SSL Analyzer: track connection direction by messages

This PR changes the way in which the SSL analyzer tracks the direction
of connections. So far, the SSL analyzer assumed that the originator of
a connection would send the client hello (and other associated
client-side events), and that the responder would be the SSL servers.

In some circumstances this is not true, and the initiator of a
connection is the server, with the responder being the client. So far
this confused some of the internal statekeeping logic and could lead to
mis-parsing of extensions.

This reversal of roles can happen in DTLS, if a connection uses STUN -
and potentially in some StartTLS protocols.

This PR tracks the direction of a TLS connection using the hello
request, client hello and server hello handshake messages. Furthermore,
it changes the SSL events from providing is_orig to providing is_client,
where is_client is true for the client_side of a connection. Since the
argument positioning in the event has not changed, old scripts will
continue to work seamlessly - the new semantics are what everyone
writing SSL scripts will have expected in any case.

There is a new event that is raised when a connection is flipped. A
weird is raised if a flip happens repeatedly.

Addresses GH-2198.

src/analyzer/protocol/ssl/DTLS.cc

@@ -83,4 +83,9 @@ bool DTLS_Analyzer::TryDecryptApplicationData(int len, const u_char* data, bool
 	return false;
 	}
 
+bool DTLS_Analyzer::GetFlipped()
+	{
+	return handshake_interp->flipped();
+	}
+
 	} // namespace zeek::analyzer::dtls

src/analyzer/protocol/ssl/DTLS.h

@@ -39,6 +39,14 @@ public:
 
 	static analyzer::Analyzer* Instantiate(Connection* conn) { return new DTLS_Analyzer(conn); }
 
+	/**
+	 * Check if the connection is flipped--meaning that the TLS client is the responder of the
+	 * connection.
+	 *
+	 * @return True if connection is flipped.
+	 */
+	bool GetFlipped();
+
 	/**
 	 * Try to decrypt TLS application data from a packet.
 	 *

src/analyzer/protocol/ssl/SSL.cc

@@ -413,4 +413,9 @@ void SSL_Analyzer::ForwardDecryptedData(const std::vector<u_char>& data, bool is
 	ForwardStream(data.size(), data.data(), is_orig);
 	}
 
+bool SSL_Analyzer::GetFlipped()
+	{
+	return handshake_interp->flipped();
+	}
+
 	} // namespace zeek::analyzer::ssl

src/analyzer/protocol/ssl/SSL.h

@@ -97,6 +97,14 @@ public:
 	 */
 	void SetKeys(const std::vector<u_char> newkeys);
 
+	/**
+	 * Check if the connection is flipped--meaning that the TLS client is the responder of the
+	 * connection.
+	 *
+	 * @return True if connection is flipped.
+	 */
+	bool GetFlipped();
+
 protected:
 	/**
 	 * Try to decrypt TLS application data from a packet. Requires secret or keys to be set prior.

src/analyzer/protocol/ssl/events.bif

@@ -34,7 +34,7 @@
 ##    ssl_session_ticket_handshake x509_certificate ssl_handshake_message
 ##    ssl_change_cipher_spec
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
-##    ssl_rsa_client_pms
+##    ssl_rsa_client_pms ssl_connection_flipped
 event ssl_client_hello%(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec%);
 
 ## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions
@@ -78,7 +78,7 @@ event ssl_client_hello%(c: connection, version: count, record_version: count, po
 ##    ssl_session_ticket_handshake x509_certificate
 ##    ssl_dh_server_params ssl_handshake_message ssl_change_cipher_spec
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
-##    ssl_rsa_client_pms
+##    ssl_rsa_client_pms ssl_connection_flipped
 event ssl_server_hello%(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%);
 
 ## Generated for SSL/TLS extensions seen in an initial handshake.  SSL/TLS
@@ -90,7 +90,9 @@ event ssl_server_hello%(c: connection, version: count, record_version: count, po
 ##
 ## c: The connection.
 ##
-## is_orig: True if event is raised for originator side of the connection.
+## is_client: True if event is raised for the client side of the connection
+##            (the side that sends the client hello). This is typically equivalent
+##            with the originator, but does not have to be in all circumstances.
 ##
 ## code: The numerical code of the extension.  The values are standardized as
 ##       part of the SSL/TLS protocol. The :zeek:id:`SSL::extensions` table maps
@@ -104,7 +106,8 @@ event ssl_server_hello%(c: connection, version: count, record_version: count, po
 ##    ssl_extension_server_name ssl_extension_signature_algorithm ssl_extension_key_share
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
-event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
+##    ssl_connection_flipped
+event ssl_extension%(c: connection, is_client: bool, code: count, val: string%);
 
 ## Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is
 ## defined in :rfc:`4492` and sent by the client in the initial handshake. It
@@ -112,7 +115,9 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
 ##
 ## c: The connection.
 ##
-## is_orig: True if event is raised for originator side of the connection.
+## is_client: True if event is raised for the client side of the connection
+##            (the side that sends the client hello). This is typically equivalent
+##            with the originator, but does not have to be in all circumstances.
 ##
 ## curves: List of supported elliptic curves.
 ##
@@ -124,7 +129,7 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
-event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%);
+event ssl_extension_elliptic_curves%(c: connection, is_client: bool, curves: index_vec%);
 
 ## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension
 ## is defined in :rfc:`4492` and sent by the client and/or server in the initial
@@ -133,7 +138,9 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index
 ##
 ## c: The connection.
 ##
-## is_orig: True if event is raised for originator side of the connection.
+## is_client: True if event is raised for the client side of the connection
+##            (the side that sends the client hello). This is typically equivalent
+##            with the originator, but does not have to be in all circumstances.
 ##
 ## point_formats: List of supported point formats.
 ##
@@ -146,7 +153,7 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_rsa_client_pms ssl_server_signature
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
-event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
+event ssl_extension_ec_point_formats%(c: connection, is_client: bool, point_formats: index_vec%);
 
 ## Generated for an Signature Algorithms extension. This TLS extension
 ## is defined in :rfc:`5246` and sent by the client in the initial
@@ -155,7 +162,9 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format
 ##
 ## c: The connection.
 ##
-## is_orig: True if event is raised for originator side of the connection.
+## is_client: True if event is raised for the client side of the connection
+##            (the side that sends the client hello). This is typically equivalent
+##            with the originator, but does not have to be in all circumstances.
 ##
 ## signature_algorithms: List of supported signature and hash algorithm pairs.
 ##
@@ -167,7 +176,7 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_rsa_client_pms ssl_server_signature
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
-event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec%);
+event ssl_extension_signature_algorithm%(c: connection, is_client: bool, signature_algorithms: signature_and_hashalgorithm_vec%);
 
 ## Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16
 ## and sent by the client and the server in the initial handshake. It gives the list of
@@ -175,7 +184,9 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature
 ##
 ## c: The connection.
 ##
-## is_orig: True if event is raised for the originator side of the connection.
+## is_client: True if event is raised for the client side of the connection
+##            (the side that sends the client hello). This is typically equivalent
+##            with the originator, but does not have to be in all circumstances.
 ##
 ## curves: List of supported/chosen named groups.
 ##
@@ -187,7 +198,7 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_rsa_client_pms ssl_server_signature
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
-event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%);
+event ssl_extension_key_share%(c: connection, is_client: bool, curves: index_vec%);
 
 ## Generated for the pre-shared key extension as it is sent in the TLS 1.3 client hello.
 ##
@@ -196,7 +207,9 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%)
 ##
 ## c: The connection.
 ##
-## is_orig: True if event is raised for the originator side of the connection
+## is_client: True if event is raised for the client side of the connection
+##            (the side that sends the client hello). This is typically equivalent
+##            with the originator, but does not have to be in all circumstances.
 ##
 ## identities: A list of the identities the client is willing to negotiate with the server.
 ##
@@ -209,13 +222,15 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%)
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_rsa_client_pms ssl_server_signature ssl_extension_pre_shared_key_server_hello
-event ssl_extension_pre_shared_key_client_hello%(c: connection, is_orig: bool, identities: psk_identity_vec, binders: string_vec%);
+event ssl_extension_pre_shared_key_client_hello%(c: connection, is_client: bool, identities: psk_identity_vec, binders: string_vec%);
 
 ## Generated for the pre-shared key extension as it is sent in the TLS 1.3 server hello.
 ##
 ## c: The connection.
 ##
-## is_orig: True if event is raised for the originator side of the connection
+## is_client: True if event is raised for the client side of the connection
+##            (the side that sends the client hello). This is typically equivalent
+##            with the originator, but does not have to be in all circumstances.
 ##
 ## selected_identity: The identity the server chose as a 0-based index into the identities
 ##                    the client sent.
@@ -227,7 +242,7 @@ event ssl_extension_pre_shared_key_client_hello%(c: connection, is_orig: bool, i
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params
 ##    ssl_rsa_client_pms ssl_server_signature ssl_extension_pre_shared_key_client_hello
-event ssl_extension_pre_shared_key_server_hello%(c: connection, is_orig: bool, selected_identity: count%);
+event ssl_extension_pre_shared_key_server_hello%(c: connection, is_client: bool, selected_identity: count%);
 
 ## Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve
 ## This event contains the named curve name and the server ECDH parameters contained
@@ -332,7 +347,9 @@ event ssl_rsa_client_pms%(c: connection, pms: string%);
 ##
 ## c: The connection.
 ##
-## is_orig: True if event is raised for originator side of the connection.
+## is_client: True if event is raised for the client side of the connection
+##            (the side that sends the client hello). This is typically equivalent
+##            with the originator, but does not have to be in all circumstances.
 ##
 ## protocols: List of supported application layer protocols.
 ##
@@ -343,7 +360,7 @@ event ssl_rsa_client_pms%(c: connection, pms: string%);
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_extension_signed_certificate_timestamp
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
-event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%);
+event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_client: bool, protocols: string_vec%);
 
 ## Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is
 ## defined in :rfc:`3546` and sent by the client in the initial handshake. It
@@ -353,7 +370,9 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or
 ##
 ## c: The connection.
 ##
-## is_orig: True if event is raised for originator side of the connection.
+## is_client: True if event is raised for the client side of the connection
+##            (the side that sends the client hello). This is typically equivalent
+##            with the originator, but does not have to be in all circumstances.
 ##
 ## names: A list of server names (DNS hostnames).
 ##
@@ -365,7 +384,7 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions
 ##    ssl_extension_signed_certificate_timestamp
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
-event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec%);
+event ssl_extension_server_name%(c: connection, is_client: bool, names: string_vec%);
 
 ## Generated for the signed_certificate_timestamp TLS extension as defined in
 ## :rfc:`6962`. The extension is used to transmit signed proofs that are
@@ -373,7 +392,9 @@ event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec
 ##
 ## c: The connection.
 ##
-## is_orig: True if event is raised for originator side of the connection.
+## is_client: True if event is raised for the client side of the connection
+##            (the side that sends the client hello). This is typically equivalent
+##            with the originator, but does not have to be in all circumstances.
 ##
 ## version: the version of the protocol to which the SCT conforms. Always
 ##          should be 0 (representing version 1)
@@ -396,7 +417,7 @@ event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec
 ##    ssl_extension_application_layer_protocol_negotiation
 ##    x509_ocsp_ext_signed_certificate_timestamp sct_verify
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
-event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%);
+event ssl_extension_signed_certificate_timestamp%(c: connection, is_client: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%);
 
 ## Generated for an TLS Supported Versions extension. This TLS extension
 ## is defined in the TLS 1.3 rfc and sent by the client in the initial handshake.
@@ -405,7 +426,9 @@ event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool,
 ##
 ## c: The connection.
 ##
-## is_orig: True if event is raised for originator side of the connection.
+## is_client: True if event is raised for the client side of the connection
+##            (the side that sends the client hello). This is typically equivalent
+##            with the originator, but does not have to be in all circumstances.
 ##
 ## versions: List of supported TLS versions.
 ##
@@ -416,14 +439,16 @@ event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool,
 ##    ssl_extension_key_share ssl_extension_server_name
 ##    ssl_extension_psk_key_exchange_modes ssl_extension_signed_certificate_timestamp
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
-event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions: index_vec%);
+event ssl_extension_supported_versions%(c: connection, is_client: bool, versions: index_vec%);
 
 ## Generated for an TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined
 ## in the TLS 1.3 rfc and sent by the client in the initial handshake. It contains the
 ## list of Pre-Shared Key Exchange Modes that it supports.
 ## c: The connection.
 ##
-## is_orig: True if event is raised for originator side of the connection.
+## is_client: True if event is raised for the client side of the connection
+##            (the side that sends the client hello). This is typically equivalent
+##            with the originator, but does not have to be in all circumstances.
 ##
 ## versions: List of supported Pre-Shared Key Exchange Modes.
 ##
@@ -434,7 +459,7 @@ event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions:
 ##    ssl_extension_key_share ssl_extension_server_name
 ##    ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp
 ##    ssl_extension_pre_shared_key_server_hello ssl_extension_pre_shared_key_client_hello
-event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: index_vec%);
+event ssl_extension_psk_key_exchange_modes%(c: connection, is_client: bool, modes: index_vec%);
 
 ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
 ## an unencrypted handshake, and Zeek extracts as much information out of that
@@ -462,7 +487,9 @@ event ssl_established%(c: connection%);
 ##
 ## c: The connection.
 ##
-## is_orig: True if event is raised for originator side of the connection.
+## is_client: True if event is raised for the client side of the connection
+##            (the side that sends the client hello). This is typically equivalent
+##            with the originator, but does not have to be in all circumstances.
 ##
 ## level: The severity level, as sent in the *alert*. The values are defined as
 ##        part of the SSL/TLS protocol.
@@ -472,7 +499,7 @@ event ssl_established%(c: connection%);
 ##
 ## .. zeek:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_session_ticket_handshake
-event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
+event ssl_alert%(c: connection, is_client: bool, level: count, desc: count%);
 
