DTLS 1.3: finish implementation, add connection_id extension

This commit adds support for the connection_id extension, adds a trace that uses DTLS 1.3 connection IDs, and adds parsing for the DTLS 1.3 unified header, in case connection IDs are not used. In case connection IDs are used, parsing of the DTLS 1.3 unified header is skipped. This is due to the fact, that the header then contains a variable length element, with the length of the element not given in the header. Instead, the length is given in the client/server hello message of the opposite side of the connection (which we might have missed). Furthermore, parsing is not of a high importance, since we are not passing the connection ID, or any of the other parsed values of the unified header into scriptland.
2025-10-02 14:48:21 +00:00 · 2023-05-10 11:08:26 +01:00 · 2023-05-10 11:08:26 +01:00 · a8e84c6192
commit a8e84c6192
parent d6c4c510ea
12 changed files with 188 additions and 19 deletions
--- a/7
+++ b/7
@ -207,6 +207,10 @@ New Functionality
 - The ``ip4_hdr`` record was extended by ``DF``, ``MF``, ``offset`` and ``sum``
  to aid packet-level analysis use-cases.

+- Zeek now supports parsing the recently standardized DTLS 1.3. Besides the protocol
+  messages being correctly parsed and raising the typical SSL/TLS events, the biggest
+  visible change is the newly added ``ssl_extension_connection_id`` event.
+
 Changed Functionality
 ---------------------

@ -306,6 +310,9 @@ Changed Functionality
 - Libpcap based packet source now avoids the 32bit wraparound of link and
  dropped packet counters as reported by users.

+- The ``ssl_history`` field of ``ssl.log`` now correctly logs Hello Retry Request
+  messages. Before, they were incorrectly logged as Server Hellos.
+
 Removed Functionality
 ---------------------

--- a/src/analyzer/protocol/ssl/dtls-analyzer.pac
+++ b/src/analyzer/protocol/ssl/dtls-analyzer.pac
@ -156,7 +156,9 @@ refine connection SSL_Conn += {

 			if ( ssl_encrypted_data )
 				{
-				// FIXME: swallow is not quite the correct length, because we are not parsing the entire header
+				// In case a CID is given, swallow is not quite the correct length, because we are not parsing the entire header. This is not entirely
+				// trivial to work around, and the workaround won't work in all cases - and it might also not matter.
+				// We also have more potentially interesting information (the sequence number) - which we don't currently give to scriptland.
 				zeek::BifEvent::enqueue_ssl_encrypted_data(zeek_analyzer(),
 					zeek_analyzer()->Conn(), is_orig ^ zeek_analyzer()->GetFlipped(), DTLSv13, APPLICATION_DATA, ur->swallow().length());
 				}
--- a/src/analyzer/protocol/ssl/dtls-protocol.pac
+++ b/src/analyzer/protocol/ssl/dtls-protocol.pac
@ -24,15 +24,24 @@ type SSLRecordSwitch(is_orig: bool) = record {

 type UnifiedRecord(firstbyte: uint8, is_orig: bool) = record {
 	# sequence_number: bytestring &length=(sequence_number_length?2:1);
-	# lets just ignore eveything for now. We have very limited example
-	# data, and it is hard to parse the CID due to variable length.
+	# If we have a CID, we do currently not try to parse anything, as the connection
+	# ID is variable length, with the length not given in this packet (but only in the hello message
+	# of the opposite side of the direction).
+	seqnum: case with_cid of {
+		false -> sequence_number: bytestring &length=(sequence_number_length?2:1);
+		true -> nothing1: bytestring &length=0;
+	} &requires(sequence_number_length) &requires(with_cid);
+	lenthfield: case (with_cid == false && length_present == true) of {
+		true -> length: uint16;
+		false -> nothing2: bytestring &length=0;
+	} &requires(length_present) &requires(with_cid);
 	swallow: bytestring &restofdata;
 } &let {
 	with_cid: bool = ((firstbyte&0x10)==0x10);
 	sequence_number_length: bool = ((firstbyte&0x08)==0x08);
-	lengh_present: bool = ((firstbyte&0x04)==0x04);
+	length_present: bool = ((firstbyte&0x04)==0x04);
 	epoch_low_bits: uint8 = (firstbyte&0x03);
-};
+} &byteorder = bigendian;

