From 401e6c91028add3590b700fd742dee21f626513e Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Thu, 22 Oct 2015 13:36:21 -0700
Subject: [PATCH] Extend ssl dpd signature to allow alert before server_hello.

The alert in this case is caused by the server name in the SNI not being recognized by the server, which triggers an alert. Since the server is an apache, and this might happen reasonably often, the new signature allows one TLS alert before the server hello is expected.
---
 scripts/base/protocols/ssl/dpd.sig | 2 +-
 testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout | 2 ++
 testing/btest/scripts/base/protocols/ssl/dpd.test | 1 +
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/scripts/base/protocols/ssl/dpd.sig b/scripts/base/protocols/ssl/dpd.sig
index e238575568..2ebe1cc634 100644
--- a/scripts/base/protocols/ssl/dpd.sig
+++ b/scripts/base/protocols/ssl/dpd.sig
@@ -1,7 +1,7 @@
 signature dpd_ssl_server {
 ip-proto == tcp
 # Server hello.
- payload /^(\x16\x03[\x00\x01\x02\x03]..\x02...\x03[\x00\x01\x02\x03]|...?\x04..\x00\x02).*/
+ payload /^((\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...\x03[\x00\x01\x02\x03]|...?\x04..\x00\x02).*/
 requires-reverse-signature dpd_ssl_client
 enable "ssl"
 tcp-state responder
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout
index b59ed28b18..7b2d255900 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout
@@ -6,3 +6,5 @@ Client hello, 192.150.187.164, 194.127.84.106, 769
 Client hello, 192.150.187.164, 194.127.84.106, 769
 Start test run
 Client hello, 10.0.0.80, 68.233.76.12, 771
+Start test run
+Client hello, 192.168.6.217, 67.207.128.99, 771
diff --git a/testing/btest/scripts/base/protocols/ssl/dpd.test b/testing/btest/scripts/base/protocols/ssl/dpd.test
index ff1f6385ec..dc514ff9d4 100644
--- a/testing/btest/scripts/base/protocols/ssl/dpd.test
+++ b/testing/btest/scripts/base/protocols/ssl/dpd.test
@@ -1,6 +1,7 @@
 # @TEST-EXEC: bro -C -b -r $TRACES/tls/ssl-v2.trace %INPUT
 # @TEST-EXEC: bro -b -r $TRACES/tls/ssl.v3.trace %INPUT
 # @TEST-EXEC: bro -b -r $TRACES/tls/tls1.2.trace %INPUT
+# @TEST-EXEC: bro -b -r $TRACES/tls/tls-early-alert.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout
 @load base/frameworks/dpd
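Review bot: The optional alert prefix `(\x15\x03[\x00\x01\x02\x03]....)?` on the new `payload` line in dpd.sig leaves the alert record's two-byte length field as a wildcard, even though a plaintext TLS alert body is always exactly two bytes (level, description) and the SSLv2 branch of the same regex already pins its length with `\x00\x02`; with the wildcard, a record whose declared length is not 2 is still accepted as long as a server hello begins four bytes later. I would pin it: `payload /^((\x15\x03[\x00\x01\x02\x03]\x00\x02..)?\x16\x03[\x00\x01\x02\x03]..\x02...\x03[\x00\x01\x02\x03]|...?\x04..\x00\x02).*/`. The `# Server hello.` comment no longer describes the pattern; change it to `# Server hello, optionally preceded by one TLS alert record (e.g. a warning-level unrecognized_name for an unknown SNI).` Since a fatal alert is normally followed by connection teardown rather than a server hello, the new branch in practice only covers warning-level alerts, which appears to be the Apache case the commit describes and is worth stating in that comment.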
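Review bot: The added `tls-early-alert.trace` run appears in the baseline only as a `Start test run` / `Client hello` pair (the .stdout hunk above), which shows dpd_ssl_client firing but does not by itself demonstrate that the extended dpd_ssl_server signature matched the alert-then-server-hello sequence. If the script body past the visible `@load base/frameworks/dpd` line does not already print something on the responder side, consider also printing from ssl_server_hello, or checking that ssl lands in the connection's service field, so a regression in the new alert-prefix branch would actually change the baseline. The test script continues outside the hunk, so this may already be covered there.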