 ## Generated for SSL/TLS handshake messages that are a part of the
 ## stateless-server session resumption mechanism. SSL/TLS sessions start with
@@ -501,7 +528,9 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count,
 ##
 ## c: The connection.
 ##
-## is_orig: True if event is raised for originator side of the connection.
+## is_client: True if event is raised for the client side of the connection
+##            (the side that sends the client hello). This is typically equivalent
+##            with the originator, but does not have to be in all circumstances.
 ##
 ## length: length of the entire heartbeat message.
 ##
@@ -515,7 +544,7 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count,
 ##
 ## .. zeek:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_alert ssl_encrypted_data
-event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%);
+event ssl_heartbeat%(c: connection, is_client: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%);
 
 ## Generated for SSL/TLS messages that are sent before full session encryption
 ## starts. Note that "full encryption" is a bit fuzzy, especially for TLSv1.3;
@@ -526,7 +555,9 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type
 ##
 ## c: The connection.
 ##
-## is_orig: True if event is raised for originator side of the connection.
+## is_client: True if event is raised for the client side of the connection
+##            (the side that sends the client hello). This is typically equivalent
+##            with the originator, but does not have to be in all circumstances.
 ##
 ## record_version: TLS version given in the record layer of the message.
 ##                 Set to 0 for SSLv2.
@@ -538,7 +569,7 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type
 ##
 ## .. zeek:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_alert ssl_heartbeat
-event ssl_plaintext_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count%);
+event ssl_plaintext_data%(c: connection, is_client: bool, record_version: count, content_type: count, length: count%);
 
 ## Generated for SSL/TLS messages that are sent after session encryption
 ## started.
@@ -548,7 +579,9 @@ event ssl_plaintext_data%(c: connection, is_orig: bool, record_version: count, c
 ##
 ## c: The connection.
 ##
-## is_orig: True if event is raised for originator side of the connection.
+## is_client: True if event is raised for the client side of the connection
+##            (the side that sends the client hello). This is typically equivalent
+##            with the originator, but does not have to be in all circumstances.
 ##
 ## record_version: TLS version given in the record layer of the message.
 ##                 Set to 0 for SSLv2.
@@ -560,7 +593,7 @@ event ssl_plaintext_data%(c: connection, is_orig: bool, record_version: count, c
 ##
 ## .. zeek:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_alert ssl_heartbeat ssl_probable_encrypted_handshake_message
-event ssl_encrypted_data%(c: connection, is_orig: bool, record_version: count, content_type: count, length: count%);
+event ssl_encrypted_data%(c: connection, is_client: bool, record_version: count, content_type: count, length: count%);
 
 ## This event is generated for application data records of TLS 1.3 connections of which
 ## we suspect that they contain handshake messages.
@@ -587,13 +620,15 @@ event ssl_encrypted_data%(c: connection, is_orig: bool, record_version: count, c
 ##
 ## c: The connection.
 ##
-## is_orig: True if event is raised for originator side of the connection.
+## is_client: True if event is raised for the client side of the connection
+##            (the side that sends the client hello). This is typically equivalent
+##            with the originator, but does not have to be in all circumstances.
 ##
 ## length: length of the entire message.
 ##
 ## .. zeek:see::  ssl_client_hello ssl_established ssl_server_hello
 ##    ssl_encrypted_data
-event ssl_probable_encrypted_handshake_message%(c: connection, is_orig: bool, length: count%);
+event ssl_probable_encrypted_handshake_message%(c: connection, is_client: bool, length: count%);
 
 ## This event contains the OCSP response contained in a Certificate Status Request
 ## message, when the client requested OCSP stapling and the server supports it.
@@ -601,16 +636,20 @@ event ssl_probable_encrypted_handshake_message%(c: connection, is_orig: bool, le
 ##
 ## c: The connection.
 ##
-## is_orig: True if event is raised for originator side of the connection.
+## is_client: True if event is raised for the client side of the connection
+##            (the side that sends the client hello). This is typically equivalent
+##            with the originator, but does not have to be in all circumstances.
 ##
 ## response: OCSP data.
-event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%);
+event ssl_stapled_ocsp%(c: connection, is_client: bool, response: string%);
 
