Project

General

Profile

Actions

Bug #4657

open

SSLv2 app-layer detection patterns incorrectly registered

Added by Gianni Tedesco about 3 years ago. Updated 5 months ago.

Status:
New
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
C

Description

The SSLv2 record format starts with 2 byte length, then it has a 1 byte
message-type field set to |01| for the client handshake, then a 2 byte
protocol version.

The SSLv3 record format (in use with modern TLS) starts with the
message-type of |16| and then the protocol, followed by the length.

This means that several of the patterns in the SSL app-layer detection
code are incorrect because they're looking in the wrong place in the
packet.

They should be looking at offset 2, depth 5. Not offset 0, depth 3.

Actions

Also available in: Atom PDF