Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
zeek/testing/btest/scripts/base/protocols/ssl/tls13-experiment.test
Johanna Amann e14eddeb97 SSL Analyzer: track connection direction by messages 
This PR changes the way in which the SSL analyzer tracks the direction
of connections. So far, the SSL analyzer assumed that the originator of
a connection would send the client hello (and other associated
client-side events), and that the responder would be the SSL servers.

In some circumstances this is not true, and the initiator of a
connection is the server, with the responder being the client. So far
this confused some of the internal statekeeping logic and could lead to
mis-parsing of extensions.

This reversal of roles can happen in DTLS, if a connection uses STUN -
and potentially in some StartTLS protocols.

This PR tracks the direction of a TLS connection using the hello
request, client hello and server hello handshake messages. Furthermore,
it changes the SSL events from providing is_orig to providing is_client,
where is_client is true for the client_side of a connection. Since the
argument positioning in the event has not changed, old scripts will
continue to work seamlessly - the new semantics are what everyone
writing SSL scripts will have expected in any case.

There is a new event that is raised when a connection is flipped. A
weird is raised if a flip happens repeatedly.

Addresses GH-2198.
2022-06-24 18:35:44 +01:00

21 lines
922 B
Text
Raw Blame History

# @TEST-EXEC: zeek -b -C -r $TRACES/tls/chrome-63.0.3211.0-canary-tls_experiment.pcap %INPUT
# @TEST-EXEC: btest-diff ssl.log
# @TEST-EXEC: btest-diff .stdout
# This is a trace that uses a completely non-standard way of establishing TLS 1.3; this seems
# to be an undocumented extension where the TLS version is negotiated via the server sending back
# an supported_versions extension (which, according to the RFC is strictly prohibited).
#
# This only seems to happen with Chrome talking to google servers. We do not recognize this as
# TLS 1.3, but we do not abort when encountering traffic like this.
#
# In the meantime this way of establishing TLS 1.3 was standardized. Still keeping the test even
# though we parse this correctly now.
@load base/protocols/ssl
event ssl_extension(c: connection, is_client: bool, code: count, val: string)
{
if ( ! is_client && code == 43 )
print bytestring_to_hexstr(val);
}
Reference in a new issue View git blame Copy permalink