 ## This event is raised for each unencrypted SSL/TLS handshake message.
 ##
 ## c: The connection.
 ##
-## is_orig: True if event is raised for originator side of the connection.
+## is_client: True if event is raised for the client side of the connection
+##            (the side that sends the client hello). This is typically equivalent
+##            with the originator, but does not have to be in all circumstances.
 ##
 ## msg_type: Type of the handshake message that was seen.
 ##
@@ -618,17 +657,33 @@ event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%);
 ##
 ## .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
 ##    ssl_session_ticket_handshake x509_certificate ssl_client_hello
-##    ssl_change_cipher_spec
-event ssl_handshake_message%(c: connection, is_orig: bool, msg_type: count, length: count%);
+##    ssl_change_cipher_spec ssl_connection_flipped
+event ssl_handshake_message%(c: connection, is_client: bool, msg_type: count, length: count%);
 
 ## This event is raised when a SSL/TLS ChangeCipherSpec message is encountered
 ## before encryption begins. Traffic will be encrypted following this message.
 ##
 ## c: The connection.
 ##
-## is_orig: True if event is raised for originator side of the connection.
+## is_client: True if event is raised for the client side of the connection
+##            (the side that sends the client hello). This is typically equivalent
+##            with the originator, but does not have to be in all circumstances.
 ##
 ## .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
 ##    ssl_session_ticket_handshake x509_certificate ssl_client_hello
 ##    ssl_handshake_message
-event ssl_change_cipher_spec%(c: connection, is_orig: bool%);
+event ssl_change_cipher_spec%(c: connection, is_client: bool%);
+
+## Zeek typically assumes that the originator of a connection is the client of the SSL/TLS
+## session. In some scenarios this does not hold, and the responder of a connection is the
+## client, and the initiator is the server.
+##
+## In these cases, Zeek raises this event. Connection direction is detected by looking at the
+## server hello, client hello, and hello request handshake messages.
+##
+## c: The connection.
+##
+## .. zeek:see:: ssl_alert ssl_established ssl_extension ssl_server_hello
+##    ssl_session_ticket_handshake x509_certificate ssl_client_hello
+##    ssl_handshake_message
+event ssl_connection_flipped%(c: connection%);

src/analyzer/protocol/ssl/proc-certificate.pac

@@ -3,10 +3,18 @@ function proc_certificate(is_orig: bool, certificates : bytestring[]) : bool
 	if ( certificates->size() == 0 )
 		return true;
 
+	// this has to execute in both contexts, ssl and tls-handshake. In one we have flipped_,
+	// in the other we have ssl_analyzer()->GetFlipped(). And in both cases the other case
+	// does not work (and cannot be made to work easily).
+
+#ifndef USE_FLIPPED
+	bool flipped_ = zeek_analyzer()->GetFlipped();
+#endif
+
 	zeek::ODesc common;
 	common.AddRaw("Analyzer::ANALYZER_SSL");
 	common.Add(zeek_analyzer()->Conn()->StartTime());
-	common.AddRaw(is_orig ? "T" : "F", 1);
+	common.AddRaw(is_orig ^ flipped_ ? "T" : "F", 1);
 	zeek_analyzer()->Conn()->IDString(&common);
 
 	static const string user_mime = "application/x-x509-user-cert";
@@ -31,7 +39,7 @@ function proc_certificate(is_orig: bool, certificates : bytestring[]) : bool
 
 		zeek::file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
 		                       cert.length(), zeek_analyzer()->GetAnalyzerTag(),
-		                       zeek_analyzer()->Conn(), is_orig,
+		                       zeek_analyzer()->Conn(), is_orig ^ flipped_,
 		                       file_id, i == 0 ? user_mime : ca_mime);
 		zeek::file_mgr->EndOfFile(file_id);
 		}

src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac

@@ -34,7 +34,7 @@ refine connection SSL_Conn += {
 		%{
 		if ( ssl_alert )
 			zeek::BifEvent::enqueue_ssl_alert(zeek_analyzer(), zeek_analyzer()->Conn(),
-							${rec.is_orig}, level, desc);
+							${rec.is_orig} ^ zeek_analyzer()->GetFlipped(), level, desc);
 		return true;
 		%}
 	function proc_unknown_record(rec: SSLRecord) : bool
@@ -66,13 +66,13 @@ refine connection SSL_Conn += {
 		if ( ssl_encrypted_data )
 			{
 			zeek::BifEvent::enqueue_ssl_encrypted_data(zeek_analyzer(),
-				zeek_analyzer()->Conn(), ${rec.is_orig}, ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length});
+				zeek_analyzer()->Conn(), ${rec.is_orig} ^ zeek_analyzer()->GetFlipped(), ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length});
 			}
 
 		if ( rec->content_type() == APPLICATION_DATA && decryption_failed_ == false )
 			{
 			// If decryption of one packet fails, do not try to decrypt future packets.
-			if ( ! zeek_analyzer()->TryDecryptApplicationData(cont.length(), cont.begin(), rec->is_orig(), rec->content_type(), rec->raw_tls_version()) )
+			if ( ! zeek_analyzer()->TryDecryptApplicationData(cont.length(), cont.begin(), rec->is_orig() ^ zeek_analyzer()->GetFlipped(), rec->content_type(), rec->raw_tls_version()) )
 				decryption_failed_ = true;
 			}
 
