author | Toni <matzeton@googlemail.com> | 2022-07-05 16:35:23 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-07-05 16:35:23 +0200 |
commit | f4a1739f9c950963f94915916d0a9f088a803abc (patch) | |
tree | a9d56561dea8e1942085da181711b3591833e78b /src/lib/ndpi_main.c | |
parent | 388dfb8e1309d1998aa9e16a85b33041f9008035 (diff) |
Detect SMTPs w/ STARTTLS as TLS and dissect client/server hello. Fixes #1630. (#1637)
* FTP needs to be updated as well, as it has similar STARTTLS semantics -> follow-up
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'src/lib/ndpi_main.c')
-rw-r--r-- | src/lib/ndpi_main.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 481d1fbbc..47385de70 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -8034,7 +8034,9 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp
 switch(proto) {
 case NDPI_PROTOCOL_TLS:
 case NDPI_PROTOCOL_DTLS:
- if(flow->l4.tcp.tls.certificate_processed) return(0);
+ if(flow->l4.tcp.tls.certificate_processed ||
+ (flow->l4.tcp.ftp_imap_pop_smtp.auth_tls == 1 &&
+ flow->l4.tcp.ftp_imap_pop_smtp.auth_done == 1)) return(0);
 if(flow->l4.tcp.tls.num_tls_blocks <= ndpi_str->num_tls_blocks_to_follow) {
 // printf("*** %u/%u\n", flow->l4.tcp.tls.num_tls_blocks, ndpi_str->num_tls_blocks_to_follow);
@@ -8058,8 +8060,8 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp
 case NDPI_PROTOCOL_MAIL_IMAP:
 case NDPI_PROTOCOL_MAIL_SMTP:
 if(flow->l4.tcp.ftp_imap_pop_smtp.password[0] == '\0' &&
- flow->l4.tcp.ftp_imap_pop_smtp.auth_tls == 0 &&
- flow->l4.tcp.ftp_imap_pop_smtp.auth_done == 0)
+ (flow->l4.tcp.ftp_imap_pop_smtp.auth_tls == 1 ||
+ flow->l4.tcp.ftp_imap_pop_smtp.auth_done == 0))
 return(1);
 break;
|
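Review bot: In the `NDPI_PROTOCOL_TLS`/`NDPI_PROTOCOL_DTLS` case the new early `return(0)` fires on `auth_tls == 1 && auth_done == 1` even while `certificate_processed` is still 0, so a STARTTLS session can leave extra dissection before the server certificate has been seen. Where `auth_done` is set is not visible in this hunk; if it is set right after the hellos, certificate-derived metadata and any certificate checks built on it would be missing for mail flows upgraded via STARTTLS, which is a visibility gap for detection. If that is intended, state it next to the condition, e.g. `/* STARTTLS: stop after client/server hello, the certificate is not awaited */`. The same case also serves DTLS, where `l4.tcp.ftp_imap_pop_smtp` is TCP mail state; it presumably stays zero there, but that is worth confirming against the flow struct. The function body starts and ends outside the hunk.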
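Review bot: The relaxed condition `auth_tls == 1 || auth_done == 0` applies to every label of this case (`NDPI_PROTOCOL_MAIL_IMAP` and `NDPI_PROTOCOL_MAIL_SMTP` are visible, more may precede the hunk), while the commit description names only SMTP as done and FTP as a follow-up. For the other protocols, once `auth_tls` is 1 the password presumably never gets filled, so this branch keeps returning 1 and the flow stays in extra dissection on encrypted payload until some external packet cap ends it. Consider gating the new term on the protocol, e.g. `(proto == NDPI_PROTOCOL_MAIL_SMTP && flow->l4.tcp.ftp_imap_pop_smtp.auth_tls == 1) ||`, and keeping the previous `auth_tls == 0` requirement for the rest until their dissectors hand off to TLS. A short comment explaining why a STARTTLS flow must stay in extra dissection would also help the next reader.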