Added detection of self-signed TLS certificates

6 files changed, 18 insertions, 4 deletions

diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index d1536c4da..4751c37ac 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -57,6 +57,7 @@ typedef enum {
   NDPI_URL_POSSIBLE_RCE_INJECTION,
   NDPI_BINARY_APPLICATION_TRANSFER,
   NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT,
+  NDPI_TLS_SELFSIGNED_CERTIFICATE,
 
   /* Leave this as last member */
   NDPI_MAX_RISK
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 4eec5d906..2fa21e220 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1410,14 +1410,22 @@ const char* ndpi_risk2str(ndpi_risk risk) {
   switch(risk) {
   case NDPI_URL_POSSIBLE_XSS:
     return("XSS attack");
+
   case NDPI_URL_POSSIBLE_SQL_INJECTION:
     return("SQL injection");
+
   case NDPI_URL_POSSIBLE_RCE_INJECTION:
     return("RCE injection");
+
   case NDPI_BINARY_APPLICATION_TRANSFER:
     return("Binary application transfer");
+
   case NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT:
     return("Known protocol on non standard port");
+
+  case NDPI_TLS_SELFSIGNED_CERTIFICATE:
+    return("Self-signed Certificate");
+    
   default:  
     return("");
   }
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 171d7c489..655d61ed6 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -450,6 +450,11 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
   }
 
   if(rdn_len) flow->protos.stun_ssl.ssl.subjectDN = strdup(rdnSeqBuf);
+
+  if(flow->protos.stun_ssl.ssl.subjectDN && flow->protos.stun_ssl.ssl.subjectDN
+     && (!strcmp(flow->protos.stun_ssl.ssl.subjectDN, flow->protos.stun_ssl.ssl.issuerDN)))
+    NDPI_SET_BIT_16(flow->risk, NDPI_TLS_SELFSIGNED_CERTIFICATE);
+      
 #if DEBUG_TLS
   printf("[TLS] %s() SubjectDN [%s]\n", __FUNCTION__, rdnSeqBuf);
 #endif
diff --git a/tests/result/KakaoTalk_talk.pcap.out b/tests/result/KakaoTalk_talk.pcap.out
index 68ad2e179..07af9cba0 100644
--- a/tests/result/KakaoTalk_talk.pcap.out
+++ b/tests/result/KakaoTalk_talk.pcap.out
@@ -15,8 +15,8 @@ JA3 Host Stats:
 
 	1	UDP 10.24.82.188:11320 <-> 1.201.1.174:23044 [proto: 87/RTP][cat: Media/1][757 pkts/106335 bytes <-> 746 pkts/93906 bytes][Goodput ratio: 69/65][45.42 sec][bytes ratio: 0.062 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 57/48 202/340 49/48][Pkt Len c2s/s2c min/avg/max/stddev: 99/99 140/126 234/236 43/33][PLAIN TEXT (46yOXQ)]
 	2	UDP 10.24.82.188:10268 <-> 1.201.1.174:23046 [proto: 87/RTP][cat: Media/1][746 pkts/93906 bytes <-> 742 pkts/104604 bytes][Goodput ratio: 65/69][45.02 sec][bytes ratio: -0.054 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 5/0 58/49 112/476 23/54][Pkt Len c2s/s2c min/avg/max/stddev: 99/99 126/141 236/234 33/43][PLAIN TEXT (46yOXQ)]
-	3	TCP 10.24.82.188:58857 <-> 110.76.143.50:9001 [proto: 91/TLS][cat: Web/5][22 pkts/5326 bytes <-> 18 pkts/5212 bytes][Goodput ratio: 72/76][51.59 sec][bytes ratio: 0.011 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 14/0 2358/3528 20472/21237 5098/5912][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 242/290 878/920 254/276][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)][Issuer: C=KR, L=Seoul, O=Kakao, CN=Kakao.com][Subject: C=KR, L=Seoul, O=Kakao, CN=Kakao.com][Certificate SHA-1: 65:88:37:51:01:AA:1F:12:E4:44:27:52:F9:32:FD:40:94:C1:08:D9][Validity: 2011-12-05 09:19:25 - 2021-12-02 09:19:25][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
