
+++ b/testing/btest/scripts/base/protocols/ssl/tls13_encrypted_handshake_events.test
@ -0,0 +1,22 @@
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/tls13_wolfssl.pcap %INPUT
 # @TEST-EXEC: btest-diff ssl.log
 # @TEST-EXEC: btest-diff .stdout
@load base/protocols/ssl
 redef SSL::disable_analyzer_after_detection=F;
 event ssl_encrypted_data(c: connection, is_orig: bool, record_version: count, content_type: count, length: count)
 	{
 	print "encrypted", c$id, is_orig, SSL::version_strings[record_version], content_type;
 	}
 event ssl_established(c: connection)
 	{
 	print "Established!";
 	}
 event ssl_probable_encrypted_handshake_message(c: connection, is_orig: bool, length: count)
 	{
 	print "Probable handshake", is_orig, length;
 	}