Bug #6634
closedtls: Invalid ja3 due to double client hello
Description
Stamus Networks team has discovered some weird TLS connections happening in real networks. These connections are not respecting the TLS RFCs as the client sends 2 hello messages (one in TLS 1.2 and the other one in TLS v1.3) but the server does not care and answer any way.
The result is surprising as the ja_string ends up to compose of 9 commas separated elements and as a result the ja3 hash is not computed on one or the other of the hello message.
Updated by Eric Leblond about 1 year ago
- Affected Versions 7.0.1 added
- Affected Versions deleted (
7.0.0)
Updated by Eric Leblond about 1 year ago
Updated by Victor Julien almost 1 year ago
Can you share a pcap / SV test for this?
Updated by Gianni Tedesco 9 months ago
Can confirm we are seeing exactly this problem on approx 0.005% of TLS sessions
Updated by Gianni Tedesco 9 months ago
I am also seeing a case where only two fields are being output, this also seems invalid: "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53"
Updated by Gianni Tedesco 9 months ago
And another discrepancy, which I am not sure about and investigating a bit more is that, sometimes the EVE JSON reports "TLS 1.3", but both ja3-strings are saying 771 (TLS 1.2). Not sure why this is.
Updated by Victor Julien 8 months ago
- Related to Bug #7016: tls: hello retry request handling issues added
Updated by Victor Julien 8 months ago
- Subject changed from Invalid ja3 due to double client hello to tls: Invalid ja3 due to double client hello
Updated by Philippe Antoine 4 months ago
Gianni Tedesco wrote in #note-5:
I am also seeing a case where only two fields are being output, this also seems invalid: "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53"
I can see one path where it happens :
Do you have TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH
in these cases @Giuseppe Longo ?
Updated by Philippe Antoine 4 months ago
- Status changed from In Progress to In Review
- Assignee changed from Eric Leblond to Philippe Antoine
- Target version changed from TBD to 8.0.0-beta1
Updated by Philippe Antoine 4 months ago
- Status changed from In Review to Resolved
Updated by Philippe Antoine 4 months ago
- Status changed from Resolved to Closed
Updated by Philippe Antoine 3 months ago
- Related to Bug #7256: ja3: Error: ja3: Buffer should not be NULL added