-	4	TCP 10.24.82.188:32968 <-> 110.76.143.50:8080 [proto: 91/TLS][cat: Web/5][23 pkts/4380 bytes <-> 22 pkts/5728 bytes][Goodput ratio: 64/73][52.84 sec][bytes ratio: -0.133 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/0 691/1317 6069/10226 1399/2632][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 190/260 814/920 164/241][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)][Issuer: C=KR, L=Seoul, O=Kakao, CN=Kakao.com][Subject: C=KR, L=Seoul, O=Kakao, CN=Kakao.com][Certificate SHA-1: 65:88:37:51:01:AA:1F:12:E4:44:27:52:F9:32:FD:40:94:C1:08:D9][Validity: 2011-12-05 09:19:25 - 2021-12-02 09:19:25][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
+	3	TCP 10.24.82.188:58857 <-> 110.76.143.50:9001 [proto: 91/TLS][cat: Web/5][22 pkts/5326 bytes <-> 18 pkts/5212 bytes][Goodput ratio: 72/76][51.59 sec][bytes ratio: 0.011 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 14/0 2358/3528 20472/21237 5098/5912][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 242/290 878/920 254/276][Risk: ** Self-signed Certificate **][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)][Issuer: C=KR, L=Seoul, O=Kakao, CN=Kakao.com][Subject: C=KR, L=Seoul, O=Kakao, CN=Kakao.com][Certificate SHA-1: 65:88:37:51:01:AA:1F:12:E4:44:27:52:F9:32:FD:40:94:C1:08:D9][Validity: 2011-12-05 09:19:25 - 2021-12-02 09:19:25][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
+	4	TCP 10.24.82.188:32968 <-> 110.76.143.50:8080 [proto: 91/TLS][cat: Web/5][23 pkts/4380 bytes <-> 22 pkts/5728 bytes][Goodput ratio: 64/73][52.84 sec][bytes ratio: -0.133 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 2/0 691/1317 6069/10226 1399/2632][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 190/260 814/920 164/241][Risk: ** Self-signed Certificate **][TLSv1][JA3C: 4b79ae67eb3b2cf1c75e68ea0100ca1b][JA3S: 4ea82b75038dd27e8a1cb69d8b839b26 (WEAK)][Issuer: C=KR, L=Seoul, O=Kakao, CN=Kakao.com][Subject: C=KR, L=Seoul, O=Kakao, CN=Kakao.com][Certificate SHA-1: 65:88:37:51:01:AA:1F:12:E4:44:27:52:F9:32:FD:40:94:C1:08:D9][Validity: 2011-12-05 09:19:25 - 2021-12-02 09:19:25][Cipher: TLS_RSA_WITH_AES_128_CBC_SHA]
 	5	TCP 10.24.82.188:59954 <-> 173.252.88.128:443 [proto: 91.119/TLS.Facebook][cat: SocialNetwork/6][15 pkts/2932 bytes <-> 14 pkts/1092 bytes][Goodput ratio: 71/27][1.96 sec][bytes ratio: 0.457 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 141/117 494/295 163/92][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 195/78 735/189 228/35][TLSv1][JA3C: dff8a0aa1c904aaea76c5bf624e88333][JA3S: 07dddc59e60135c7b479d39c3ae686af][Cipher: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA]
 	6	UDP 10.24.82.188:10269 <-> 1.201.1.174:23047 [proto: 194/KakaoTalk_Voice][cat: VoIP/10][12 pkts/1692 bytes <-> 10 pkts/1420 bytes][Goodput ratio: 69/69][45.10 sec][bytes ratio: 0.087 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1062/3176 4203/4247 4716/5160 1131/719][Pkt Len c2s/s2c min/avg/max/stddev: 122/142 141/142 150/142 6/0]
 	7	UDP 10.24.82.188:11321 <-> 1.201.1.174:23045 [proto: 194/KakaoTalk_Voice][cat: VoIP/10][11 pkts/1542 bytes <-> 11 pkts/1542 bytes][Goodput ratio: 69/69][43.84 sec][bytes ratio: 0.000 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1105/1052 4266/3766 4903/4991 1245/1144][Pkt Len c2s/s2c min/avg/max/stddev: 122/122 140/140 142/142 6/6]
diff --git a/tests/result/anyconnect-vpn.pcap.out b/tests/result/anyconnect-vpn.pcap.out
index 550c3ac7f..f92ad82f0 100644
--- a/tests/result/anyconnect-vpn.pcap.out
+++ b/tests/result/anyconnect-vpn.pcap.out
@@ -24,7 +24,7 @@ JA3 Host Stats:
 	1	UDP 10.0.0.227:54107 <-> 8.37.102.91:443 [proto: 161/CiscoVPN][cat: VPN/2][1413 pkts/395331 bytes <-> 1028 pkts/497166 bytes][Goodput ratio: 85/91][20.52 sec][bytes ratio: -0.114 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/13 669/953 35/48][Pkt Len c2s/s2c min/avg/max/stddev: 135/90 280/484 1511/1511 283/514][PLAIN TEXT (m@GOC.)]
