Actions
Bug #4917
opentls: leading GAP in toserver direction leads to various issues
Affected Versions:
Effort:
Difficulty:
Label:
Description
Attached is a pcap from https://github.com/OISF/suricata-verify/tree/master/tests/tls-ja3s, but with the first data segment to the server (the client hello) removed.
This leads to various issues:- flow logging
app_proto
as "failed", even ifapp_proto_tc
is "tls". - no TLS logging or inspection
- no GAP detected
- app-layer event
applayer_wrong_direction_first_data
triggering
The parser does not support GAPs or first data into the toclient direction. Since the leading GAP isn't detected (in time), the first data sent to the parser is in the toclient direction. This is then rejected and leads to the event and failure state for the flow.
Files
Updated by Victor Julien about 3 years ago
- Related to Task #3560: ssl/tls: support GAP recovery added
Updated by Victor Julien about 3 years ago
- Related to Task #3553: Tracking: enable GAP recovery for all TCP app-layer protocols added
Updated by Victor Julien 23 days ago
- Related to Bug #7238: applayer: protocol flows are miscounted in case of error added
Actions