diff --git a/CHANGES b/CHANGES
index 7b171000fa..a2c32fa559 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,16 @@
+6.0.0-dev.484 | 2023-05-03 14:18:03 +0100
+
+ * SSL: do not try to disable failed analyzer (Johanna Amann, Corelight)
+
+ Currently, if a TLS/DTLS analyzer fails with a protocol violation, we
+ will still try to remove the analyzer later, which results in the
+ following error message:
+
+ error: connection does not have analyzer specified to disable
+
+ Now, instead we don't try removing the analyzer anymore, after a
+ violation occurred.
+
 6.0.0-dev.480 | 2023-05-02 20:28:55 +0200
 
 * ip4_hdr: Add DF, MF, offset and sum fields (Arne Welzel, Corelight)
diff --git a/NEWS b/NEWS
index 806a43eac4..578c280762 100644
--- a/NEWS
+++ b/NEWS
@@ -306,6 +306,11 @@ Changed Functionality
 - Libpcap based packet source now avoids the 32bit wraparound of link and dropped packet counters as reported by users.
 
+- The `ssl_history` field in ssl.log indicates that the letter `j` is reserved
+ for hello retry requests. However, this logging was never fully implemented;
+ instead, hello retry requests were logged like as a server hello (with the letter
+ `s`). This oversight was fixed, and hello retry requests are now correctly logged.
+
 Removed Functionality
 ---------------------
diff --git a/VERSION b/VERSION
index 817388faca..6d978e0fb6 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-6.0.0-dev.480
+6.0.0-dev.484
diff --git a/scripts/base/protocols/ssl/main.zeek b/scripts/base/protocols/ssl/main.zeek
index 3e74950951..f61a21deea 100644
--- a/scripts/base/protocols/ssl/main.zeek
+++ b/scripts/base/protocols/ssl/main.zeek
@@ -514,5 +514,9 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
 {
 if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
 if ( info$c?$ssl )
- finish(info$c, T);
+ {
+ # analyzer errored out; prevent us from trying to remove it later
+ delete info$c$ssl$analyzer_id;
+ finish(info$c, F);
+ }
 }
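Review bot: The new `delete info$c$ssl$analyzer_id;` leaves the connection's `ssl` record without an analyzer id for the rest of the connection, so any other handler that reads `c$ssl$analyzer_id` without a `?$` guard would now fail on the missing field instead of on the "connection does not have analyzer specified to disable" error the commit removes; whether the field is declared `&optional` and who else reads it is not visible here and needs confirming against the record definition. The added comment would be more useful if it stated the assumption the code relies on, presumably that the core has already shut the analyzer down when it raised the violation, e.g. `# The core already disabled the analyzer on the violation; drop analyzer_id so finish() does not try to disable it again.` The meaning of the second argument to `finish` (now `F`) is also not visible in this hunk, since `finish` is defined outside it, so the comment could name what that flag suppresses.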
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-protocol-violation/.stderr b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-protocol-violation/.stderr
new file mode 100644
index 0000000000..49d861c74c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-protocol-violation/.stderr
@@ -0,0 +1 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
diff --git a/testing/btest/Traces/tls/tls1.2-protocol-violation.pcap b/testing/btest/Traces/tls/tls1.2-protocol-violation.pcap
new file mode 100644
index 0000000000..76a51c00c9
Binary files /dev/null and b/testing/btest/Traces/tls/tls1.2-protocol-violation.pcap differ
diff --git a/testing/btest/scripts/base/protocols/ssl/tls-protocol-violation.test b/testing/btest/scripts/base/protocols/ssl/tls-protocol-violation.test
new file mode 100644
index 0000000000..0d68f8495d
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/tls-protocol-violation.test
@@ -0,0 +1,5 @@
+# This tests that no error messages are output when a protocol violation occurs
+
+# @TEST-EXEC: zeek -C -r $TRACES/tls/tls1.2-protocol-violation.pcap %INPUT
+# @TEST-EXEC: test -f dpd.log
+# @TEST-EXEC: btest-diff .stderr
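Review bot: The new test only asserts that a dpd.log exists (`test -f dpd.log`) and that stderr is empty, so a later regression in which the SSL analyzer stops detecting the violation at all would still pass as long as something writes a dpd.log. Pinning the recorded violation with a baseline, e.g. `# @TEST-EXEC: btest-diff dpd.log`, would make the test assert that the failure is still reported and not merely that it is quiet; dpd.log carries timestamps and uids, so it will likely need the same canonifier the other ssl btests use. The first-line comment could also state the expected outcome, i.e. that the violation is recorded in dpd.log without the analyzer-disable error on stderr.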