 type SSLRecord(content_type: uint8, is_orig: bool) = record {
 	version: uint16;
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@ -106,7 +106,7 @@ event ssl_server_hello%(c: connection, version: count, record_version: count, po
 ##    ssl_extension_server_name ssl_extension_signature_algorithm ssl_extension_key_share
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
-##    ssl_connection_flipped
+##    ssl_connection_flipped ssl_extension_connection_id
 event ssl_extension%(c: connection, is_client: bool, code: count, val: string%);

 ## Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is
@ -129,6 +129,7 @@ event ssl_extension%(c: connection, is_client: bool, code: count, val: string%);
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+##    ssl_extension_connection_id
 event ssl_extension_elliptic_curves%(c: connection, is_client: bool, curves: index_vec%);

 ## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension
@ -153,6 +154,7 @@ event ssl_extension_elliptic_curves%(c: connection, is_client: bool, curves: ind
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_rsa_client_pms ssl_server_signature
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+##    ssl_extension_connection_id
 event ssl_extension_ec_point_formats%(c: connection, is_client: bool, point_formats: index_vec%);

 ## Generated for an Signature Algorithms extension. This TLS extension
@ -176,6 +178,7 @@ event ssl_extension_ec_point_formats%(c: connection, is_client: bool, point_form
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_rsa_client_pms ssl_server_signature
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+##    ssl_extension_connection_id
 event ssl_extension_signature_algorithm%(c: connection, is_client: bool, signature_algorithms: signature_and_hashalgorithm_vec%);

 ## Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16
@ -198,6 +201,7 @@ event ssl_extension_signature_algorithm%(c: connection, is_client: bool, signatu
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_rsa_client_pms ssl_server_signature
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+##    ssl_extension_connection_id
 event ssl_extension_key_share%(c: connection, is_client: bool, curves: index_vec%);

 ## Generated for the pre-shared key extension as it is sent in the TLS 1.3 client hello.
@ -222,6 +226,7 @@ event ssl_extension_key_share%(c: connection, is_client: bool, curves: index_vec
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_rsa_client_pms ssl_server_signature ssl_extension_pre_shared_key_server_hello
+##    ssl_extension_connection_id
 event ssl_extension_pre_shared_key_client_hello%(c: connection, is_client: bool, identities: psk_identity_vec, binders: string_vec%);

 ## Generated for the pre-shared key extension as it is sent in the TLS 1.3 server hello.
@ -242,6 +247,7 @@ event ssl_extension_pre_shared_key_client_hello%(c: connection, is_client: bool,
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_rsa_client_pms ssl_server_signature ssl_extension_pre_shared_key_client_hello
+##    ssl_extension_connection_id
 event ssl_extension_pre_shared_key_server_hello%(c: connection, is_client: bool, selected_identity: count%);

 ## Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve
@ -360,6 +366,7 @@ event ssl_rsa_client_pms%(c: connection, pms: string%);
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_extension_signed_certificate_timestamp
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+##    ssl_extension_connection_id
 event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_client: bool, protocols: string_vec%);

 ## Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is
@ -384,6 +391,7 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_cl
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_extension_signed_certificate_timestamp
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+##    ssl_extension_connection_id
 event ssl_extension_server_name%(c: connection, is_client: bool, names: string_vec%);

 ## Generated for the signed_certificate_timestamp TLS extension as defined in
@ -417,6 +425,7 @@ event ssl_extension_server_name%(c: connection, is_client: bool, names: string_v
 ##    ssl_extension_application_layer_protocol_negotiation
 ##    x509_ocsp_ext_signed_certificate_timestamp sct_verify
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+##    ssl_extension_connection_id
 event ssl_extension_signed_certificate_timestamp%(c: connection, is_client: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%);

