Bug #7016
open
tls: hello retry request handling issues
Added by Victor Julien about 1 year ago.
Updated 9 days ago.
Description
Seeing ALERT: SURICATA TLS multiple SNI extensions after a client hello retry.
Also: version undetermined.

- Related to Bug #6634: tls: Invalid ja3 due to double client hello added
- Related to Bug #7685: tls: Invalid ja4 due to double client hello added
I do not reproduce with current master 1a13244b4b6a79dc30ff5a83bf5d1ce210352465 and
./src/suricata -c suricata.yaml -k none -S rules/tls-events.rules -l log -r 2230016-1715022109-192.168.0.34-59785-20.150.125.193-443.pcap
And ja4 matches the one from Wireshark...
And I do see the alert "SURICATA TLS multiple SNI extensions" on suricata-verify/tests/tls-duplicate-hello/input.pcap, as I should.
I don't think the multiple SNI warning is correct here. It is meant for detecting multiple SNIs in a client hello, not this valid case where we get 2 client hellos.
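
The distinction drawn in the last comment, as an added example that is not part of the ticket and is not Suricata's code: server_name extensions counted per ClientHello versus carried across the connection. The per-connection mode is an assumption used to illustrate how a hello retry could trip the event, not a statement of where the bug lies; all function names and sample messages are constructed.

```python
import struct

SNI_EXT = 0x0000  # server_name extension type (RFC 6066)

def build_client_hello(ext_types):
    """Constructed ClientHello handshake message; extension bodies are left empty."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    body = (b"\x03\x03" + bytes(32)      # legacy_version, random
            + b"\x00"                    # empty legacy_session_id
            + b"\x00\x02\x13\x01"        # one cipher suite
            + b"\x01\x00"                # null compression
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def count_sni(hello):
    """Return the number of server_name extensions in one ClientHello."""
    if len(hello) < 4 or hello[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    body = hello[4:4 + int.from_bytes(hello[1:4], "big")]
    try:
        pos = 34                                             # version + random
        pos += 1 + body[pos]                                 # session id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher suites
        pos += 1 + body[pos]                                 # compression methods
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    if end > len(body):
        raise ValueError("extensions overrun the message")
    pos, count = pos + 2, 0
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        count += ext_type == SNI_EXT
        pos += 4 + ext_len
    return count

def multiple_sni_events(hellos, per_message=True):
    """Indices of ClientHellos that trigger the event under the chosen scope."""
    events, carried = [], 0
    for i, hello in enumerate(hellos):
        # Assumed failure mode: the count from an earlier hello is not reset.
        seen = count_sni(hello) + (0 if per_message else carried)
        if seen > 1:
            events.append(i)
        carried = seen
    return events

# Constructed flows: a hello retry exchange (second hello adds cookie, type 44)
RETRY_FLOW = [build_client_hello([0, 43, 51]), build_client_hello([0, 43, 51, 44])]
DUPLICATE_SNI = [build_client_hello([0, 0, 43])]
```
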