 	2	TCP 10.0.0.227:56929 <-> 8.37.102.91:443 [proto: 91/TLS][cat: Web/5][48 pkts/9073 bytes <-> 44 pkts/18703 bytes][Goodput ratio: 65/84][21.89 sec][bytes ratio: -0.347 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/11 97/138 21/26][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 189/425 1514/1514 246/579][TLSv1.2][JA3C: c9f0b47c9805f516e6d3900cb51f7841][ServerNames: *.pandion.viasat.com,pandion.viasat.com][JA3S: 82f0d8a75fa483d1cfe4b7085b784d7e (WEAK)][Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K][Subject: C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
 	3	TCP 10.0.0.227:56919 <-> 8.37.102.91:443 [proto: 91/TLS][cat: Web/5][28 pkts/9088 bytes <-> 26 pkts/16944 bytes][Goodput ratio: 80/90][23.14 sec][ALPN: http/1.1][bytes ratio: -0.302 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1048/487 11570/9008 2987/2009][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 325/652 1514/1514 494/646][TLSv1.2][JA3C: 9f1a41f932f274fe47a992310a26a23a][ServerNames: *.pandion.viasat.com,pandion.viasat.com][JA3S: 82f0d8a75fa483d1cfe4b7085b784d7e (WEAK)][Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K][Subject: C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
-	4	TCP 10.0.0.227:56921 <-> 8.37.96.194:4287 [proto: 91/TLS][cat: Web/5][29 pkts/5373 bytes <-> 28 pkts/7580 bytes][Goodput ratio: 64/75][2.30 sec][bytes ratio: -0.170 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 91/63 593/619 145/135][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 185/271 1261/1434 259/387][TLSv1.2][JA3C: e3adec914f3893f18136762f1c0d7d81][JA3S: e54965894d6b45ecb4323c7ea3d6c115][Issuer: CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US][Subject: CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US][Certificate SHA-1: 86:2A:47:EF:00:68:79:60:7F:94:E2:91:6F:E0:38:82:37:8A:8E:2E][Validity: 2019-08-29 00:12:40 - 2019-10-08 00:12:40][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
+	4	TCP 10.0.0.227:56921 <-> 8.37.96.194:4287 [proto: 91/TLS][cat: Web/5][29 pkts/5373 bytes <-> 28 pkts/7580 bytes][Goodput ratio: 64/75][2.30 sec][bytes ratio: -0.170 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 91/63 593/619 145/135][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 185/271 1261/1434 259/387][Risk: ** Self-signed Certificate **][TLSv1.2][JA3C: e3adec914f3893f18136762f1c0d7d81][JA3S: e54965894d6b45ecb4323c7ea3d6c115][Issuer: CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US][Subject: CN=813845657003339838, O=Code42, OU=TEST, ST=MN, C=US][Certificate SHA-1: 86:2A:47:EF:00:68:79:60:7F:94:E2:91:6F:E0:38:82:37:8A:8E:2E][Validity: 2019-08-29 00:12:40 - 2019-10-08 00:12:40][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
 	5	TCP 10.0.0.227:56918 <-> 8.37.102.91:443 [proto: 91/TLS][cat: Web/5][16 pkts/2739 bytes <-> 14 pkts/7315 bytes][Goodput ratio: 61/87][0.35 sec][ALPN: http/1.1][bytes ratio: -0.455 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 23/26 48/88 21/29][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 171/522 1175/1514 274/624][TLSv1.2][JA3C: 9f1a41f932f274fe47a992310a26a23a][ServerNames: *.pandion.viasat.com,pandion.viasat.com][JA3S: 82f0d8a75fa483d1cfe4b7085b784d7e (WEAK)][Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K][Subject: C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com][Certificate SHA-1: 92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA][Validity: 2019-02-05 21:43:58 - 2021-02-05 22:13:57][Cipher: TLS_RSA_WITH_AES_256_CBC_SHA]
