Project

General

Profile

Actions

Bug #6634

closed

tls: Invalid ja3 due to double client hello

Added by Eric Leblond about 1 year ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
medium
Difficulty:
Label:

Description

Stamus Networks team has discovered some weird TLS connections happening in real networks. These connections are not respecting the TLS RFCs as the client sends 2 hello messages (one in TLS 1.2 and the other one in TLS v1.3) but the server does not care and answer any way.

The result is surprising as the ja_string ends up to compose of 9 commas separated elements and as a result the ja3 hash is not computed on one or the other of the hello message.


Subtasks 1 (0 open1 closed)

Bug #7239: tls: Invalid ja3 due to double client hello (7.0.x backport)ClosedPhilippe AntoineActions

Related issues 2 (1 open1 closed)

Related to Suricata - Bug #7016: tls: hello retry request handling issuesNewOISF DevActions
Related to Suricata - Bug #7256: ja3: Error: ja3: Buffer should not be NULLClosedPhilippe AntoineActions
Actions

Also available in: Atom PDF