 ## Generated for an TLS Supported Versions extension. This TLS extension
@ -439,6 +448,7 @@ event ssl_extension_signed_certificate_timestamp%(c: connection, is_client: bool
 ##    ssl_extension_key_share ssl_extension_server_name
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_signed_certificate_timestamp
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+##    ssl_extension_connection_id
 event ssl_extension_supported_versions%(c: connection, is_client: bool, versions: index_vec%);

 ## Generated for an TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined
@ -459,8 +469,30 @@ event ssl_extension_supported_versions%(c: connection, is_client: bool, versions
 ##    ssl_extension_key_share ssl_extension_server_name
 ##    ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+##    ssl_extension_connection_id
 event ssl_extension_psk_key_exchange_modes%(c: connection, is_client: bool, modes: index_vec%);

+## Generated for an DTLS Connection ID extension. This TLS extension is defined
+## in the RFC 9146 and sent by the client or the server to signify that Connection IDs should
+## be used for the connection.
+##
+## c: The connection.
+##
+## is_client: True if event is raised for the client side of the connection
+##            (the side that sends the client hello). This is typically equivalent
+##            with the originator, but does not have to be in all circumstances.
+##
+## cid: The connection ID given by the client or the server.
+##
+## .. zeek:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_extension
+##    ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+##    ssl_extension_application_layer_protocol_negotiation
+##    ssl_extension_key_share ssl_extension_server_name
+##    ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp
+##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
+event ssl_extension_connection_id%(c: connection, is_client: bool, cid: string%);
+
 ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
 ## an unencrypted handshake, and Zeek extracts as much information out of that
 ## as it can. This event signals the time when an SSL/TLS has finished the
@ -577,6 +609,12 @@ event ssl_plaintext_data%(c: connection, is_client: bool, record_version: count,
 ## Note that :zeek:id:`SSL::disable_analyzer_after_detection` has to be changed
 ## from its default to false for this event to be generated.
 ##
+## Also note that, for DTLS 1.3, it is not always possible to give an exact length for
+## the payload that is transported in the packet. If connection IDs are used, the length
+## provided is the length of the entire packet, without the first byte (for the unified header).
+## If no connection IDs are used, the length given is the actual payload length. Connection IDs
+## are used with the connection ID extension in the client or server hello.
+##
 ## c: The connection.
 ##
 ## is_client: True if event is raised for the client side of the connection
@ -589,10 +627,11 @@ event ssl_plaintext_data%(c: connection, is_client: bool, record_version: count,
 ## content_type: message type as reported by TLS session layer. Not populated for
 ##               SSLv2.
 ##
-## length: length of the entire message.
+## length: encrypted payload length of the message.
 ##
 ## .. zeek:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_alert ssl_heartbeat ssl_probable_encrypted_handshake_message
+##    ssl_extension_connection_id
 event ssl_encrypted_data%(c: connection, is_client: bool, record_version: count, content_type: count, length: count%);

 ## This event is generated for application data records of TLS 1.3 connections of which
--- a/src/analyzer/protocol/ssl/ssl-defs.pac
+++ b/src/analyzer/protocol/ssl/ssl-defs.pac
@ -157,6 +157,7 @@ enum SSLExtensions {
 	EXT_CERTIFICATE_AUTHORITIES = 47,
 	EXT_OID_FILTERS = 48,
 	EXT_KEY_SHARE = 51,
+	EXT_CONNECTION_ID = 54,
 	EXT_NEXT_PROTOCOL_NEGOTIATION = 13172,
 	EXT_ORIGIN_BOUND_CERTIFICATES = 13175,
 	EXT_ENCRYPTED_CLIENT_CERTIFICATES = 13180,
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
@ -670,6 +670,17 @@ refine connection Handshake_Conn += {
 		return true;
 		%}

