From: Mats Klepsland
Date: Fri, 21 Sep 2018 06:03:26 +0000 (+0200)
Subject: tlslog: don't log as "resumed" without ServerHello
X-Git-Tag: suricata-4.1.0-rc2~31
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8c3f1aa7a5735bd92d410c19ff7898aa05502079;p=thirdparty%2Fsuricata.git

tlslog: don't log as "resumed" without ServerHello

Don't log a session as "resumed" if a ServerHello record has not been seen. This makes sure that incomplete TLS sessions where the ClientHello contains a session ticket are not logged as a session resumption.
---
diff --git a/src/log-tlslog.c b/src/log-tlslog.c index 9ee272611c..b9518aeaf1 100644 --- a/src/log-tlslog.c +++ b/src/log-tlslog.c @@ -475,6 +475,7 @@ static int LogTlsLogger(ThreadVars *tv, void *thread_data, const Packet *p, been seen. */ if ((ssl_state->server_connp.cert0_issuerdn == NULL) && (ssl_state->server_connp.cert0_subject == NULL) && + (ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) && ((ssl_state->flags & SSL_AL_FLAG_LOG_WITHOUT_CERT) == 0)) { MemBufferWriteString(aft->buffer, " Session='resumed'"); }
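Review bot: the comment directly above this condition in LogTlsLogger (the one ending "been seen. */") is left unchanged, so it no longer describes the full test. It should say that a ServerHello must have been seen, matching the added `(ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) &&` line. Even with the new guard, "resumed" is still inferred from the absence of `cert0_issuerdn` and `cert0_subject`, so a flow where the ServerHello was parsed but the certificate fields were never filled in would still be written as Session='resumed'. If that is intended, state it in the comment. A regression test covering the case from the commit message (a ClientHello carrying a session ticket, with no ServerHello) would pin the behaviour down. The diff touches only src/log-tlslog.c, so any other TLS output path that derives "resumed" from the same fields would need the same flag check to stay consistent with this log.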