@@ -83,7 +83,7 @@ refine connection SSL_Conn += {
 		%{
 		if ( ssl_plaintext_data )
 			zeek::BifEvent::enqueue_ssl_plaintext_data(zeek_analyzer(),
-				zeek_analyzer()->Conn(), ${rec.is_orig}, ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length});
+				zeek_analyzer()->Conn(), ${rec.is_orig} ^ zeek_analyzer()->GetFlipped(), ${rec.raw_tls_version}, ${rec.content_type}, ${rec.length});
 
 		return true;
 		%}
@@ -92,7 +92,7 @@ refine connection SSL_Conn += {
 		%{
 		if ( ssl_heartbeat )
 			zeek::BifEvent::enqueue_ssl_heartbeat(zeek_analyzer(),
-				zeek_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length,
+				zeek_analyzer()->Conn(), ${rec.is_orig} ^ zeek_analyzer()->GetFlipped(), ${rec.length}, type, payload_length,
 				zeek::make_intrusive<zeek::StringVal>(data.length(), (const char*) data.data()));
 		return true;
 		%}
@@ -114,7 +114,7 @@ refine connection SSL_Conn += {
 		%{
 		if ( ssl_change_cipher_spec )
 			zeek::BifEvent::enqueue_ssl_change_cipher_spec(zeek_analyzer(),
-				zeek_analyzer()->Conn(), ${rec.is_orig});
+				zeek_analyzer()->Conn(), ${rec.is_orig} ^ zeek_analyzer()->GetFlipped());
 
 		return true;
 		%}

src/analyzer/protocol/ssl/tls-handshake-analyzer.pac

@@ -161,7 +161,7 @@ refine connection Handshake_Conn += {
 
 		if ( ssl_extension )
 			zeek::BifEvent::enqueue_ssl_extension(zeek_analyzer(),
-						zeek_analyzer()->Conn(), ${rec.is_orig}, type,
+						zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, type,
 						zeek::make_intrusive<zeek::StringVal>(length, reinterpret_cast<const char*>(data)));
 		return true;
 		%}
@@ -180,7 +180,7 @@ refine connection Handshake_Conn += {
 			}
 
 		zeek::BifEvent::enqueue_ssl_extension_ec_point_formats(zeek_analyzer(), zeek_analyzer()->Conn(),
-		   ${rec.is_orig}, std::move(points));
+		   ${rec.is_orig} ^ flipped_, std::move(points));
 
 		return true;
 		%}
@@ -199,7 +199,7 @@ refine connection Handshake_Conn += {
 			}
 
 		zeek::BifEvent::enqueue_ssl_extension_elliptic_curves(zeek_analyzer(), zeek_analyzer()->Conn(),
-		   ${rec.is_orig}, std::move(curves));
+		   ${rec.is_orig} ^ flipped_, std::move(curves));
 
 		return true;
 		%}
@@ -217,7 +217,7 @@ refine connection Handshake_Conn += {
 				nglist->Assign(i, zeek::val_mgr->Count((*keyshare)[i]->namedgroup()));
 			}
 
-		zeek::BifEvent::enqueue_ssl_extension_key_share(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist));
+		zeek::BifEvent::enqueue_ssl_extension_key_share(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, std::move(nglist));
 
 		return true;
 		%}
@@ -230,7 +230,7 @@ refine connection Handshake_Conn += {
 		auto nglist = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);
 
 		nglist->Assign(0u, zeek::val_mgr->Count(keyshare->namedgroup()));
-		zeek::BifEvent::enqueue_ssl_extension_key_share(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist));
+		zeek::BifEvent::enqueue_ssl_extension_key_share(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, std::move(nglist));
 		return true;
 		%}
 
@@ -242,7 +242,7 @@ refine connection Handshake_Conn += {
 		auto nglist = zeek::make_intrusive<zeek::VectorVal>(zeek::id::index_vec);
 
 		nglist->Assign(0u, zeek::val_mgr->Count(namedgroup));
-		zeek::BifEvent::enqueue_ssl_extension_key_share(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(nglist));
+		zeek::BifEvent::enqueue_ssl_extension_key_share(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, std::move(nglist));
 		return true;
 		%}
 
