Bug #7016

open

tls: hello retry request handling issues

Added by Victor Julien about 1 year ago. Updated 8 days ago.

Status: New
Priority: Normal

Description

Seeing ALERT: SURICATA TLS multiple SNI extensions after a client hello retry.

Also: version undetermined.


Related issues 2 (0 open, 2 closed)

Related to Suricata - Bug #6634: tls: Invalid ja3 due to double client hello (Closed, Philippe Antoine)
Related to Suricata - Bug #7685: tls: Invalid ja4 due to double client hello (Rejected, OISF Dev)
Actions #1

Updated by Victor Julien about 1 year ago

  • Related to Bug #6634: tls: Invalid ja3 due to double client hello added
Actions #2

Updated by Philippe Antoine 15 days ago

  • Related to Bug #7685: tls: Invalid ja4 due to double client hello added
Actions #3

Updated by Philippe Antoine 9 days ago

I do not reproduce with current master 1a13244b4b6a79dc30ff5a83bf5d1ce210352465 and
./src/suricata -c suricata.yaml -k none -S rules/tls-events.rules -l log -r 2230016-1715022109-192.168.0.34-59785-20.150.125.193-443.pcap

And ja4 matches the one from Wireshark...

Actions #4

Updated by Philippe Antoine 9 days ago

And I do see the alert "SURICATA TLS multiple SNI extensions" on suricata-verify/tests/tls-duplicate-hello/input.pcap, as I should

Actions #5

Updated by Victor Julien 8 days ago

I don't think the multiple SNI warning is correct here. It is meant for detecting multiple SNIs in a client hello, not this valid case where we get 2 client hellos.
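
Added example, not part of the thread and not Suricata's code: a Python sketch that contrasts a flow-wide SNI counter with one reset per ClientHello, run over constructed ClientHello bodies with empty extension payloads. The function names and the `per_flow` switch are hypothetical and make no claim about how Suricata implements the check.

```python
import struct

SNI = 0x0000  # server_name extension type (RFC 6066)

def build_client_hello(ext_types):
    """Constructed ClientHello body with empty extension payloads (test input only)."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    return (b"\x03\x03" + bytes(32)      # legacy_version + random
            + b"\x00"                    # empty legacy_session_id
            + b"\x00\x02\x13\x01"        # one cipher suite
            + b"\x01\x00"                # null compression
            + struct.pack("!H", len(exts)) + exts)

def extension_types(body):
    """Return the extension types of one ClientHello body; ValueError if malformed."""
    def take(pos, n):
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        return body[pos:pos + n], pos + n
    _, pos = take(0, 34)                 # skip version + random
    for width in (1, 2, 1):              # session_id, cipher_suites, compression
        raw, pos = take(pos, width)
        _, pos = take(pos, int.from_bytes(raw, "big"))
    raw, pos = take(pos, 2)
    end, types = pos + int.from_bytes(raw, "big"), []
    while pos < end:
        hdr, pos = take(pos, 4)
        ext_type, ext_len = struct.unpack("!HH", hdr)
        _, pos = take(pos, ext_len)
        types.append(ext_type)
    if pos != end:
        raise ValueError("extension overruns extensions block")
    return types

def multiple_sni_hellos(hellos, per_flow):
    """Indexes of ClientHellos at which a 'multiple SNI' check would fire.
    per_flow=True keeps one counter for the flow; False resets it per message."""
    flagged, seen = [], 0
    for i, body in enumerate(hellos):
        if not per_flow:
            seen = 0
        seen += extension_types(body).count(SNI)
        if seen > 1:
            flagged.append(i)
    return flagged

# Constructed flow: ClientHello, then the retried ClientHello sent after a HelloRetryRequest.
FIRST = build_client_hello([SNI, 0x002b, 0x0033])          # + supported_versions, key_share
RETRY = build_client_hello([SNI, 0x002b, 0x0033, 0x002c])  # same, plus cookie
DUPLICATE = build_client_hello([SNI, SNI])                 # two SNIs in one hello
```

With the per-message counter, the retried ClientHello is not flagged, while a single ClientHello carrying two SNI extensions still is.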
