mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
7967a5b0aa
- Use `-b` most everywhere, it will save time. - Start some intel tests upon the input file being fully read instead of at an arbitrary time. - Improve termination condition for some sumstats/cluster tests. - Filter uninteresting output from some supervisor tests. - Test for `notice_policy.log` is no longer needed.
21 lines
918 B
Text
21 lines
918 B
Text
# @TEST-EXEC: zeek -b -C -r $TRACES/tls/chrome-63.0.3211.0-canary-tls_experiment.pcap %INPUT
|
|
# @TEST-EXEC: btest-diff ssl.log
|
|
# @TEST-EXEC: btest-diff .stdout
|
|
|
|
# This is a trace that uses a completely non-standard way of establishing TLS 1.3; this seems
|
|
# to be an undocumented extension where the TLS version is negotiated via the server sending back
|
|
# an supported_versions extension (which, according to the RFC is strictly prohibited).
|
|
#
|
|
# This only seems to happen with Chrome talking to google servers. We do not recognize this as
|
|
# TLS 1.3, but we do not abort when encountering traffic like this.
|
|
#
|
|
# In the meantime this way of establishing TLS 1.3 was standardized. Still keeping the test even
|
|
# though we parse this correctly now.
|
|
|
|
@load base/protocols/ssl
|
|
|
|
event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
|
|
{
|
|
if ( ! is_orig && code == 43 )
|
|
print bytestring_to_hexstr(val);
|
|
}
|