@@ -264,7 +264,7 @@ refine connection Handshake_Conn += {
 				}
 			}
 
-		zeek::BifEvent::enqueue_ssl_extension_signature_algorithm(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig}, std::move(slist));
+		zeek::BifEvent::enqueue_ssl_extension_signature_algorithm(zeek_analyzer(), zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, std::move(slist));
 
 		return true;
 		%}
@@ -283,7 +283,7 @@ refine connection Handshake_Conn += {
 			}
 
 		zeek::BifEvent::enqueue_ssl_extension_application_layer_protocol_negotiation(zeek_analyzer(), zeek_analyzer()->Conn(),
-											${rec.is_orig}, std::move(plist));
+											${rec.is_orig} ^ flipped_, std::move(plist));
 
 		return true;
 		%}
@@ -312,7 +312,7 @@ refine connection Handshake_Conn += {
 
 		if ( ssl_extension_server_name )
 			zeek::BifEvent::enqueue_ssl_extension_server_name(zeek_analyzer(), zeek_analyzer()->Conn(),
-		   	   ${rec.is_orig}, std::move(servers));
+		   	   ${rec.is_orig} ^ flipped_, std::move(servers));
 
 		return true;
 		%}
@@ -331,7 +331,7 @@ refine connection Handshake_Conn += {
 			}
 
 		zeek::BifEvent::enqueue_ssl_extension_supported_versions(zeek_analyzer(), zeek_analyzer()->Conn(),
-			${rec.is_orig}, std::move(versions));
+			${rec.is_orig} ^ flipped_, std::move(versions));
 
 		return true;
 		%}
@@ -345,7 +345,7 @@ refine connection Handshake_Conn += {
 		versions->Assign(0u, zeek::val_mgr->Count(version));
 
 		zeek::BifEvent::enqueue_ssl_extension_supported_versions(zeek_analyzer(), zeek_analyzer()->Conn(),
-			${rec.is_orig}, std::move(versions));
+			${rec.is_orig} ^ flipped_, std::move(versions));
 
 		return true;
 		%}
@@ -364,7 +364,7 @@ refine connection Handshake_Conn += {
 			}
 
 		zeek::BifEvent::enqueue_ssl_extension_psk_key_exchange_modes(zeek_analyzer(), zeek_analyzer()->Conn(),
-			${rec.is_orig}, std::move(modes));
+			${rec.is_orig} ^ flipped_, std::move(modes));
 
 		return true;
 		%}
@@ -412,7 +412,7 @@ refine connection Handshake_Conn += {
 			if ( ssl_stapled_ocsp )
 				zeek::BifEvent::enqueue_ssl_stapled_ocsp(zeek_analyzer(),
 				        zeek_analyzer()->Conn(),
-				        ${rec.is_orig},
+				        ${rec.is_orig} ^ flipped_,
 				        zeek::make_intrusive<zeek::StringVal>(response.length(), (const char*) response.data()));
 
 			zeek::file_mgr->EndOfFile(file_id);
@@ -515,7 +515,7 @@ refine connection Handshake_Conn += {
 		ha->Assign(1, digitally_signed_algorithms->SignatureAlgorithm());
 
 		zeek::BifEvent::enqueue_ssl_extension_signed_certificate_timestamp(zeek_analyzer(),
-			zeek_analyzer()->Conn(), ${rec.is_orig},
+			zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_,
 			version,
 			zeek::make_intrusive<zeek::StringVal>(logid.length(), reinterpret_cast<const char*>(logid.begin())),
 			timestamp,
@@ -578,7 +578,7 @@ refine connection Handshake_Conn += {
 		%{
 		if ( ssl_handshake_message )
 			zeek::BifEvent::enqueue_ssl_handshake_message(zeek_analyzer(),
-				zeek_analyzer()->Conn(), is_orig, msg_type, to_int()(length));
+				zeek_analyzer()->Conn(), is_orig ^ flipped_, msg_type, to_int()(length));
 
 		return true;
 		%}
@@ -610,7 +610,7 @@ refine connection Handshake_Conn += {
 			}
 
 		zeek::BifEvent::enqueue_ssl_extension_pre_shared_key_client_hello(zeek_analyzer(), zeek_analyzer()->Conn(),
-			${rec.is_orig}, std::move(slist), std::move(blist));
+			${rec.is_orig} ^ flipped_, std::move(slist), std::move(blist));
 
 		return true;
 		%}
@@ -621,7 +621,7 @@ refine connection Handshake_Conn += {
 			return true;
 
 		zeek::BifEvent::enqueue_ssl_extension_pre_shared_key_server_hello(zeek_analyzer(),
-			zeek_analyzer()->Conn(), ${rec.is_orig}, selected_identity);
+			zeek_analyzer()->Conn(), ${rec.is_orig} ^ flipped_, selected_identity);
 
 		return true;
 		%}

src/analyzer/protocol/ssl/tls-handshake-protocol.pac

@@ -61,7 +61,9 @@ type UnknownHandshake(hs: HandshakeRecord, is_orig: bool) = record {
 ######################################################################
 
