Bug #7016
opentls: hello retry request handling issues
Description
Seeing ALERT: SURICATA TLS multiple SNI extensions after a client hello retry.
Also: version undetermined.
Updated by Victor Julien about 1 year ago
- Related to Bug #6634: tls: Invalid ja3 due to double client hello added
Updated by Philippe Antoine 15 days ago
- Related to Bug #7685: tls: Invalid ja4 due to double client hello added
Updated by Philippe Antoine 9 days ago
I do not reproduce with current master 1a13244b4b6a79dc30ff5a83bf5d1ce210352465 and ./src/suricata -c suricata.yaml -k none -S rules/tls-events.rules -l log -r 2230016-1715022109-192.168.0.34-59785-20.150.125.193-443.pcap
And ja4 matches the one from Wireshark...
Updated by Philippe Antoine 9 days ago
And I do see the alert "SURICATA TLS multiple SNI extensions" on suricata-verify/tests/tls-duplicate-hello/input.pcap as I should
Updated by Victor Julien 8 days ago
I don't think the multiple SNI warning is correct here. It is meant for detecting multiple SNIs in a client hello, not this valid case where we get 2 client hellos.
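The distinction drawn in the last comment, as an added example that is not part of the ticket and not Suricata's code (written in Python for brevity): SNI extensions are counted inside each ClientHello, so a retried hello that repeats its single SNI is not flagged, while one hello carrying two SNI extensions is. The helper names and the ClientHello bytes are constructed for illustration.

```python
import struct

EXT_SERVER_NAME = 0   # server_name extension type (RFC 6066)
EXT_KEY_SHARE = 51    # key_share extension type (RFC 8446)


def build_client_hello(ext_types):
    """Constructed sample: minimal ClientHello body; extension payloads left empty."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    return (b"\x03\x03" + bytes(32)      # legacy_version, random
            + b"\x00"                    # empty legacy_session_id
            + b"\x00\x02\x13\x01"        # one cipher suite
            + b"\x01\x00"                # null compression only
            + struct.pack("!H", len(exts)) + exts)


def extension_types(hello):
    """Walk one ClientHello body and return its extension types in order."""
    off = 2 + 32                                         # version + random
    off += 1 + hello[off]                                # session id
    off += 2 + struct.unpack_from("!H", hello, off)[0]   # cipher suites
    off += 1 + hello[off]                                # compression methods
    (total,) = struct.unpack_from("!H", hello, off)
    off += 2
    end = off + total
    if end > len(hello):
        raise ValueError("extensions block runs past end of ClientHello")
    types = []
    while off < end:
        if off + 4 > end:
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack_from("!HH", hello, off)
        off += 4 + elen
        if off > end:
            raise ValueError("extension data runs past extensions block")
        types.append(etype)
    return types


def sni_counts(client_hellos):
    """Return (per-hello SNI counts, flow-wide SNI total) for one connection."""
    per_hello = [extension_types(h).count(EXT_SERVER_NAME) for h in client_hellos]
    return per_hello, sum(per_hello)


def multiple_sni_flags(client_hellos):
    """True only for a ClientHello that itself carries more than one SNI extension."""
    return [n > 1 for n in sni_counts(client_hellos)[0]]
```

For the retry case the flow-wide total is 2 even though each hello has exactly one SNI, which is why the count has to be scoped to a single ClientHello.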