From: Philippe Antoine
Date: Tue, 6 Oct 2020 18:49:19 +0000 (+0200)
Subject: ssl: ensure the client version is valid by checking hello flags
X-Git-Tag: suricata-5.0.4~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b9408b24b9cad9bad281425d3bffe3d46fd99f78;p=thirdparty%2Fsuricata.git
ssl: ensure the client version is valid by checking hello flags
---
diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index b6e5a7dcaa..19b3f131f7 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -2281,7 +2281,9 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state,
     if (ssl_state->flags & SSL_AL_FLAG_CHANGE_CIPHER_SPEC) {
         /* In TLSv1.3, ChangeCipherSpec is only used for middlebox
            compability (rfc8446, appendix D.4). */
-        if ((ssl_state->client_connp.version > TLS_VERSION_12) &&
+        // Client hello flags is needed to have a valid version
+        if ((ssl_state->flags & SSL_AL_FLAG_STATE_CLIENT_HELLO) &&
+            (ssl_state->client_connp.version > TLS_VERSION_12) &&
             ((ssl_state->flags & SSL_AL_FLAG_STATE_SERVER_HELLO) == 0)) {
             /* do nothing */
         } else {
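Review bot: The added comment `// Client hello flags is needed to have a valid version` states the rule without the reason, and it uses `//` where the surrounding block uses `/* */`, so a reader still has to work out why `client_connp.version` cannot be compared against `TLS_VERSION_12` until a ClientHello has been seen. I would word it as `/* client_connp.version is only meaningful once a ClientHello has been parsed, so a ChangeCipherSpec seen before that must not be taken as TLS 1.3 middlebox compat (rfc8446, D.4). */` — that the version is unset before the ClientHello is inferred from the commit subject rather than visible in the hunk, so confirm it against the ClientHello parsing path. With the new guard, a ChangeCipherSpec record arriving before any ClientHello now falls into the `else` branch, whose body lies outside the hunk; if that branch changes parser state or raises an event, an out-of-order record stream now triggers it too, which looks intended but deserves a regression test with a CCS-first capture. SSLv3Decode starts before and continues past this hunk.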