Project

General

Profile

Actions
Copy link

Bug #7016

open

tls: hello retry request handling issues

Added by Victor Julien about 1 year ago. Updated 8 days ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
Effort:
Difficulty:
Label:

Description

Seeing ALERT: SURICATA TLS multiple SNI extensions after a client hello retry.

Also: version undetermined.

Files

Download all files
2230016-1715022109-192.168.0.34-59785-20.150.125.193-443.pcap (5.19 MB) 2230016-1715022109-192.168.0.34-59785-20.150.125.193-443.pcap Victor Julien, 05/07/2024 06:17 PM
clipboard-202405072022-mdl7k.png (100 KB) clipboard-202405072022-mdl7k.png Victor Julien, 05/07/2024 06:23 PM

Related issues 2 (0 open2 closed)

Related to Suricata - Bug #6634: tls: Invalid ja3 due to double client helloClosedPhilippe AntoineActions
Related to Suricata - Bug #7685: tls: Invalid ja4 due to double client helloRejectedOISF DevActions
Actions
Copy link
 #1

Updated by Victor Julien about 1 year ago

  • Related to Bug #6634: tls: Invalid ja3 due to double client hello added
Actions
Copy link
 #2

Updated by Philippe Antoine 15 days ago

  • Related to Bug #7685: tls: Invalid ja4 due to double client hello added
Actions
Copy link
 #3

Updated by Philippe Antoine 9 days ago

I do not reproduce with current master 1a13244b4b6a79dc30ff5a83bf5d1ce210352465 and
./src/suricata -c suricata.yaml -k none -S rules/tls-events.rules -l log -r 2230016-1715022109-192.168.0.34-59785-20.150.125.193-443.pcap

And ja4 matches the one from Wireshark...

Actions
Copy link
 #4

Updated by Philippe Antoine 9 days ago

And I see well the alert "SURICATA TLS multiple SNI extensions" on suricata-verify/tests/tls-duplicate-hello/input.pcap as I should

Actions
Copy link
 #5

Updated by Victor Julien 8 days ago

I don't think the multiple SNI warning is correct here. It is meant for detecting multiple sni's in a client hello, not this valid case where we get 2 client hello's.

Actions
Copy link

Also available in: Atom PDF