+	function proc_connection_id(rec: HandshakeRecord, cid: bytestring) : bool
+		%{
+		if ( ! ssl_extension_connection_id )
+			return true;
+
+		auto cid_string = zeek::make_intrusive<zeek::StringVal>(cid.length(), (const char*) cid.data());
+		zeek::BifEvent::enqueue_ssl_extension_connection_id(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, cid_string);
+
+		return true;
+		%}
+
 };

 refine typeattr ClientHello += &let {
@ -802,3 +813,7 @@ refine typeattr SignedCertificateTimestamp += &let {
 refine typeattr CertificateRequest += &let {
 	proc: bool = $context.connection.proc_certificate_request(rec, this);
 };
+
+refine typeattr ConnectionId += &let {
+	proc: bool = $context.connection.proc_connection_id(rec, cid);
+};
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
@ -811,12 +811,18 @@ type SSLExtension(rec: HandshakeRecord) = record {
 		EXT_SUPPORTED_VERSIONS -> supported_versions_selector: SupportedVersionsSelector(rec, data_len)[] &until($element == 0 || $element != 0);
 		EXT_PSK_KEY_EXCHANGE_MODES -> psk_key_exchange_modes: PSKKeyExchangeModes(rec)[] &until($element == 0 || $element != 0);
 		EXT_PRE_SHARED_KEY -> pre_shared_key: PreSharedKey(rec)[] &until($element == 0 || $element != 0);
+		EXT_CONNECTION_ID -> connection_id: ConnectionId(rec)[] &until($element == 0 || $element != 0);
 		default -> data: bytestring &restofdata;
 	};
 } &length=data_len+4 &exportsourcedata;

