tls: leading GAP in toserver direction leads to various issues
Attached is a pcap from https://github.com/OISF/suricata-verify/tree/master/tests/tls-ja3s, but with the first data segment to the server (the client hello) removed.This leads to various issues:
- flow logging
app_protoas "failed", even if
- no TLS logging or inspection
- no GAP detected
- app-layer event
The parser does not support GAPs or first data into the toclient direction. Since the leading GAP isn't detected (in time), the first data sent to the parser is in the toclient direction. This is then rejected and leads to the event and failure state for the flow.