tls: avoid tls.invalid_handshake_message FP

Don't set TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE event on encrypted
handshake messages.

diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index 31ff59fc20fec95fb8a105586f0af1ac1f3b45bf..b5b113c202a1c79cbcfc1ef0d5eb6414ce2411f4 100644 (file)
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -1635,7 +1635,13 @@ static int SSLv3ParseHandshakeProtocol(SSLState *ssl_state, const uint8_t *input
             input_len -= avail_record_len;
 
             SSLParserHSReset(ssl_state->curr_connp);
-            SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE);
+
+            if ((direction && (ssl_state->flags & SSL_AL_FLAG_SERVER_CHANGE_CIPHER_SPEC)) ||
+                    (!direction && (ssl_state->flags & SSL_AL_FLAG_CLIENT_CHANGE_CIPHER_SPEC))) {
+                // after Change Cipher Spec we get Encrypted Handshake Messages
+            } else {
+                SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE);
+            }
             continue;
         }