Project

General

Profile

Actions
Copy link

Bug #6634

closed
EL PA

tls: Invalid ja3 due to double client hello

Bug #6634: tls: Invalid ja3 due to double client hello

Added by Eric Leblond over 2 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
8.0.0-beta1
Affected Versions:
6.0.14, 7.0.1
Effort:
medium
Difficulty:
Label:

Description

Stamus Networks team has discovered some weird TLS connections happening in real networks. These connections are not respecting the TLS RFCs as the client sends 2 hello messages (one in TLS 1.2 and the other one in TLS v1.3) but the server does not care and answer any way.

The result is surprising as the ja_string ends up to compose of 9 commas separated elements and as a result the ja3 hash is not computed on one or the other of the hello message.

Subtasks 1 (0 open1 closed)

Bug #7239: tls: Invalid ja3 due to double client hello (7.0.x backport)ClosedPhilippe AntoineActions

Related issues 3 (1 open2 closed)

Related to Suricata - Bug #7016: tls: hello retry request handling issuesNewOISF DevActions
Related to Suricata - Bug #7256: ja3: Error: ja3: Buffer should not be NULLClosedPhilippe AntoineActions
Copied to Suricata - Bug #7685: tls: Invalid ja4 due to double client helloRejectedOISF DevActions
Actions
Copy link

Also available in: PDF Atom