output-json-tls: don't log as "resumed" without ServerHello

Don't log a session as "resumed" if a ServerHello record has not been
seen. This makes sure that incomplete TLS sessions where the ClientHello
contains a session ticket, is not logged as a session resumption.

diff --git a/src/output-json-tls.c b/src/output-json-tls.c
index 1f7f909b967b3aaee6c13d446723e09eb46077a4..68f87dcad8c8a96f2830b64172c0a837cfb948a5 100644 (file)
--- a/src/output-json-tls.c
+++ b/src/output-json-tls.c
@@ -135,6 +135,7 @@ static void JsonTlsLogSessionResumed(json_t *js, SSLState *ssl_state)
            been seen, and the session is not TLSv1.3 or later. */
         if ((ssl_state->server_connp.cert0_issuerdn == NULL &&
                ssl_state->server_connp.cert0_subject == NULL) &&
+               (ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) &&
                ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) {
             json_object_set_new(js, "session_resumed", json_boolean(true));
         }