From 030564a71058908276d9a07ba5e054822e977a07 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 2 Jul 2013 14:49:36 -0400
Subject: [PATCH] Single character fix to correct support for TLS 1.2 (my bad).
- Thanks for help from Rafal Lesniak in nailing down the location of the bug and supplying test traffic.
- Test traffic with a TLS 1.2 connection.
- Addresses ticket #1020
---
 src/analyzer/protocol/ssl/ssl-protocol.pac | 2 +-
 .../scripts.base.protocols.ssl.tls-1.2/ssl.log | 10 ++++++++++
 testing/btest/Traces/tls1.2.trace | Bin 0 -> 8601 bytes
 .../scripts/base/protocols/ssl/tls-1.2.test | 2 ++
 4 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log
 create mode 100644 testing/btest/Traces/tls1.2.trace
 create mode 100644 testing/btest/scripts/base/protocols/ssl/tls-1.2.test
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index 0019478518..b35d07f18b 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -693,7 +693,7 @@ refine connection SSL_Conn += {
 head2 : uint8) : int
 %{
 if ( head0 >= 20 && head0 <= 23 &&
- head1 == 0x03 && head2 < 0x03 )
+ head1 == 0x03 && head2 <= 0x03 )
 // This is most probably SSL version 3.
 return (head1 << 8) | head2;
 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log
new file mode 100644
index 0000000000..375c033c38
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-1.2/ssl.log
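Review bot: The comment under the changed condition, `// This is most probably SSL version 3.`, no longer describes what the branch accepts: with `head2 <= 0x03` it matches record versions 0x0300 through 0x0303, so it should read something like `// SSLv3 or TLS 1.0-1.2: content type 20-23, major 0x03, minor 0x00-0x03.`. The upper bound is still a bare literal, and the bug fixed here was exactly that bound being one too low, so a named constant for the highest supported minor version would make the next bump a one-place change. For a passive monitor, a record with major 0x03 and a minor above the bound falls through to code outside this hunk; if that path ends without a log entry or notice, traffic using a newer version would go uninspected without any signal, so it is worth confirming that the fall-through case is reported. The enclosing function starts above the hunk and continues below it.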
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ssl
+#open 2013-07-02-18-46-17
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher server_name session_id subject issuer_subject not_valid_before not_valid_after last_alert client_subject client_issuer_subject
+#types time string addr port addr port string string string string string string time time string string string
+1357328848.549370 UWkUyAuUGXf 10.0.0.80 56637 68.233.76.12 443 TLSv12 TLS_RSA_WITH_RC4_128_MD5 - - CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB 1304467200.000000 1467676799.000000 - - -
+#close 2013-07-02-18-46-17
diff --git a/testing/btest/Traces/tls1.2.trace b/testing/btest/Traces/tls1.2.trace new file mode 100644 index 0000000000000000000000000000000000000000..87d50c277c6b8e25a40ccee85b12e7bddcd41e5f GIT binary patch literal 8601 zcmd6sc|26@-^b6a82i3tnXDlkOQI5E$&&0Ma@$4rG1f{(5m6{4TgjRz71=YXP_{uN zB`UWyOGTo^a}KwD(fzxB&+GZ)d7gQ_uGh@D&UHTDYx#cP-|JlS?BSgpB!C9iKPxK$ zfPgNj@?$2ux@Z6+=r>&YK_|V(6;+>abFq5U0y+Sou@s^KXkhb~aR6YVJz>Z&sD`LL zI9+23E0rNvR=BJI0ExzwBTy(b0zr!dRa`#6_t3~Sb$DuH77UnsT z*tIo*RyYS#apmNKe908@s{<&M*@OAnLgc)JIL7X{^QrwtWlYNZ?uXSfg*Grp`JFmv zjbGlTc2Ci0>C)~m>BUKVLJZZ6d&5%nT=H*zkwO%Y({#cig;{|X7=TonKG6eAvjEe3 z0COFT#N>mK=yO+BN5cwSUM@m~8Qoc)Jw5e@Wp7mr$cUwriq?x>WJDk^7yu;4%F}~% zSd=9i%Z}95l-~mK!WXpcY`R2ON0KWMf56el+1)h&`YF!>GQl@#*lEliz1)0>F7kXJ z4_t#|XVo%3V61J7*COBzJ-j_gt}gO&pbUHu#V-EWJw1;j?lOdcfIuQ7>54aZbq*xL zU&J8Dj1~bDN>tf=UXCJ5+b5+JNNtU;1ikF3$uqzy?^^F{(;C zlvUPm(y}A92=dI(NLTxc)edy>^6-&o16kk-I(9nqK&XFs$cnrm$iG&{sU)ui;@4W@ zHGKoUT!S2;;jx3P@O>OR&ce~l)fcbt<18!B0OH_EdUlkRtCPG4xOMG{Ps`Wa*Tola zLUi@^2=q2LH^f_cc)2*kIvgMy+z7=%FC|NYm1KQfNnj*G_}Aq?U;tDkf*FA7amYx> z4JS_^XHvh_pP$}u;VaI{ni^Huj|;E%5pFmt(lJ)!`QQk$hVU${|MScjlC-3*nE+!( z>X2@uwgELg$j_O}uXeZT`BpbvMW%AxmC}bJ9o@Vy8YGfW_GLfw=bh0~9ZAzNmgUKN z9&YWF`*b(UAAw5}D}8yr{W=Ezj9$m;+J`Hu$i9y*qk|8rF@lnBMTP!c45HnB;UKQt?0dR?@*aabA80+_(dfzQno5iM zK89iuK;%XuDA0`5fkMy>3W%V2K&}W5_1+3#w%Xj%%$~<7s2atVPUPz-SR< zp=UsH#JX_=0!;#mpuzezi2OyI^gj?MfucXP5Yaq;b=226z;A=ts{aeHq9GJS{_5V5 zbpP`7jnIL-905pQuInk@ea)Tiol&&7RD=Wlo=4=7b9!cro{2N!Z*F%4X~oxCc7DCg zgvcCDO^I~N6CKS`UxcYlMgJ3(sTnYptu|%$h~#xDk7;kD@{jNa5vjtV&nYjK)` z!h~18Q=iQDaX0V^2t0gbSOMO%m8^*muhrsE5}9r~%A}Oz_kFK2WjmKJc#_?z(~}{8vR+g5+6$5 z3&GNu3Sr8W^!By>N*fsdzU#<@*l(`0PAMEaJ;BArf*2S;!V@&*#UVFX#ht*6P?G-3{ZkcYIiLk6>W(ilyq~kbE+*bevt}#RV1TI+o5N0pZUbx>zZ2K z-g=qmTW&Dp$s)AG+Z5Im#?i^^XI7eh1dZJkYRu~}#r)eDW)JMt^<-gq`S@yDxb@4O zeK#kt_0Nl3Kkck;_U;I779W025-LdJs%7wOxgSiOwJwyrT3zLVQEt66V4X`JSgIB$ z9EsoS7k!z(+PE_~kA_dgxl85X>Gur@kB#PeQZx9*FTOu_i!)Pn&Sv*Gb9IpoqUR33 
z!;?%i^x%cU9}FdLbq3WvWzP`ySlhQQJP!V7-Ev?XHGTP00G+5isSa=0zrCz@ z{DqPC$9U16i*`xtbPk5-9I%1TrS)lHO6B5<%a6n@W>NLSqOBHuztH(_;SFyre$p9% zUCozkbfyKd5Tv0k;A$?0AdCZ{Dl8h}F#u|>@f4ymsCsqh)g94_zwk6Lz?DdX-FOwK z>t4C;yjldPs|s8$nxE4dqKaau_p?`!?ttP8sXcs z6Z({+afTc+eV4Q@5O{a)PtBgX4u-O&+(jx|O-ok`r19nQ;M6lz!YLoE;QT-7tLO1X}Ki^;W!uw@d@h~kNzzXfY;qu$=8%4hebDqC?GMV6{~I2fq^WL3Fi7W7KQ@iyG86pNAR6vktC94#IOb`C-@OM*IS1 z_B<1pcBgrO4;xRj*?a5?GR}z-MUHUT5uPu=(49Htq{H~~+s>~GV!{A=7ldhL2-AXV zm_{HrE#?0Smmwhk3&h-v8@c?yo+$nkd@C3E6h}V-Xc^UEBim`AIxpt-ie-^|9j`N3 z6))vU8lJd#rQV?K;xvlyT|(!d-X=DEmn4&IBFgl`UdpC?uX@_BQ$C-H`1nX$-?UB;*ThdQpj@$jvEuKC+H&3t^QRzF6J# zVnFCkcLgM0hHFI7kRpf>jHvp9Qm1Xq58&9^h1A)&Eb)887> z;G%cbeSB^Ds5`atRk+cN-*wcjh23Gm z(<2?$W~!MJ=G-+}oAX$@QTaYQ<7mBec<8Z0I!28fM+XzmKK%SSo=+2F`b=lxN}qYyoCvgYFs2|)SufkLA&z#=g!jyepcFUXiv{S7@@*lJfo6rIJK@QB# zU+TFdJY^@^44G`wLz(e7+1_ktaY4%q$^DVsHpi%S%?U=)X!r~P%>*4}z<~S!0TMod zg3IP3BS6W|14gbK*YC(ZTL>Zd?v~V_$W>oQZYKjB5P|?!%VtHy(O^4RQT+YiD)Qig zxayyZ8n7bNSp=2^IYDmLe|S%Im-^` z^y<_kt!U2v;#h%8=au;DSqH= zH{@2|dH*sF8Fqo3;Asz}$l6Z}xIsgK%VxI%tP6r*#V;d&s|dN36}awJelK7}ZfF*T zO8oC$$Pel|kG_**z0Y|o&hL$Y|9RnvbkdWQ)338^VXLDPxS!$i+axLpPQjDNl)PyY zyP-*(iC|%iXZBd1L}DMP;`ahpEStmu(6RGs`E48qE28i?u4-=@$IR-?K;v*8T_1

j8Ql#7=gl$+oGni&oCtx$8K(5I#Gx-02JZ z!f#fnj@y!Kqv&u>=5s8`<(a4*-wF1`dy_9dGe_ml_a`kygb?!|yh&#>?AGs!$Jy8> zaO9*3wBR4{6xhU1Pt*66;r;v(sk5(dmv{}mO?`;5qSAb*IkD$v53*MgJ6he_BMELL+(-v$&=_7>uU&%xAvXH@amIdB)E}5!(VFS?sG=ESi5_A z=@KTLZ4sA#9FAkT5;drUog2V>V*xyiiE)ktp{ZA*3Suuliv=^d)5{43)3$A|TBf%4 zN66aAS_XaYLFt&3vT)XI#Sq-6il?KEwL!qhmXN0w=k~6yT;ROk`P}bbJUU_+iN378h2r}Up#-^7E z^)P~s=U<8s0n|&+hX2%estbG~voI>4Rz1@b7b`0D^wB9WEatV*Z8Zibbg&?ou5w<8|?JZmOXkGh14*QzwO668K)#TA>eQBku2)e3o9iMoXcj@I& z>nDxC}5e%ldk}@t+#kIB_w(k)iFw3x)37tw235h!MZkxqboO%FL_CC** z()W7)F*skJnInO{1xFVTw^`^Z5Vu{|mnsZ%taW7k>b9>Ed)xS{y|`<0>-Ch$h-J0I z=d=}4PG-G06L~6|Tx$F7=7YlvLaH-@d|lPo_}gpj2{y;^5@eA$PHt+Qz4`3u?xf1> zJ$0J-Tyx*Mg4%t?-2MpUtt#lCJg-YX06J8Mk&m6}Yn6T2BF0}K5-qzD;t^Q>x+~+2 zOzd1=R<^hb_2Q+Ylc^P^+1vFSnBF~Y#l1w*C0|apWSzTrfRbqMpNs7wdzL&Y6KtPq zE{n>Fe8+vaB(BWI{d_P$iU8Rzg0}yG?BIM(6+1W7}3em_u)&SVA0aT*W~cF zk0oEfICtR?j2NZbUFkBW0j_j-r$I!&@6vEJp2vv&@lxM>S>o%959=z3gxusnq3?0( z@2}bB018Lpos2-+sF>LnU&pa-Ns%8dKSNhFar%lM-LU z7UgNp{PqNLzs0ddQNFq~nPr88ZC4h$KH?cV6oFd9v3~1RcWEH^=(7rc@+9sPr6u%Bh>gR+~ZRM+hl915OxmcOlC3j zLB6?sM|h862XD{tcLhTU25G{zYy5shV!adN>mi3$;}*9+q)899S2%weI7B5bFX8CE ztMXn?@wJaRtG(x``ALTA3)liJ zr+W-p&Acjydh&)Z3l=p!Lp^U&p0~3RX_40!O_f{BI7~bKUAu4hE_?0^9XCW-x=+g2 z(p60_`~G;gY#j4|@o>4oV_Ot%Znl`jj;KMB1w zm4J&b_S(Yt>hw%_I!>K2MF*ecnfvCVaCVutks(=?_l(UAgHxLBHQs}VntFZwZ|-6t zTfFxqP&C*MU1V0e@lm)j`0H1?J6rRU8s=Xor#pVcxznlzm~&91zD=aN?KWJ=@BQJ0 zv1;TQxf%ux_F!pF5q9mF)nkxGyXZc*ZeARis5jiFa^zdwPG9f+N;nD8hOI%3cWN4C zLBwYLbJC*kLL$*sNl0`YwFVo^GDp^tK?$ z@z|jZ7q&N}PGjS0qMBcMU%PhaOGO>1$~@b-<)OSbQ|5yX%l7mVp|k1yyWi_yl9GK< z+KA(qNcY3`zGgy-N_rYSsTfzHZ8Ee4KLB-|6%TxQw9yc( q$Zg8-Q*kpa0HxRmFf4NGH^Sn=pAangq3vunX5=R<L6b literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ssl/tls-1.2.test b/testing/btest/scripts/base/protocols/ssl/tls-1.2.test new file mode 100644 index 0000000000..25b9083587 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/tls-1.2.test 
@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -r $TRACES/tls1.2.trace %INPUT
+# @TEST-EXEC: btest-diff ssl.log