From 98fd40a4b3fd833df245ce44bcf879f6186418eb Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 3 Sep 2024 15:37:00 +0200
Subject: [PATCH] tls/ja3: do not append to ja3 str once ja3 hash is computed

Ticket: 6634
That means take only the first client hello into account. This way, we do not end with ja3 string with 9 commas...
(cherry picked from commit 84735251b577a284af3795708786974fd30720b0)
---
 src/app-layer-ssl.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index e5c1ed1eb0..907e06708b 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -844,7 +844,8 @@ static inline int TLSDecodeHSHelloCipherSuites(SSLState *ssl_state,
 goto invalid_length;
 }
- const bool enable_ja3 = SC_ATOMIC_GET(ssl_config.enable_ja3);
+ const bool enable_ja3 =
+ SC_ATOMIC_GET(ssl_config.enable_ja3) && ssl_state->curr_connp->ja3_hash == NULL;
 if (enable_ja3 || SC_ATOMIC_GET(ssl_config.enable_ja4)) {
 JA3Buffer *ja3_cipher_suites = NULL;
@@ -1314,7 +1315,9 @@ static inline int TLSDecodeHSHelloExtensions(SSLState *ssl_state,
 int ret;
 int rc;
- const bool ja3 = (SC_ATOMIC_GET(ssl_config.enable_ja3) == 1);
+ // if ja3_hash is already computed, do not use new hello to augment ja3_str
+ const bool ja3 =
+ (SC_ATOMIC_GET(ssl_config.enable_ja3) == 1) && ssl_state->curr_connp->ja3_hash == NULL;
 JA3Buffer *ja3_extensions = NULL;
 JA3Buffer *ja3_elliptic_curves = NULL;
-- 
2.47.2
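Review bot: The new guard in TLSDecodeHSHelloCipherSuites uses `ja3_hash == NULL` as a proxy for "no hello has been fully consumed yet", and nothing visible in this hunk covers a first hello that appended to `ja3_str` and then failed before the hash was generated. If that path can occur, a later hello would still extend the partial string, so the fingerprint that gets logged or matched would combine fields from two messages. It is worth confirming where `ja3_hash` is assigned and, if a partial first hello is possible, latching on a dedicated per-connection flag instead of the hash pointer. The same expression is repeated in the TLSDecodeHSHelloExtensions hunk, which is the only one carrying the explanatory comment; adding `// if ja3_hash is already computed, do not use new hello to augment ja3_str` here too, or moving the test into one small static inline helper shared by both sites, would keep the two from drifting. The function body starts and ends outside the hunk.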
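Review bot: The comment added above `ja3` in TLSDecodeHSHelloExtensions describes the mechanism but not what it means for detection: once `ja3_hash` is set for `curr_connp`, any later hello on that connection side (presumably per direction, since the check goes through `curr_connp`) no longer contributes to the JA3 string. Spelling that out, e.g. `// JA3 reflects only the first hello seen for this connp; later hellos are not fingerprinted`, tells rule writers and log consumers what the value represents. The `== 1` comparison kept on this line also differs from the plain truth test used in the TLSDecodeHSHelloCipherSuites hunk, and using one form in both places would read more cleanly. The function body continues outside the hunk.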