SSL Analyzer: track connection direction by messages

This PR changes the way in which the SSL analyzer tracks the direction of connections. So far, the SSL analyzer assumed that the originator of a connection would send the client hello (and other associated client-side events), and that the responder would be the SSL servers. In some circumstances this is not true, and the initiator of a connection is the server, with the responder being the client. So far this confused some of the internal statekeeping logic and could lead to mis-parsing of extensions. This reversal of roles can happen in DTLS, if a connection uses STUN - and potentially in some StartTLS protocols. This PR tracks the direction of a TLS connection using the hello request, client hello and server hello handshake messages. Furthermore, it changes the SSL events from providing is_orig to providing is_client, where is_client is true for the client_side of a connection. Since the argument positioning in the event has not changed, old scripts will continue to work seamlessly - the new semantics are what everyone writing SSL scripts will have expected in any case. There is a new event that is raised when a connection is flipped. A weird is raised if a flip happens repeatedly. Addresses GH-2198.
2025-10-02 22:58:20 +00:00 · 2022-06-24 19:27:13 +02:00 · 2022-06-24 19:27:13 +02:00 · e14eddeb97
commit e14eddeb97
parent a7aa345c76
30 changed files with 344 additions and 179 deletions
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-stun-dpd/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-stun-dpd/.stdout
@ -0,0 +1,9 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+T, 11
+T, 10
+T, 15
+T, 14
+65279, \x8ev\xfa \xbf\x84\xd0[\xddQ\xe8\xce\xdb!\xdf\x8f\xa6kW\xc3zC\xb4\xa0z\x09o~, \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00, [49172, 49162, 57, 56, 55, 54, 136, 135, 134, 133, 49177, 58, 137, 49167, 49157, 53, 132, 49171, 49161, 51, 50, 49, 48, 154, 153, 152, 151, 69, 68, 67, 66, 49176, 52, 155, 70, 49166, 49156, 47, 150, 65, 7, 49170, 49160, 22, 19, 16, 13, 49175, 27, 49165, 49155, 10, 21, 18, 15, 12, 26, 9, 20, 17, 14, 11, 25, 8, 6, 49168, 49158, 49173, 49163, 49153, 2, 1, 255]
+F, 11
+F, 14
+F, 65281
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-stun-dpd/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls-stun-dpd/ssl.log
@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	ssl_history	cert_chain_fps	client_cert_chain_fps	subject	issuer	client_subject	client_issuer	sni_matches_cert
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	string	vector[string]	vector[string]	string	string	string	string	bool
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.6.82	51462	74.201.205.9	43044	DTLSv10	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA	secp256r1	-	F	-	-	T	cSXKRNxgyiI	d0f7ee6396c98da4e74888006af667bfeaecc8cd1babb67e900558a9bd649b9f	968126882d68eb80b03392edb9cce7260eec15a04b206ddfb5231449b5aaaa2f	CN=mantis.tokbox.com,O=Tokbox,L=San Francisco,ST=California,C=US	CN=mantis.tokbox.com,O=Tokbox,L=San Francisco,ST=California,C=US	CN=a	CN=a	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.6.82	51462	74.201.205.9	43044	DTLSv10	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA	secp256r1	-	F	-	-	T	^CsxkrnXGYIi	968126882d68eb80b03392edb9cce7260eec15a04b206ddfb5231449b5aaaa2f	d0f7ee6396c98da4e74888006af667bfeaecc8cd1babb67e900558a9bd649b9f	CN=a	CN=a	CN=mantis.tokbox.com,O=Tokbox,L=San Francisco,ST=California,C=US	CN=mantis.tokbox.com,O=Tokbox,L=San Francisco,ST=California,C=US	-
 #close XXXX-XX-XX-XX-XX-XX