Project

General

Profile

Actions
Copy link

Bug #4657

open

SSLv2 app-layer detection patterns incorrectly registered

Added by Gianni Tedesco almost 4 years ago. Updated about 1 month ago.

Status:
In Progress
Priority:
Normal
Assignee:
Gianni Tedesco
Target version:
TBD
Affected Versions:
8.0.0
Effort:
Difficulty:
Label:
C

Description

The SSLv2 record format starts with 2 byte length, then it has a 1 byte
message-type field set to |01| for the client handshake, then a 2 byte
protocol version.

The SSLv3 record format (in use with modern TLS) starts with the
message-type of |16| and then the protocol, followed by the length.

This means that several of the patterns in the SSL app-layer detection
code are incorrect because they're looking in the wrong place in the
packet.

They should be looking at offset 2, depth 5. Not offset 0, depth 3.

Actions
Copy link
 #1

Updated by Philippe Antoine about 1 year ago

  • Target version set to TBD
Actions
Copy link
 #3

Updated by Philippe Antoine about 2 months ago

  • Status changed from New to Rejected
  • Affected Versions 8.0.0 added
  • Affected Versions deleted (6.0.3)

Ok, I see the bug

This is only for SSLv2 client hello requiring a version update to SSLv3 or TLS1.x

SV PR does not trigger it because of probing parser activated on port 443 and because we need to see only the client hello (otherwise we recognize the server hello anyways)

Actions
Copy link
 #4

Updated by Philippe Antoine about 2 months ago

  • Status changed from Rejected to In Progress
Actions
Copy link

Also available in: Atom PDF