[Bro-Dev] [JIRA] (BIT-1178) SSL/TLS analyzer does not abort early enough on non-ssl connections

Bernhard Amann (JIRA) jira at bro-tracker.atlassian.net
Wed Apr 9 10:12:07 PDT 2014

    [ https://bro-tracker.atlassian.net/browse/BIT-1178?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16108#comment-16108 ] 

Bernhard Amann commented on BIT-1178:

I looked at this a bit yesterday and...
the TLS analyzer has a few other small problems that I would like to fix before the next release.

To make a short list, so I don't forget anything:
* DPD might not work reliably with TLSv1.2
* The TLS state machine does not work reliably with anything that is not plain HTTPS. Even in HTTPS cases it will not always manage the full transition to encrypted state. This also means that the ssl-established event will not fire in quite a big chunk of cases where the TLS connection is already established.
* Due to state machine issues, a few other events misfire; we can e.g. get alert events with encrypted alert values that make no sense.
* The TLS protocol version detection in the analyzer seems to be broken-ish. I have quite a few traces that are not categorized correctly as TLS. This is a problem in master at the moment, because the TLS connection will more or less be ignored.
* Not aborting early enough for some connections is also a problem.

> SSL/TLS analyzer does not abort early enough on non-ssl connections
> -------------------------------------------------------------------
>                 Key: BIT-1178
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1178
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Bernhard Amann
>            Assignee: Bernhard Amann
>             Fix For: 2.3
> Some sites see quite a bit of non-ssl traffic on port 443. At the moment, the SSL analyzer manages to parse quite a lot of this non-ssl traffic and generates ssl-events for it (including sending things to the certificate analyzer which generates warnings).
> We should probably try to abort much earlier.

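The "abort much earlier" idea from the ticket, as an added example that is neither part of the comment above nor Bro's own analyzer code: a check on the first client bytes of a connection on a TLS port that rejects anything which cannot be the start of an SSL/TLS client flight (plaintext HTTP or SSH on port 443, implausible record versions or lengths, a first handshake message that is not a ClientHello) before any SSL events or certificate processing would be triggered. The heuristic, the function names and the sample inputs are mine; the TLS constants are from the record and handshake layouts in RFC 5246. The TLSv1.2 sample deliberately uses a 0x0301 record version with a 0x0303 client_version, since that mismatch is one reason version detection keyed on the record header alone goes wrong.

```python
# Added example (not Bro/Zeek project code): early-abort check for the first
# client bytes on a TLS port. Heuristic, names and sample inputs are assumptions.
import struct

TLS_HANDSHAKE = 0x16            # record-layer content type for handshake messages
TLS_CLIENT_HELLO = 0x01         # handshake message type
MAX_RECORD_LEN = 2 ** 14        # TLSPlaintext fragment limit (RFC 5246, 6.2.1)
MIN_CLIENT_HELLO_BODY = 41      # version + random + sid len + >=1 suite + >=1 comp
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def classify_client_first_bytes(data: bytes):
    """Decide from the first client bytes whether an SSL/TLS analyzer should keep going.

    Returns (None, reason) when more data is needed, (False, reason) when the bytes
    cannot start an SSL/TLS session (abort now, generate no SSL events), and
    (True, label) when they look like a ClientHello.
    """
    if len(data) < 5:
        return None, "need at least 5 bytes"

    # SSLv2-compatible ClientHello: 2-byte length with the high bit set, then
    # message type 1 and the highest version the client is willing to speak.
    if data[0] & 0x80:
        if data[2] != TLS_CLIENT_HELLO:
            return False, "SSLv2 framing but not a CLIENT-HELLO"
        version = struct.unpack("!H", data[3:5])[0]
        label = TLS_VERSIONS.get(version, "SSLv2")
        return True, f"SSLv2-compatible ClientHello offering {label}"

    content_type, rec_version, rec_len = struct.unpack("!BHH", data[:5])
    if content_type != TLS_HANDSHAKE:
        return False, "not an SSL/TLS handshake record"
    # The record version is not the negotiated version (a TLSv1.2 ClientHello is
    # commonly sent in a 0x0301 record), so it is only sanity-checked here.
    if rec_version not in TLS_VERSIONS:
        return False, f"implausible record version 0x{rec_version:04x}"
    if rec_len == 0 or rec_len > MAX_RECORD_LEN:
        return False, f"implausible record length {rec_len}"
    if len(data) < 11:
        return None, "need handshake header and client_version"

    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    client_version = struct.unpack("!H", data[9:11])[0]
    if hs_type != TLS_CLIENT_HELLO:
        return False, f"first handshake message type {hs_type} is not ClientHello"
    # A ClientHello may be fragmented over several records, so hs_len can exceed
    # this record; it can never be shorter than the fixed ClientHello fields.
    if hs_len < MIN_CLIENT_HELLO_BODY:
        return False, f"ClientHello body too short ({hs_len} bytes)"
    if client_version not in TLS_VERSIONS:
        return False, f"implausible client_version 0x{client_version:04x}"
    return True, f"{TLS_VERSIONS[client_version]} ClientHello"


def build_client_hello(client_version: int, record_version: int = 0x0301) -> bytes:
    """Constructed sample input: a minimal well-formed ClientHello offering one
    cipher suite (0x002f, TLS_RSA_WITH_AES_128_CBC_SHA) and null compression."""
    body = struct.pack("!H", client_version) + b"\x00" * 32   # version + zeroed "random"
    body += b"\x00"                                            # empty session id
    body += b"\x00\x02" + b"\x00\x2f"                          # one cipher suite
    body += b"\x01\x00"                                        # one compression method
    handshake = bytes([TLS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, record_version, len(handshake)) + handshake


# Constructed samples of what a sensor sees on port 443 (not captured traffic).
SAMPLES = {
    "tls12 hello": build_client_hello(0x0303),
    "tls10 hello": build_client_hello(0x0301),
    "sslv2 compat": b"\x80\x2e\x01\x03\x01\x00\x15\x00\x00\x00\x10",
    "server hello": b"\x16\x03\x01\x00\x10\x02\x00\x00\x0c\x03\x03",
    "http on 443": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "ssh on 443": b"SSH-2.0-OpenSSH_6.6\r\n",
    "bad version": b"\x16\x07\x00\x00\x30\x01\x00\x00\x2c\x07\x00",
    "too short": b"\x16\x03\x01",
}


def triage(samples=SAMPLES):
    """Run the check over every sample; a real analyzer would abort on False."""
    return {name: classify_client_first_bytes(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:13s} -> {verdict}")
```

The check needs at most the first 11 bytes, so an analyzer can make its decision on the first client packet and signal a protocol violation right there, instead of feeding garbage through the handshake parser and on to the certificate analyzer.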