Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-06 08:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

TLS analyzer: change logic to track TLS 1.3 connection establishment

Browse source 
This commit changes the logic that is used to tracks connection
establishment - and moves it from scriptland into the core.

TLS 1.3 connection establishment is much more finnicky for us than the
establishment of earlier versions - since we cannot rely on the CCS
message anymore (which is meaningless and not sent in a lot of cases).

With this commit, the ssl_encrypted_data message gets raised for
encrypted TLS 1.3 handshake messages - which is much more correct than
the behavior before that just interpreted them as plaintext messages.

I will refine this a bit more - at the moment the connection established
event happens a bit too early - earlier than TLS 1.3 connections
actually can be estasblished.

Part of GH-1323
This commit is contained in:
Johanna Amann 2020-12-14 19:51:05 +00:00 committed by Johanna Amann
parent f5d306a732
commit bea3075c1f
5 changed files with 68 additions and 44 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/analyzer/protocol/ssl/SSL.h
View file

@ -24,6 +24,8 @@ public:
// Tell the analyzer that encryption has started.
void StartEncryption();
// Get the TLS version that the server chose. 0 if not yet known.
uint16_t GetNegotiatedVersion() const;
// Overriden from analyzer::tcp::TCP_ApplicationAnalyzer.
void EndpointEOF(bool is_orig) override;