Bug #1560
closed
Newline in certificate subject name results in premature line break in TLS log
Description
An example is the site https://25livepub.collegenet.com/CollegeNET/, whose certificate has a newline embedded in the address field of the subject name. When I view the certificate in Safari, I see "805 SW Broadway%0D%0ASuite 1600" for the address. In the Suricata TLS log, this newline is not escaped and results in the log line being split into two:
10.0.0.1:49396 -> 74.122.104.133:443 TLS: Subject='C=US, unknown=97205, ST=OR, L=Portland, unknown=805 SW Broadway#015 Suite 1600, O=CollegeNET, OU=IT, OU=Gandi Pro SSL, CN=25livepub.collegenet.com' Issuerdn='C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Pro SSL CA 2' SHA1='9f:50:03:e2:f4:62:45:4d:69:88:4d:76:21:5f:6f:bc:bf:58:f9:e0' VERSION='TLS 1.2'
Is there a good/natural place in the code where the newline can be escaped?
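The escaping asked about above, as an added example that is not part of the original report and is not Suricata's code: a C sketch with a hypothetical helper, `escape_log_field`, applied to a subject value before it is written into the single-quoted `Subject='...'` field. Escaping the quote, the backslash and non-ASCII bytes in addition to control bytes is a choice made for this example, and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Suricata's code: copy a raw DN string into dst,
 * escaping every byte that could break a one-line, single-quoted log field.
 * Returns the escaped length, or -1 if dst is too small. */
static int escape_log_field(const unsigned char *src, size_t src_len,
                            char *dst, size_t dst_size)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (dst_size == 0) return -1;
    for (size_t i = 0; i < src_len; i++) {
        unsigned char c = src[i];
        if (c == '\\' || c == '\'') {
            /* backslash is the escape character, quote delimits the field */
            if (o + 2 >= dst_size) return -1;
            dst[o++] = '\\';
            dst[o++] = (char)c;
        } else if (c < 0x20 || c >= 0x7f) {
            /* CR, LF, NUL, other control bytes, non-ASCII: emit \xNN */
            if (o + 4 >= dst_size) return -1;
            dst[o++] = '\\';
            dst[o++] = 'x';
            dst[o++] = hex[c >> 4];
            dst[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= dst_size) return -1;
            dst[o++] = (char)c;
        }
    }
    dst[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample: street-address value with an embedded CR LF. */
    const unsigned char addr[] = "805 SW Broadway\r\nSuite 1600";
    char out[128];

    if (escape_log_field(addr, sizeof(addr) - 1, out, sizeof(out)) < 0)
        return 1;
    printf("TLS: Subject='unknown=%s'\n", out);
    return 0;
}
```

The length is passed explicitly rather than taken from `strlen`, so a NUL byte embedded in a certificate field is escaped instead of silently truncating the logged value.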
Updated by Andreas Herz about 8 years ago
- Assignee set to Mats Klepsland
- Target version set to TBD
Mats, can you look into that?
Updated by Andreas Herz over 5 years ago
- Status changed from New to Closed
I tried to reproduce it, but eve.json and tls.log are fine now.