Project

General

Profile

Actions

Bug #6634

closed

tls: Invalid ja3 due to double client hello

Added by Eric Leblond about 1 year ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
medium
Difficulty:
Label:

Description

Stamus Networks team has discovered some weird TLS connections happening in real networks. These connections are not respecting the TLS RFCs as the client sends 2 hello messages (one in TLS 1.2 and the other one in TLS v1.3) but the server does not care and answer any way.

The result is surprising as the ja_string ends up to compose of 9 commas separated elements and as a result the ja3 hash is not computed on one or the other of the hello message.


Subtasks 1 (0 open1 closed)

Bug #7239: tls: Invalid ja3 due to double client hello (7.0.x backport)ClosedPhilippe AntoineActions

Related issues 2 (1 open1 closed)

Related to Suricata - Bug #7016: tls: hello retry request handling issuesNewOISF DevActions
Related to Suricata - Bug #7256: ja3: Error: ja3: Buffer should not be NULLClosedPhilippe AntoineActions
Actions #1

Updated by Eric Leblond about 1 year ago

  • Affected Versions 7.0.1 added
  • Affected Versions deleted (7.0.0)
Actions #3

Updated by Victor Julien about 1 year ago

Can you share a pcap / SV test for this?

Actions #4

Updated by Gianni Tedesco 10 months ago

Can confirm we are seeing exactly this problem on approx 0.005% of TLS sessions

Actions #5

Updated by Gianni Tedesco 9 months ago

I am also seeing a case where only two fields are being output, this also seems invalid: "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53"

Actions #6

Updated by Gianni Tedesco 9 months ago

And another discrepancy, which I am not sure about and investigating a bit more is that, sometimes the EVE JSON reports "TLS 1.3", but both ja3-strings are saying 771 (TLS 1.2). Not sure why this is.

Actions #7

Updated by Victor Julien 8 months ago

  • Related to Bug #7016: tls: hello retry request handling issues added
Actions #8

Updated by Victor Julien 8 months ago

  • Subject changed from Invalid ja3 due to double client hello to tls: Invalid ja3 due to double client hello
Actions #9

Updated by Philippe Antoine 4 months ago

Gianni Tedesco wrote in #note-5:

I am also seeing a case where only two fields are being output, this also seems invalid: "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53"

I can see one path where it happens :
Do you have TLS_DECODER_EVENT_HANDSHAKE_INVALID_LENGTH in these cases @Giuseppe Longo ?

Actions #10

Updated by Philippe Antoine 4 months ago

  • Status changed from In Progress to In Review
  • Assignee changed from Eric Leblond to Philippe Antoine
  • Target version changed from TBD to 8.0.0-beta1
Actions #11

Updated by Philippe Antoine 4 months ago

  • Label Needs backport to 7.0 added
Actions #12

Updated by OISF Ticketbot 4 months ago

  • Subtask #7239 added
Actions #13

Updated by OISF Ticketbot 4 months ago

  • Label deleted (Needs backport to 7.0)
Actions #14

Updated by Philippe Antoine 4 months ago

  • Status changed from In Review to Resolved
Actions #15

Updated by Philippe Antoine 4 months ago

  • Status changed from Resolved to Closed
Actions #16

Updated by Philippe Antoine 3 months ago

  • Related to Bug #7256: ja3: Error: ja3: Buffer should not be NULL added
Actions

Also available in: Atom PDF