 	6	TCP 10.0.0.227:56920 <-> 99.86.34.156:443 [proto: 91.118/TLS.Slack][cat: Collaborative/15][16 pkts/2949 bytes <-> 11 pkts/1876 bytes][Goodput ratio: 64/61][11.47 sec][ALPN: h2;http/1.1][bytes ratio: 0.222 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 866/28 11074/80 2947/34][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 184/171 853/487 228/155][TLSv1.2][Client: slack.com][JA3C: d8dc5f8940df366b3a58b935569143e8][JA3S: 7bee5c1d424b7e5f943b06983bb11422][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
 	7	TCP 10.0.0.227:56884 <-> 184.25.56.77:80 [proto: 7/HTTP][cat: Web/5][12 pkts/2303 bytes <-> 7 pkts/2382 bytes][Goodput ratio: 67/81][18.51 sec][Host: detectportal.firefox.com][bytes ratio: -0.017 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 7/31 1824/3642 10081/10083 3593/4385][Pkt Len c2s/s2c min/avg/max/stddev: 54/66 192/340 373/450 153/173][URL: detectportal.firefox.com/success.txt?ipv4[StatusCode: 200][UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0][PLAIN TEXT (GET /success.txt)]
diff --git a/tests/result/selfsigned.pcap.out b/tests/result/selfsigned.pcap.out
index 1bd3d577e..5a3e96fcd 100644
--- a/tests/result/selfsigned.pcap.out
+++ b/tests/result/selfsigned.pcap.out
@@ -5,4 +5,4 @@ JA3 Host Stats:
 	1	 127.0.0.1                	 1      
 
 
-	1	TCP 127.0.0.1:51607 <-> 127.0.0.1:3001 [proto: 91/TLS][cat: Web/5][10 pkts/1421 bytes <-> 10 pkts/2345 bytes][Goodput ratio: 60/76][0.05 sec][ALPN: h2;http/1.1][bytes ratio: -0.245 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5/7 32/32 10/11][Pkt Len c2s/s2c min/avg/max/stddev: 56/44 142/234 573/1413 156/408][TLSv1.2][Client: localhost][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][JA3S: 0debd3853f330c574b05e0b6d882dc27][Issuer: C=IT, ST=Some-State, O=ntop.org][Subject: C=IT, ST=Some-State, O=ntop.org][Certificate SHA-1: AF:CC:98:49:F2:00:0E:05:21:18:6C:77:5F:2A:CF:10:44:6E:D8:8B][Validity: 2015-10-10 15:55:47 - 2016-10-09 15:55:47][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
+	1	TCP 127.0.0.1:51607 <-> 127.0.0.1:3001 [proto: 91/TLS][cat: Web/5][10 pkts/1421 bytes <-> 10 pkts/2345 bytes][Goodput ratio: 60/76][0.05 sec][ALPN: h2;http/1.1][bytes ratio: -0.245 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 5/7 32/32 10/11][Pkt Len c2s/s2c min/avg/max/stddev: 56/44 142/234 573/1413 156/408][Risk: ** Self-signed Certificate **][TLSv1.2][Client: localhost][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][JA3S: 0debd3853f330c574b05e0b6d882dc27][Issuer: C=IT, ST=Some-State, O=ntop.org][Subject: C=IT, ST=Some-State, O=ntop.org][Certificate SHA-1: AF:CC:98:49:F2:00:0E:05:21:18:6C:77:5F:2A:CF:10:44:6E:D8:8B][Validity: 2015-10-10 15:55:47 - 2016-10-09 15:55:47][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]