authorLuca Deri <deri@ntop.org>2020-06-08 14:20:10 +0200
committerLuca Deri <deri@ntop.org>2020-06-08 14:20:10 +0200
commit3506a0786482a47281444b66a7089f64ea2b439d (patch)
tree8bc0fbd6db0fbebf180f78b3b282fc6db66ada42 /src/lib/protocols/tls.c
parentd318285caec168b2b8a813845ae7b93b7e078aa3 (diff)
Added check in TLS 1.2+ for reporting a risk when TLS is not used to carry HTTPS
Diffstat (limited to 'src/lib/protocols/tls.c')
-rw-r--r--src/lib/protocols/tls.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 1abf494d5..26be13a6f 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1381,6 +1381,12 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
#endif
}
+ /* Before returning to the caller we need to make a final check */
+ if((flow->protos.stun_ssl.ssl.ssl_version >= 0x0303) /* >= TLSv1.2 */
+ && (flow->protos.stun_ssl.ssl.alpn == NULL) /* No ALPN */) {
+ NDPI_SET_BIT(flow->risk, NDPI_TLS_NOT_CARRYING_HTTPS);
+ }
+
return(2 /* Client Certificate */);
} else {
#ifdef DEBUG_TLS
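Review bot: The condition added before `return(2 /* Client Certificate */)` treats a missing ALPN extension as "not HTTPS", which the hunk does not justify. TLS 1.2+ clients that speak only HTTP/1.1 may omit ALPN and would be flagged, while a hello that does carry ALPN is never flagged, whatever protocol it names. If this is meant as a heuristic, say so at the check, e.g. `/* Heuristic: no ALPN on TLS >= 1.2 is reported as possibly non-HTTPS; HTTPS clients that omit ALPN will also match */`, so consumers of `flow->risk` read `NDPI_TLS_NOT_CARRYING_HTTPS` as a hint to correlate with SNI and port rather than a verdict. It is also worth confirming that `alpn` can only be NULL when the extension was absent (and not, for instance, after a failed allocation in the parser), since that code is not visible here. The body of processClientServerHello starts and ends outside this hunk.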