Bug #1560

closed

Newline in certificate subject name results in premature line break in TLS log

Added by Ray Ruvinskiy about 7 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal

Description

An example is the site https://25livepub.collegenet.com/CollegeNET/, whose certificate has a newline embedded in the address field of the subject name. When I view the certificate in Safari, I see "805 SW Broadway%0D%0ASuite 1600" for the address. In the Suricata TLS log, this newline is not escaped and results in the log line being split into two:

10.0.0.1:49396 -> 74.122.104.133:443  TLS: Subject='C=US, unknown=97205, ST=OR, L=Portland, unknown=805 SW Broadway#015
Suite 1600, O=CollegeNET, OU=IT, OU=Gandi Pro SSL, CN=25livepub.collegenet.com' Issuerdn='C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Pro SSL CA 2' SHA1='9f:50:03:e2:f4:62:45:4d:69:88:4d:76:21:5f:6f:bc:bf:58:f9:e0' VERSION='TLS 1.2'

Is there a good/natural place in the code where the newline can be escaped?

Actions #1

Updated by Andreas Herz about 6 years ago

  • Assignee set to Mats Klepsland
  • Target version set to TBD

Mats, can you look into that?

Actions #2

Updated by Andreas Herz over 3 years ago

  • Status changed from New to Closed

I tried to reproduce it, but eve.json and tls.log are fine now.
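
The failure mode reported in this ticket, shown as an added example that is neither Suricata's code nor part of the ticket: a C helper (hypothetical name `escape_log_field`) that writes control bytes, non-ASCII bytes, the single quote and the backslash as `\xNN` before a certificate field goes into a line-oriented log. The `\xNN` notation is an assumption chosen for this example, and the sample subject is constructed from the values in the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not a Suricata API.
 * Copies src into dst, replacing every byte that could break a
 * "Key='value'" log line with \xNN:
 *   - control bytes (CR, LF, NUL, ...) would split or truncate the line
 *   - the single quote would close the field early
 *   - the backslash is escaped so the encoding stays unambiguous
 *   - bytes above 0x7e are escaped to keep the log plain ASCII
 * Returns the length written (without the NUL), or -1 if dst is too small. */
int escape_log_field(const unsigned char *src, size_t src_len,
                     char *dst, size_t dst_size)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (dst_size == 0)
        return -1;
    for (size_t i = 0; i < src_len; i++) {
        unsigned char c = src[i];
        int esc = (c < 0x20 || c > 0x7e || c == '\\' || c == '\'');
        size_t need = esc ? 4 : 1;

        if (o + need + 1 > dst_size)   /* keep room for the NUL */
            return -1;
        if (esc) {
            dst[o++] = '\\';
            dst[o++] = 'x';
            dst[o++] = hex[c >> 4];
            dst[o++] = hex[c & 0x0f];
        } else {
            dst[o++] = (char)c;
        }
    }
    dst[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample: subject with CR LF inside the address field. */
    const char *subject = "L=Portland, unknown=805 SW Broadway\r\nSuite 1600, O=CollegeNET";
    char safe[512];

    if (escape_log_field((const unsigned char *)subject, strlen(subject), safe, sizeof(safe)) < 0)
        return 1;
    printf("TLS: Subject='%s'\n", safe);   /* one record stays on one line */
    return 0;
}
```

The helper takes an explicit length rather than relying on NUL termination, so a NUL byte embedded in a certificate field is escaped instead of silently cutting the value short.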