 %include tls-handshake-signed_certificate_timestamp.pac

+type ConnectionId(rec: HandshakeRecord) = record {
+	length: uint8;
+	cid: bytestring &length=length;
+};
+
 type SupportedVersionsSelector(rec: HandshakeRecord, data_len: uint16) = case ( rec.is_orig ^ $context.connection.flipped() ) of {
 	true -> a: SupportedVersions(rec);
 	false -> b: OneSupportedVersion(rec);
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-13/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-13/.stdout
@ -0,0 +1,52 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+CH, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+SH, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CH, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+SH, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+Encrypted, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 31
+Encrypted, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 1298
+Encrypted, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 289
+Encrypted, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 61
+Encrypted, [orig_h=10.168.36.147, orig_p=33714/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, 65276, 23, 61
+start CID test
+CID, [orig_h=10.168.36.147, orig_p=52232/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, I am a client CID
+CH, [orig_h=10.168.36.147, orig_p=52232/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CID, [orig_h=10.168.36.147, orig_p=52232/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, I am a client CID
+CH, [orig_h=10.168.36.147, orig_p=52232/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CID, [orig_h=10.168.36.147, orig_p=52232/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, I am a client CID
+CH, [orig_h=10.168.36.147, orig_p=52232/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CID, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, I am a client CID
+CH, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+SH, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CID, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, I am a client CID
+CH, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CID, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, fancy server CID
+SH, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+Encrypted, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 52
+Encrypted, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 89
+Encrypted, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 1365
+Encrypted, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 1292
+Encrypted, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 310
+Encrypted, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 82
+Encrypted, [orig_h=10.168.36.147, orig_p=57488/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, 65276, 23, 1366
+CH, [orig_h=10.168.36.147, orig_p=58771/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CH, [orig_h=10.168.36.147, orig_p=58771/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CH, [orig_h=10.168.36.147, orig_p=58771/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CH, [orig_h=10.168.36.147, orig_p=58771/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CID, [orig_h=10.168.36.147, orig_p=56544/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, fancy server CID
+CH, [orig_h=10.168.36.147, orig_p=56544/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CID, [orig_h=10.168.36.147, orig_p=56544/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, fancy server CID
+CH, [orig_h=10.168.36.147, orig_p=56544/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CID, [orig_h=10.168.36.147, orig_p=56544/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, fancy server CID
+CH, [orig_h=10.168.36.147, orig_p=56544/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CH, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+SH, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+CH, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+SH, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], 65277, 65277
+Encrypted, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 31
+Encrypted, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 68
+Encrypted, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 1378
+Encrypted, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 1237
+Encrypted, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 289
+Encrypted, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], F, 65276, 23, 61
+Encrypted, [orig_h=10.168.36.147, orig_p=47904/udp, resp_h=10.168.36.144, resp_p=11111/udp], T, 65276, 23, 1351
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-13/ssl-all.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-13/ssl-all.log
@ -0,0 +1,25 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	ssl_history	cert_chain_fps	client_cert_chain_fps	sni_matches_cert
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	string	vector[string]	vector[string]	bool
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.168.36.147	33714	10.168.36.144	11111	DTLSv13	TLS_AES_128_GCM_SHA256	secp256r1	-	F	-	-	T	CjCs	-	-	-
+#close XXXX-XX-XX-XX-XX-XX
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	ssl_history	cert_chain_fps	client_cert_chain_fps	sni_matches_cert
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	string	vector[string]	vector[string]	bool
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	10.168.36.147	57488	10.168.36.144	11111	DTLSv13	TLS_AES_128_GCM_SHA256	secp256r1	-	F	-	-	T	CjCs	-	-	-
+XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	10.168.36.147	47904	10.168.36.144	11111	DTLSv13	TLS_AES_128_GCM_SHA256	secp256r1	-	F	-	-	T	CjCs	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.168.36.147	52232	10.168.36.144	11111	-	-	-	-	F	-	-	F	CCC	-	-	-
+XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	10.168.36.147	56544	10.168.36.144	11111	-	-	-	-	F	-	-	F	CCC	-	-	-
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	10.168.36.147	58771	10.168.36.144	11111	-	-	-	-	F	-	-	F	CCCC	-	-	-
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-13/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-13/ssl.log
@ -1,11 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-#separator \x09
-#set_separator	,
-#empty_field	(empty)
-#unset_field	-
-#path	ssl
-#open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	ssl_history	cert_chain_fps	client_cert_chain_fps	sni_matches_cert
-#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	string	vector[string]	vector[string]	bool
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.168.36.147	33714	10.168.36.144	11111	DTLSv13	TLS_AES_128_GCM_SHA256	secp256r1	-	F	-	-	T	CjCs	-	-	-
-#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Traces/tls/dtls13-cid.pcap
+++ b/testing/btest/Traces/tls/dtls13-cid.pcap
--- a/testing/btest/scripts/base/protocols/ssl/dtls-13.test
+++ b/testing/btest/scripts/base/protocols/ssl/dtls-13.test
@ -1,6 +1,30 @@
 # This tests a normal SSL connection and the log it outputs.

 # @TEST-EXEC: zeek -C -r $TRACES/tls/dtls13-wolfssl.pcap %INPUT
-# @TEST-EXEC: btest-diff ssl.log
+# @TEST-EXEC: cp ssl.log ssl-all.log
+# @TEST-EXEC: echo "start CID test"
+# @TEST-EXEC: zeek -C -r $TRACES/tls/dtls13-cid.pcap %INPUT
+# @TEST-EXEC: cat ssl.log >> ssl-all.log
+# @TEST-EXEC: btest-diff ssl-all.log
+# @TEST-EXEC: btest-diff .stdout
 # @TEST-EXEC: test ! -f dpd.log

+event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec)
+	{
+	print "CH", c$id, version, record_version;
+	}
+
+event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)
+	{
+	print "SH", c$id, version, record_version;
+	}
+
+event ssl_extension_connection_id(c: connection, is_client: bool, cid: string)
+	{
+	print "CID", c$id, is_client, cid;
+	}
+
+event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)
+	{
+	print "Encrypted", c$id, is_client, record_version, content_type, length;
+	}