 # Hello Request is empty
-type HelloRequest(rec: HandshakeRecord) = empty;
+type HelloRequest(rec: HandshakeRecord) = record {
+	direction_check : DirectionCheck(false, rec); # should be sent by responder
+};
 
 
 ######################################################################
@@ -69,6 +71,7 @@ type HelloRequest(rec: HandshakeRecord) = empty;
 ######################################################################
 
 type ClientHello(rec: HandshakeRecord) = record {
+	direction_check : DirectionCheck(true, rec); # should be sent by originator
 	client_version : uint16;
 	gmt_unix_time : uint32;
 	random_bytes : bytestring &length = 28;
@@ -100,6 +103,7 @@ type ClientHelloCookie(rec: HandshakeRecord) = record {
 # TLS 1.3 server hello is different from earlier versions. Trick around a
 # bit, route 1.3 requests to a different record than earlier.
 type ServerHelloChoice(rec: HandshakeRecord) = record {
+	direction_check : DirectionCheck(false, rec); # should be sent by responder
 	server_version0 : uint8;
 	server_version1 : uint8;
 	hello: case parsed_version of {
@@ -140,6 +144,13 @@ type ServerHello13(rec: HandshakeRecord, server_version: uint16) = record {
 		$context.connection.set_cipher(cipher_suite[0]);
 };
 
+# Used to check if originator/responder are reversed for this connection
+
+type DirectionCheck(desired: bool, rec: HandshakeRecord) = record {
+} &let {
+	proc : bool = $context.connection.check_flipped(desired, rec.is_orig);
+};
+
 ######################################################################
 # DTLS Hello Verify Request
 ######################################################################
@@ -785,7 +796,7 @@ type SSLExtension(rec: HandshakeRecord) = record {
 
 %include tls-handshake-signed_certificate_timestamp.pac
 
-type SupportedVersionsSelector(rec: HandshakeRecord, data_len: uint16) = case rec.is_orig of {
+type SupportedVersionsSelector(rec: HandshakeRecord, data_len: uint16) = case ( rec.is_orig ^ $context.connection.flipped() ) of {
 	true -> a: SupportedVersions(rec);
 	false -> b: OneSupportedVersion(rec);
 }
@@ -946,9 +957,13 @@ refine connection Handshake_Conn += {
 		bytestring client_random_;
 		bytestring server_random_;
 		uint32 gmt_unix_time_;
+		bool flipped_;
+		bool already_alerted_;
 	%}
 
 	%init{
+		flipped_ = false;
+		already_alerted_ = false;
 		chosen_cipher_ = NO_CHOSEN_CIPHER;
 		chosen_version_ = UNKNOWN_VERSION;
 
@@ -985,6 +1000,39 @@ refine connection Handshake_Conn += {
 		return true;
 		%}
 
+	function check_flipped(desired: bool, is_orig: bool) : bool
+		%{
+		if ( flipped_ )
+			{
+			if ( desired == is_orig )
+				{
+				// well, I guess we get to flip it back - and alert on this
+				flipped_ = false;
+				zeek::BifEvent::enqueue_ssl_connection_flipped(zeek_analyzer(), zeek_analyzer()->Conn());
+				if ( ! already_alerted_ )
+					{
+					already_alerted_ = true;
+					zeek_analyzer()->Weird("SSL_unclear_connection_direction");
+					}
+				}
+			}
+			else
+			{
+			if ( desired != is_orig )
+				{
+				flipped_ = true;
+				zeek::BifEvent::enqueue_ssl_connection_flipped(zeek_analyzer(), zeek_analyzer()->Conn());
+				}
+			}
+
+		return true;
+		%}
+
+	function flipped() : bool
+		%{
+		return flipped_;
+		%}
+
 	function record_version() : uint16 %{ return record_version_; %}
 
 	function set_record_version(version: uint16) : bool

src/analyzer/protocol/ssl/tls-handshake.pac

@@ -8,6 +8,7 @@
 
 #include "zeek/analyzer/protocol/ssl/types.bif.h"
 #include "zeek/analyzer/protocol/ssl/events.bif.h"
+#define USE_FLIPPED
 %}
 
 analyzer TLSHandshake withcontext {