Fix parsing of version field in SSLv2 client hello

It turns out that, for probably a long time, we have reported an
incorrect version when parsing an SSLv2 client hello. We always reported
this as SSLv2, no matter which version the client hello actually
contained.

This bug probably went unnoticed for a long time, as SSLv2 is
essentially unused nowadays, and as this field does not show up in the
default logs.

This was found due to a baseline difference when writing the Spicy SSL
analyzer.
Johanna Amann 2024-08-22 13:14:24 +01:00
parent 4b369bad2d
commit a6edbf8bcd
6 changed files with 15 additions and 13 deletions

@ -283,9 +283,11 @@ event ssl_client_hello(c: connection, version: count, record_version: count, pos
c$ssl$client_ticket_empty_session_seen = F;
}
# add manually for SSLv2, since the handshake_message event is not raised, as there is no handshake protocol.
# We don't really have a direction in that case
if ( version == 2 )
# add manually for SSLv2 client hello, since the handshake_message event is not raised, as there is no handshake protocol.
# We don't really have a direction in that case.
# SSLv2 client hello is signified by a record_layer version of 0, as the client-hello itself can indicate
# a higher supported maximum version
if ( record_version == 0 )
add_to_history(c, T, "c");
}
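Review bot: The new condition `if ( record_version == 0 )` depends on a bare 0 as the marker for an SSLv2 client hello. The comment above it explains the convention at this one site, but it would be more robust to state it where the `record_version` parameter of `ssl_client_hello` is documented, or to compare against a named constant, so that other handlers do not have to rediscover it. Because `version` now carries the value from the client hello instead of always being reported as SSLv2, any other handler that still tests `version == 2` to detect an SSLv2 client hello should be checked and moved to the same `record_version` test. A regression test with an SSLv2 client hello that advertises a higher maximum version would pin this behaviour down.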