Forgot the details. Four custom-built VPN clients, one for each major device (Android, iOS, Mac and Windows), connect to the SoftEther VPN server over OpenVPN or L2TP/IPsec. On a side note, SoftEther taps the eth0 card, creating a virtual tunnel, but we've noticed Suricata doesn't care when running NFQ. The tap allows the DHCP server to hand out class B IP addresses to each client. We need it so we can track the user base. We then use Suricata to protect the device's VPN connection from the following: compromised IPs, malware, blacklisted SSLs, and self-signed certificates. We have the first three working.
We use eve-json to match the CN to the issuer name. If they match, the cert is self-signed, so we create a live rule swap for subsequent traffic. Thanks for fixing the memory leak, btw. What's happening during our tests is Suricata gets a full restart, records the first few TLS transmissions, and after that nada. We thought it might be rule based, but we set up a rule to look for tls.version:1.2. Still no logs.
We can send you our YAML and firewall rules, but maybe you can check it out for yourself. Fire up a Suricata session, browse to any of the really bad sites in the ssllabs.com link, and see if you can get Suricata to generate logs.
Suricata does its job; we're just taking it in a different direction. If this is a dead end we'll start looking at LuaJIT running OpenSSL queries against the bad IP address. Our users rarely visit self-signed sites, so we think it can handle it.
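The subject-equals-issuer check and the rule generation described in this post, written out as an added example (not code from the poster or from the Suricata project). It reads EVE JSON lines, keeps only `event_type: tls` records, compares the full subject DN against `issuerdn` (component order ignored, so the check is broader than a plain CN string compare), and emits one `tls.fingerprint` rule per distinct self-signed certificate. The log lines, IPs, fingerprints and the sid range starting at 9000000 are all constructed placeholders; the EVE field names (`tls.subject`, `tls.issuerdn`, `tls.fingerprint`, `tls.version`) are the ones Suricata's TLS logger emits.

```python
import json
from typing import Iterable, Iterator

# Constructed sample eve.json lines (not captured from a real sensor). Field names follow
# Suricata's EVE TLS logger; every value below is made up for the example.
SAMPLE_EVE_LINES = [
    # self-signed: subject and issuer carry the same DN, only the component order differs
    json.dumps({"event_type": "tls", "src_ip": "172.16.4.20", "dest_ip": "203.0.113.10",
                "tls": {"subject": "CN=selfsigned.example.test, O=Example Lab",
                        "issuerdn": "O=Example Lab, CN=selfsigned.example.test",
                        "fingerprint": "aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd",
                        "version": "TLS 1.2"}}),
    # properly chained leaf certificate: issuer differs from subject, must not alert
    json.dumps({"event_type": "tls", "src_ip": "172.16.4.21", "dest_ip": "203.0.113.11",
                "tls": {"subject": "CN=www.example.test, O=Example Inc",
                        "issuerdn": "CN=Example Public CA, O=Example Trust",
                        "fingerprint": "11:22:33:44:55:66:77:88:99:00:aa:bb:cc:dd:ee:ff:00:11:22:33",
                        "version": "TLS 1.2"}}),
    # not a TLS record at all, must be skipped
    json.dumps({"event_type": "dns", "src_ip": "172.16.4.22", "dns": {"rrname": "example.test"}}),
    # TLS record logged before the certificate was seen: no subject/issuer yet, must not guess
    json.dumps({"event_type": "tls", "src_ip": "172.16.4.23", "dest_ip": "203.0.113.12",
                "tls": {"version": "TLS 1.2", "sni": "early.example.test"}}),
]


def normalize_dn(dn: str) -> frozenset:
    """Split an X.500 DN string into its attribute=value parts so component order is irrelevant.
    Naive comma split: DNs with escaped commas inside a value would need a real DN parser."""
    return frozenset(part.strip().lower() for part in dn.split(",") if part.strip())


def is_self_signed(tls: dict) -> bool:
    """True when the logged certificate's subject DN equals its issuer DN."""
    subject, issuer = tls.get("subject"), tls.get("issuerdn")
    if not subject or not issuer:
        return False  # handshake not far enough along to have a certificate; no verdict
    return normalize_dn(subject) == normalize_dn(issuer)


def iter_tls_events(lines: Iterable[str]) -> Iterator[dict]:
    """Yield only well-formed EVE records of event_type 'tls'."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial write or rotated-file tail; skip rather than crash the loop
        if event.get("event_type") == "tls" and isinstance(event.get("tls"), dict):
            yield event


def build_rule(tls: dict, sid: int) -> str:
    """Render a Suricata rule that alerts on this exact certificate by SHA-1 fingerprint."""
    fingerprint = tls["fingerprint"].lower()
    # quotes and semicolons would break the rule's msg option, so strip them from the DN
    subject = tls.get("subject", "").replace('"', "").replace(";", "")
    return (f'alert tls any any -> any any (msg:"Self-signed certificate: {subject}"; '
            f'tls.fingerprint:"{fingerprint}"; classtype:policy-violation; sid:{sid}; rev:1;)')


def find_self_signed(lines: Iterable[str], base_sid: int = 9000000) -> list:
    """Scan EVE lines and return one rule per distinct self-signed certificate fingerprint.
    base_sid is a placeholder in the local-use range; pick one that does not clash with your rulesets."""
    rules, seen = [], set()
    for event in iter_tls_events(lines):
        tls = event["tls"]
        if "fingerprint" not in tls or not is_self_signed(tls):
            continue
        fp = tls["fingerprint"].lower()
        if fp in seen:
            continue  # same cert seen again; one rule is enough
        seen.add(fp)
        rules.append(build_rule(tls, base_sid + len(rules)))
    return rules


if __name__ == "__main__":
    for rule in find_self_signed(SAMPLE_EVE_LINES):
        print(rule)
```

The generated rules are meant to be appended to a rules file that Suricata is told to reload, which is the "live rule swap" the post describes. Records without `subject`/`issuerdn` are deliberately left alone rather than treated as suspicious, since Suricata logs a TLS event as soon as it has enough of the handshake and the certificate fields may simply not be present yet; that is also the first thing to check when a sensor logs a few TLS records and then goes quiet.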