From f939bcad7e433fe61c560a05bfc12731b08315d1 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@corelight.com>
Date: Wed, 22 Jan 2020 16:49:32 -0800
Subject: [PATCH] Skip file analysis for zero-length SSL/TLS data

---
 src/analyzer/protocol/ssl/proc-certificate.pac       | 3 +++
 src/analyzer/protocol/ssl/tls-handshake-analyzer.pac | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/analyzer/protocol/ssl/proc-certificate.pac b/src/analyzer/protocol/ssl/proc-certificate.pac
index 7c57f31744..a9514c8c7c 100644
--- a/src/analyzer/protocol/ssl/proc-certificate.pac
+++ b/src/analyzer/protocol/ssl/proc-certificate.pac
@@ -16,6 +16,9 @@
 			{
 			const bytestring& cert = (*certificates)[i];
 
+			if ( cert.length() <= 0 )
+				continue;
+
 			ODesc file_handle;
 			file_handle.Add(common.Description());
 			file_handle.Add(i);
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
index 5e8e31e0b2..9d5f3d8ea7 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
@@ -303,7 +303,7 @@ refine connection Handshake_Conn += {
 		common.AddRaw("F");
 		bro_analyzer()->Conn()->IDString(&common);
 
-		if ( status_type == 1 ) // ocsp
+		if ( status_type == 1 && response.length() > 0 ) // ocsp
 			{
 			ODesc file_handle;
 			file_handle.Add(common.Description());