Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 23:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Recognize TLS 1.3 negotiation correctly.

Browse source 
The way in which TLS 1.3 is negotiated was changed slightly in later
revisions of the standard. The final version is only sent in an
extension - while the version field in the server hello still shows TLS
1.2.

This patch makes ssl.log show the correct version again.
This commit is contained in:
Johanna Amann 2018-03-27 14:58:06 -07:00
parent 961f0dfb25
commit f39efd0317
8 changed files with 57 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

19
scripts/base/protocols/ssl/main.bro
View file

@ -216,14 +216,29 @@ event ssl_server_hello(c: connection, version: count, possible_ts: time, server_
{
set_session(c);
c$ssl$version_num = version;
c$ssl$version = version_strings[version];
# If it is already filled, we saw a supported_versions extensions which overrides this.
if ( ! c$ssl?$version_num )
{
c$ssl$version_num = version;
c$ssl$version = version_strings[version];
}
c$ssl$cipher = cipher_desc[cipher];
if ( c$ssl?$session_id && c$ssl$session_id == bytestring_to_hexstr(session_id) )
c$ssl$resumed = T;
}
event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec)
{
if ( is_orig || |versions| != 1 )
return;
set_session(c);
c$ssl$version_num = versions[0];
c$ssl$version = version_strings[versions[0]];
}
event ssl_ecdh_server_params(c: connection, curve: count, point: string) &priority=5
{
set_session(c);